Moby SIG Orchestration Security Summit Presentation
Diogo Mónica
My talk at the Moby SIG Orchestration Security Summit Presentation. https://diogomonica.com
1.
[SIG] Orchestration Security
🔒 @diogomonica
2.
Current Initiatives
  1. External Secrets
  2. Service Identities
  3. Entitlements
3.
Least-privilege container orchestration
4.
Secure Node Introduction (swarmKit)
Token: SWMTKN-1-mx8suomaom825bet6-cm6zts22rl4hly2
Token fields, left to right: Known Prefix, Token Version, Hash of Root CA, Random Secret
5.
Cryptographic Node Identity (swarmKit)
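The token on slide 4 pins the hash of the root CA so that a node being introduced to the cluster can check the CA certificate a manager shows it before trusting anything signed by that CA. The Go program below is an added example written for this page, not SwarmKit's own code: it parses the four labelled fields, builds a token for a given root CA, and performs the joiner-side check (does the presented CA match the pinned hash?) and the manager-side check (does the joiner hold the random secret?). Assumptions: fields are separated by '-', the CA hash is a hex-encoded SHA-256 of the certificate's DER bytes (SwarmKit's real encoding is not shown on the slide), and the CA bytes in main are a constructed placeholder rather than a real certificate.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// JoinToken is the decoded form of the four fields slide 4 labels:
// Known Prefix, Token Version, Hash of Root CA, Random Secret.
type JoinToken struct {
	Version    string
	RootCAHash string // digest of the root CA certificate the joining node must be shown
	Secret     string // random secret proving the joiner was handed the token
}

const tokenPrefix = "SWMTKN"

// ParseJoinToken splits a token on '-' and validates the fixed fields.
// Assumption: exactly four dash-separated fields, as in the slide's sample token.
func ParseJoinToken(tok string) (JoinToken, error) {
	parts := strings.Split(tok, "-")
	if len(parts) != 4 {
		return JoinToken{}, errors.New("join token: expected 4 dash-separated fields")
	}
	if parts[0] != tokenPrefix {
		return JoinToken{}, fmt.Errorf("join token: unknown prefix %q", parts[0])
	}
	if parts[1] != "1" {
		return JoinToken{}, fmt.Errorf("join token: unsupported version %q", parts[1])
	}
	if parts[2] == "" || parts[3] == "" {
		return JoinToken{}, errors.New("join token: empty root CA hash or secret")
	}
	return JoinToken{Version: parts[1], RootCAHash: parts[2], Secret: parts[3]}, nil
}

// rootCAHash is the digest the token pins. Assumption for this example:
// hex-encoded SHA-256 of the DER certificate (SwarmKit's encoding is not on the slide).
func rootCAHash(rootCADER []byte) string {
	sum := sha256.Sum256(rootCADER)
	return hex.EncodeToString(sum[:])
}

// MakeJoinToken is the manager-side construction of a token for a given root CA.
// The secret must not contain the field separator.
func MakeJoinToken(rootCADER []byte, secret string) (string, error) {
	if secret == "" || strings.Contains(secret, "-") {
		return "", errors.New("secret must be non-empty and must not contain '-'")
	}
	return strings.Join([]string{tokenPrefix, "1", rootCAHash(rootCADER), secret}, "-"), nil
}

// VerifyRootCA is the joiner-side check: the root CA certificate a manager hands
// over on first contact is trusted only if its digest matches the hash pinned in
// the token, so an on-path party cannot substitute its own CA during bootstrap.
func VerifyRootCA(tok JoinToken, presentedCADER []byte) bool {
	return subtle.ConstantTimeCompare([]byte(tok.RootCAHash), []byte(rootCAHash(presentedCADER))) == 1
}

// VerifySecret is the manager-side check that the joiner actually holds the token.
func VerifySecret(expected, presented string) bool {
	return subtle.ConstantTimeCompare([]byte(expected), []byte(presented)) == 1
}

func main() {
	// The slide's sample token parses structurally; its hash field uses an
	// encoding this example does not model, so it is only split, not verified.
	sample, err := ParseJoinToken("SWMTKN-1-mx8suomaom825bet6-cm6zts22rl4hly2")
	fmt.Println(sample, err)

	// Constructed stand-in for a root CA certificate (not a real DER blob).
	rootCA := []byte("constructed root CA certificate bytes")
	tok, _ := MakeJoinToken(rootCA, "cm6zts22rl4hly2")
	parsed, _ := ParseJoinToken(tok)
	fmt.Println("genuine CA accepted:", VerifyRootCA(parsed, rootCA))
	fmt.Println("substituted CA accepted:", VerifyRootCA(parsed, []byte("some other CA")))
}
```

Both comparisons are constant-time; the CA hash check is what makes the out-of-band token a trust anchor rather than a bare password.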
6.
MTLS Between All Nodes (swarmKit)
[diagram: Worker and Manager nodes connected over TLS, with a Certificate Authority]
7.
Least-privilege Secret Distribution (swarmKit)
[diagram: Worker, Manager and Raft Store]
8.
Transparent Root Rotation (swarmKit)
[diagram: Workers and a Manager with TLS certificates from the Certificate Authority; steps numbered 1 to 4, labelled Add, Remove and Renew]
9.
Transparent Root Rotation (swarmKit), diagram continued
10.
Transparent Root Rotation (swarmKit), diagram continued
11.
Transparent Root Rotation (swarmKit), diagram continued
12.
External Secrets
13.
Secrets stored in Raft by default
[diagram: External Store, Swarm Plugin, Worker, Manager, Raft Store]
14.
Dynamic generation of secrets
[diagram: External Store, Swarm Plugin, Worker, Manager, Raft Store]
15.
Secure last-mile delivery of secrets
[diagram: External Store, Swarm Plugin, Worker, Manager, Raft Store]
16.
Community Participants
17.
Service Identities
18.
One Node, One ID
19.
One App Instance, One ID
20.
Every service call is authorized and authenticated
Example certificate subjects:
  CN=api01 OU=web-api O=production
  CN=db01 OU=credit-card-db O=production
21.
mTLS (Nginx)
[handshake diagram]
  Client -> Nginx: ClientHello
  Nginx -> Client: ServerHello, Certificate, Client Cert Req, ServerHello Done
  Client -> Nginx: Certificate, Cert Verify
22.
mTLS - the good
  1. Key-material stays secret
  2. Supported everywhere
  3. Authentication and Encryption
23.
mTLS - the bad
  1. A LOT of certs
  2. Confusing for developers
  3. No good revocation story
  4. Running a PKI is hard
  5. Unforgiving
24.
Least-privilege resource access
  [
    {
      "permission": { "method": "GET", "resource": "/user" },
      "allow": ["web", "fulfillment", "payments"]
    },
    {
      "permission": { "method": "POST", "resource": "/user" },
      "allow": ["signup", "web"]
    },
    {
      "permission": { "method": "DELETE", "resource": "/user/.*" },
      "allow": ["web"]
    }
  ]
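Slide 20 takes the caller's identity from the client certificate that mTLS authenticated, and slide 24 maps (method, resource) permissions to the services allowed to exercise them. The Go program below is an added example, not code from the talk or from any Docker project: it compiles the slide 24 policy into anchored regular expressions, derives the identity from the certificate subject's OU (an assumption; slide 20 shows OU=web-api and OU=credit-card-db but does not say which field carries the identity), and evaluates requests default-deny. The identities in the policy ("web", "signup", ...) and the three rules are taken from slide 24; the subjects built in main and in Subject are constructed input.

```go
package main

import (
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"regexp"
)

// Rule is one entry of the slide 24 policy: a (method, resource) permission and
// the service identities allowed to exercise it.
type Rule struct {
	Method   string
	Resource string   // pattern over the request path, e.g. "/user/.*"
	Allow    []string // service identities
}

type compiledRule struct {
	method string
	re     *regexp.Regexp
	allow  map[string]bool
}

// Policy is a compiled rule set; a request matching no rule is denied.
type Policy struct{ rules []compiledRule }

// CompilePolicy anchors every resource pattern, so "/user/.*" cannot match
// "/admin/user/1" and "/user" cannot match "/users".
func CompilePolicy(rules []Rule) (*Policy, error) {
	p := &Policy{}
	for _, r := range rules {
		re, err := regexp.Compile("^(?:" + r.Resource + ")$")
		if err != nil {
			return nil, fmt.Errorf("rule %s %s: %w", r.Method, r.Resource, err)
		}
		allow := make(map[string]bool, len(r.Allow))
		for _, id := range r.Allow {
			allow[id] = true
		}
		p.rules = append(p.rules, compiledRule{method: r.Method, re: re, allow: allow})
	}
	return p, nil
}

// Subject builds a certificate subject in the shape slide 20 shows
// (CN=api01 OU=web-api O=production); used here to construct example input.
func Subject(cn, org string, ous ...string) pkix.Name {
	return pkix.Name{CommonName: cn, Organization: []string{org}, OrganizationalUnit: ous}
}

// ServiceIdentity reads the caller's identity from the subject of the client
// certificate mTLS already authenticated. Assumption for this example: the
// identity is the OU field and there is exactly one; anything else is rejected
// rather than guessed at.
func ServiceIdentity(subject pkix.Name) (string, error) {
	if len(subject.OrganizationalUnit) != 1 {
		return "", errors.New("client certificate must carry exactly one OU")
	}
	return subject.OrganizationalUnit[0], nil
}

// Authorize allows the request only if some rule matches the method and the
// full path and lists the identity; everything else is denied.
func (p *Policy) Authorize(identity, method, path string) bool {
	for _, r := range p.rules {
		if r.method == method && r.re.MatchString(path) && r.allow[identity] {
			return true
		}
	}
	return false
}

// SlidePolicy is the three-rule policy from slide 24.
func SlidePolicy() (*Policy, error) {
	return CompilePolicy([]Rule{
		{Method: "GET", Resource: "/user", Allow: []string{"web", "fulfillment", "payments"}},
		{Method: "POST", Resource: "/user", Allow: []string{"signup", "web"}},
		{Method: "DELETE", Resource: "/user/.*", Allow: []string{"web"}},
	})
}

func main() {
	p, err := SlidePolicy()
	if err != nil {
		panic(err)
	}
	// Constructed subject for the "web" service.
	id, err := ServiceIdentity(Subject("api01", "production", "web"))
	if err != nil {
		panic(err)
	}
	fmt.Println(id, "DELETE /user/42 ->", p.Authorize(id, "DELETE", "/user/42"))
	fmt.Println(id, "DELETE /admin/user/42 ->", p.Authorize(id, "DELETE", "/admin/user/42"))
}
```

The anchoring is the detail that matters in review: an unanchored "/user/.*" would also match paths that merely contain "/user/", silently widening the DELETE grant.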
25.
SPIFFE as the identity
26.
Entitlements
27.
Capabilities runC
28.
Namespace Isolation and Cgroups (runC)
  Namespaces: PID, MNT, IPC, NET, …
  Cgroups: CPU, BLKIO, MEM, PIDS, …
29.
Linux Security Modules (runC)
  1. AppArmor
  2. SELinux
  3. Smack
  4. TOMOYO
  5. YAMA
30.
Seccomp-bpf (runC) [labels: Debian, Alpine]
  {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": [
      "SCMP_ARCH_X86_64"
    ],
    "syscalls": [
      { "name": "accept", "action": "SCMP_ACT_ALLOW", "args": [] },
      { "name": "accept4", "action": "SCMP_ACT_ALLOW", "args": [] },
      ...
    ]
  }
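Slide 30's profile is an allow-list: the default action returns an error and only the named syscalls succeed, with a separate profile per base image (the slide labels Debian and Alpine). As an added example, not code from the talk or from runC, the Go program below parses that profile format, reports the effective action for a syscall, lints for the two things a reviewer checks first (a permissive default and a missing architecture list), and diffs two profiles to show which syscalls one permits that the other does not. The two embedded profiles are constructed for this example and are not the Debian and Alpine profiles from the slide; the parser rejects malformed JSON such as a trailing comma in a list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// SeccompProfile covers the subset of the runC seccomp profile format on slide 30.
type SeccompProfile struct {
	DefaultAction string        `json:"defaultAction"`
	Architectures []string      `json:"architectures"`
	Syscalls      []SyscallRule `json:"syscalls"`
}

// SyscallRule is one entry of "syscalls"; argument filters are kept opaque here.
type SyscallRule struct {
	Name   string            `json:"name"`
	Action string            `json:"action"`
	Args   []json.RawMessage `json:"args"`
}

// ParseProfile decodes a profile; invalid JSON is an error, not a silently empty profile.
func ParseProfile(data []byte) (*SeccompProfile, error) {
	var p SeccompProfile
	if err := json.Unmarshal(data, &p); err != nil {
		return nil, fmt.Errorf("seccomp profile: %w", err)
	}
	return &p, nil
}

// EffectiveAction is what the filter does for one syscall: the first explicit
// rule for that name wins, otherwise the default action applies.
func (p *SeccompProfile) EffectiveAction(name string) string {
	for _, r := range p.Syscalls {
		if r.Name == name {
			return r.Action
		}
	}
	return p.DefaultAction
}

// Allowed lists the explicitly permitted syscalls, sorted for stable diffs.
func (p *SeccompProfile) Allowed() []string {
	var out []string
	for _, r := range p.Syscalls {
		if r.Action == "SCMP_ACT_ALLOW" {
			out = append(out, r.Name)
		}
	}
	sort.Strings(out)
	return out
}

// Lint flags a deny-list default (everything unnamed is permitted, the opposite
// of the slide's SCMP_ACT_ERRNO default) and an unpinned architecture list.
func (p *SeccompProfile) Lint() []string {
	var findings []string
	if p.DefaultAction == "SCMP_ACT_ALLOW" {
		findings = append(findings, "defaultAction is SCMP_ACT_ALLOW: every syscall not named is permitted")
	}
	if len(p.Architectures) == 0 {
		findings = append(findings, "no architectures listed")
	}
	return findings
}

// AllowedOnlyIn returns the syscalls a permits that b does not, which is how two
// per-image profiles like the slide's Debian and Alpine ones can be compared.
func AllowedOnlyIn(a, b *SeccompProfile) []string {
	var out []string
	for _, name := range a.Allowed() {
		if b.EffectiveAction(name) != "SCMP_ACT_ALLOW" {
			out = append(out, name)
		}
	}
	return out
}

// Two constructed profiles for this example (not the slide's real Debian and Alpine profiles).
const profileA = `{"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [{"name": "accept", "action": "SCMP_ACT_ALLOW", "args": []},
               {"name": "accept4", "action": "SCMP_ACT_ALLOW", "args": []},
               {"name": "bind", "action": "SCMP_ACT_ALLOW", "args": []}]}`

const profileB = `{"defaultAction": "SCMP_ACT_ERRNO", "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [{"name": "accept", "action": "SCMP_ACT_ALLOW", "args": []},
               {"name": "accept4", "action": "SCMP_ACT_ALLOW", "args": []}]}`

func main() {
	a, err := ParseProfile([]byte(profileA))
	if err != nil {
		panic(err)
	}
	b, err := ParseProfile([]byte(profileB))
	if err != nil {
		panic(err)
	}
	fmt.Println("findings:", a.Lint())
	fmt.Println("mount under A:", a.EffectiveAction("mount"))
	fmt.Println("allowed only in A:", AllowedOnlyIn(a, b))
}
```

The diff is the useful operation when a workload is moved between base images: it shows exactly which extra syscalls the larger profile opens up.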
31.
A better way: libentitlement [labels: Debian, Alpine]
libentitlement is designed to be a library managing container security profiles. It provides a way to register specific grants that add or remove constraints on those profiles. https://github.com/docker/libentitlement
32.
Future Initiatives
  1. Service Mesh
  2. Untrusted Managers
33.
Join us!
  1. #orchestration-sec on Slack
  2. Monday meetings 10am PST