SlideShare a Scribd company logo

Securing Containers - Sathyajit Bhat - Adobe - Container Conference 18

CodeOps Technologies LLP
CodeOps Technologies LLP

This presentation was made by Sathyajith Bhat, Senior DevOps Engineer, Adobe as part of Container Conference 2018. Securing Containers: "Containers have almost become the ubiquitous method of packaging and deploying applications. While containers are perceived to be completed isolated and secure methods of running your application, the reality is that containers are not completely foolproof and are susceptible to many attack vectors. This session takes a look at the attack vectors and different ways to mitigate them." www.containerconf.in

Software
1 of 27
Download to read offline
© 2018 Adobe Systems Incorporated. All Rights Reserved. Securing Containers Sathyajith Bhat | Senior DevOps Engineer – Adobe I/O
© 2018 Adobe Systems Incorporated. All Rights Reserved. 2 $whoami § Sathyajith Bhat § Senior DevOps Engineer - Adobe I/O § Organizer, Bangalore AWS Users’ Group § Author - Practical Docker with Python
© 2018 Adobe Systems Incorporated. All Rights Reserved. 3 Run this for me. sudo docker run -v /:/app sathyabhat/demo cat /tmp/demo.log
© 2018 Adobe Systems Incorporated. All Rights Reserved. 4 Adobe I/O § Adobe I/O is the place for developers looking to integrate, extend, or create apps and experiences based on Adobe's products and technologies. § Adobe I/O API Gateway § A performant API Gateway based on Nginx and Openresty § 1.5 billion+ API calls per day § Adobe I/O Events § An event notification service to inform subscribing systems of near real-time events happening in Adobe services. § Adobe I/O Runtime § A serverless platform(currently in private beta) based on Apache OpenWhisk which allows a developer to execute code on Adobe's infrastructure.
© 2018 Adobe Systems Incorporated. All Rights Reserved. Containers - How We Perceive 5 Photo Courtesy: Sam MacCutchan, Flickr
© 2018 Adobe Systems Incorporated. All Rights Reserved. Containers - How They Tend to Be 6 Photo Courtesy: Kazuyoshi Kato, Flickr
© 2018 Adobe Systems Incorporated. All Rights Reserved. Threats to Containers § From Docker Hosts § From noisy neighbours § From within containers § From external world § From within the application 7
© 2018 Adobe Systems Incorporated. All Rights Reserved. Different mechanisms § Control Groups (cgroups) § Namespaces § Kernel Capabilities § Seccomp § Image Security § Vulnerability Scanning 8
© 2018 Adobe Systems Incorporated. All Rights Reserved. cgroups § Group, Limit & isolate resource utilization § Resources that can be controlled: CPU, Memory, Disk, Network § cgroups Docker uses: § Memory § HugeTBL § CPU § CPUSet § BlkIO § Devices § /sys/fs/cgroups 9
© 2018 Adobe Systems Incorporated. All Rights Reserved. cgroups § Applying limits § docker run --cpus=”0.5” § docker run --cpu-shares=512 (weighted CPU distribution, default weight == 1024) § docker run --memory=2g § docker run --oom-kill-disable (!!) § docker run --device-read-iops § docker run --device-write-iops § Custom cgroup? § Yes! docker run --cgroup-parent 10
© 2018 Adobe Systems Incorporated. All Rights Reserved. Namespaces § Abstraction which makes a process appear they are isolated § Controls what processes can see § Different types of namespaces: § Mount § PID § UTS § IPC § Network § User 11
© 2018 Adobe Systems Incorporated. All Rights Reserved. Namespaces - User Namespace Remapping § Remap a user with a container to another user on the Host § Remap privileged user within container to non-privileged one outside host § Enabling remapping: § dockerd --userns-remap=”remap-user:remap-group” § Or, edit daemon.json { userns-remap: “remap-user” } 12
© 2018 Adobe Systems Incorporated. All Rights Reserved. Namespaces - User Namespace Remapping Caveats § Ensure the users/groups are created & associated with your user § Enable/Disable it on a new Docker install than existing one § Can no longer user --pid=host or --network=host 13
© 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp § Secure Mode Computing § Kernel feature, restricts syscalls that a process can do § Create custom profiles, pass a different profile for each container § Default seccomp policy for Docker § Disables 44 system calls of 300+ system calls 14
© 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp Pre-requisites: § Check for kernel support § grep CONFIG_SECCOMP=/boot/config-$(uname -r) § Apply seccomp § docker run § ??? § Seccomp is applied by default! § Verify with docker info 15
© 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp § Create custom profiles as json § docker run --security-opt seccomp=profile.json § How to find what syscalls are in place? § strace (Linux) § dtruss (macOS) 16
© 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp(demo) cat seccomp-profile.json { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "chown", "action": "SCMP_ACT_ERRNO" }, { "name": "chmod", "action": "SCMP_ACT_ERRNO" } ] } 17
© 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp(demo) / # echo "rm -rf" > fluffy_kittens.sh / # chmod u+x fluffy_kittens.sh chmod: fluffy_kittens.sh: Operation not permitted 18
© 2018 Adobe Systems Incorporated. All Rights Reserved. Kernel Capabilities § Drop unnecessary capabilities from the container § Alternatively, provide necessary ones § Don’t need chown capability? Drop it § docker run --cap-drop=chown 19
© 2018 Adobe Systems Incorporated. All Rights Reserved. AppArmor § Mandatory Access Control § Why? § Unix permissions allow for R/W/X § No fine grained permissions § Why should your application look at other logs? § Docker expects AppArmor policies to be loaded on Docker host 20
© 2018 Adobe Systems Incorporated. All Rights Reserved. Managing Vulnerabilities § Images are still software - and old, if not rebuilt § Heartbleed § Vulnerability in openSSL § Ghost § Vulnerability in glibc 21
© 2018 Adobe Systems Incorporated. All Rights Reserved. Managing Vulnerabilities Vulnerability Scanners § Clair (CoreOS) § Twistlock § Aqua Container Security § Sysdig Falco 22
© 2018 Adobe Systems Incorporated. All Rights Reserved. Trusted Images § Don’t use images blindly § Host the images in private/self-hosted registry § Publishing to Docker Hub? Enable Docker Content Trust 23
© 2018 Adobe Systems Incorporated. All Rights Reserved. Docker Content Trust § Enable content trust § export DOCKER_CONTENT_TRUST=1 § Images must have content signatures § Trust is managed by use of signing keys § Offline key: Root of content trust § Repository key for signing tags § Server managed Timestamp key 24
© 2018 Adobe Systems Incorporated. All Rights Reserved. References § Kernel Capabilities § Tutorial on Creating AppArmor Profiles § Docker Security Docs § Sysadmin Casts - Linux Control Groups § Searchable Syscall Table § Google Chrome Seccomp Sandbox Implementation Doc § User Namespaces in Docker Engine 25
© 2018 Adobe Systems Incorporated. All Rights Reserved. Thanks! § Twitter - sathyabhat § Email: sabhat@adobe.com § https://www.adobe.io | @adobeio 26
Securing Containers - Sathyajit Bhat - Adobe - Container Conference 18

Recommended

Java is Container Ready - Vaibhav - Container Conference 2018
Java is Container Ready - Vaibhav - Container Conference 2018Java is Container Ready - Vaibhav - Container Conference 2018
Java is Container Ready - Vaibhav - Container Conference 2018CodeOps Technologies LLP
 
Evolve or Fall Behind: Driving Transformation with Containers - Sai Vennam - ...
Evolve or Fall Behind: Driving Transformation with Containers - Sai Vennam - ...Evolve or Fall Behind: Driving Transformation with Containers - Sai Vennam - ...
Evolve or Fall Behind: Driving Transformation with Containers - Sai Vennam - ...CodeOps Technologies LLP
 
Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18
Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18
Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18CodeOps Technologies LLP
 
Virtualized Containers - How Good is it - Ananth - Siemens - CC18
Virtualized Containers - How Good is it - Ananth - Siemens - CC18Virtualized Containers - How Good is it - Ananth - Siemens - CC18
Virtualized Containers - How Good is it - Ananth - Siemens - CC18CodeOps Technologies LLP
 
Kubernetes Networking - Sreenivas Makam - Google - CC18
Kubernetes Networking - Sreenivas Makam - Google - CC18Kubernetes Networking - Sreenivas Makam - Google - CC18
Kubernetes Networking - Sreenivas Makam - Google - CC18CodeOps Technologies LLP
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview Krishna-Kumar
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
 
Meetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on KubernetesMeetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on Kubernetesdtoledo67
 

Recommended

Java is Container Ready - Vaibhav - Container Conference 2018
Java is Container Ready - Vaibhav - Container Conference 2018Java is Container Ready - Vaibhav - Container Conference 2018
Java is Container Ready - Vaibhav - Container Conference 2018CodeOps Technologies LLP
 
Evolve or Fall Behind: Driving Transformation with Containers - Sai Vennam - ...
Evolve or Fall Behind: Driving Transformation with Containers - Sai Vennam - ...Evolve or Fall Behind: Driving Transformation with Containers - Sai Vennam - ...
Evolve or Fall Behind: Driving Transformation with Containers - Sai Vennam - ...CodeOps Technologies LLP
 
Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18
Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18
Power of Choice in Docker EE 2.0 - Anoop - Docker - CC18CodeOps Technologies LLP
 
Virtualized Containers - How Good is it - Ananth - Siemens - CC18
Virtualized Containers - How Good is it - Ananth - Siemens - CC18Virtualized Containers - How Good is it - Ananth - Siemens - CC18
Virtualized Containers - How Good is it - Ananth - Siemens - CC18CodeOps Technologies LLP
 
Kubernetes Networking - Sreenivas Makam - Google - CC18
Kubernetes Networking - Sreenivas Makam - Google - CC18Kubernetes Networking - Sreenivas Makam - Google - CC18
Kubernetes Networking - Sreenivas Makam - Google - CC18CodeOps Technologies LLP
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview Krishna-Kumar
 
Kubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesKubernetes Concepts And Architecture Powerpoint Presentation Slides
Kubernetes Concepts And Architecture Powerpoint Presentation SlidesSlideTeam
 
Meetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on KubernetesMeetup 12-12-2017 - Application Isolation on Kubernetes
Meetup 12-12-2017 - Application Isolation on Kubernetesdtoledo67
 
Sf bay area Kubernetes meetup dec8 2016 - deployment models
Sf bay area Kubernetes meetup dec8 2016 - deployment modelsSf bay area Kubernetes meetup dec8 2016 - deployment models
Sf bay area Kubernetes meetup dec8 2016 - deployment modelsPeter Ss
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013aspyker
 
Securing Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeSecuring Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeCodeOps Technologies LLP
 
Monitoring on Kubernetes using Prometheus - Chandresh
Monitoring on Kubernetes using Prometheus - Chandresh Monitoring on Kubernetes using Prometheus - Chandresh
Monitoring on Kubernetes using Prometheus - Chandresh CodeOps Technologies LLP
 
Containers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioContainers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioAraf Karsh Hamid
 
Kubernetes Architecture - beyond a black box - Part 1
Kubernetes Architecture - beyond a black box - Part 1Kubernetes Architecture - beyond a black box - Part 1
Kubernetes Architecture - beyond a black box - Part 1Hao H. Zhang
 
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWS
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWSServerless Architectural Patterns 
and Best Practices - Madhu Shekar - AWS
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWSCodeOps Technologies LLP
 
Kubernetes best practices
Kubernetes best practicesKubernetes best practices
Kubernetes best practicesBill Liu
 
DCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDocker, Inc.
 
Production ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesProduction ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesChandresh Pancholi
 
Kubernetes for Serverless - Serverless Summit 2017 - Krishna Kumar
Kubernetes for Serverless - Serverless Summit 2017 - Krishna KumarKubernetes for Serverless - Serverless Summit 2017 - Krishna Kumar
Kubernetes for Serverless - Serverless Summit 2017 - Krishna KumarCodeOps Technologies LLP
 
Play Support in Cloud Foundry
Play Support in Cloud FoundryPlay Support in Cloud Foundry
Play Support in Cloud Foundryrajdeep
 
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...Docker, Inc.
 
Infrastructure as code
Infrastructure as codeInfrastructure as code
Infrastructure as codeAxel Quack
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDocker, Inc.
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17Mario-Leander Reimer
 
Azure Kubernetes Service - benefits and challenges
Azure Kubernetes Service - benefits and challengesAzure Kubernetes Service - benefits and challenges
Azure Kubernetes Service - benefits and challengesWojciech Barczyński
 
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
 
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...Docker, Inc.
 
Docker on AWS - the Right Way
Docker on AWS - the Right WayDocker on AWS - the Right Way
Docker on AWS - the Right WayAllCloud
 
Securing containers
Securing containersSecuring containers
Securing containersSathyajith Bhat
 
Using Docker For Development
Using Docker For DevelopmentUsing Docker For Development
Using Docker For DevelopmentLaura Frank Tacho
 

More Related Content

What's hot

Sf bay area Kubernetes meetup dec8 2016 - deployment models
Sf bay area Kubernetes meetup dec8 2016 - deployment modelsSf bay area Kubernetes meetup dec8 2016 - deployment models
Sf bay area Kubernetes meetup dec8 2016 - deployment modelsPeter Ss
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013aspyker
 
Securing Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeSecuring Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeCodeOps Technologies LLP
 
Monitoring on Kubernetes using Prometheus - Chandresh
Monitoring on Kubernetes using Prometheus - Chandresh Monitoring on Kubernetes using Prometheus - Chandresh
Monitoring on Kubernetes using Prometheus - Chandresh CodeOps Technologies LLP
 
Containers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioContainers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioAraf Karsh Hamid
 
Kubernetes Architecture - beyond a black box - Part 1
Kubernetes Architecture - beyond a black box - Part 1Kubernetes Architecture - beyond a black box - Part 1
Kubernetes Architecture - beyond a black box - Part 1Hao H. Zhang
 
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWS
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWSServerless Architectural Patterns 
and Best Practices - Madhu Shekar - AWS
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWSCodeOps Technologies LLP
 
Kubernetes best practices
Kubernetes best practicesKubernetes best practices
Kubernetes best practicesBill Liu
 
DCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDocker, Inc.
 
Production ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesProduction ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesChandresh Pancholi
 
Kubernetes for Serverless - Serverless Summit 2017 - Krishna Kumar
Kubernetes for Serverless - Serverless Summit 2017 - Krishna KumarKubernetes for Serverless - Serverless Summit 2017 - Krishna Kumar
Kubernetes for Serverless - Serverless Summit 2017 - Krishna KumarCodeOps Technologies LLP
 
Play Support in Cloud Foundry
Play Support in Cloud FoundryPlay Support in Cloud Foundry
Play Support in Cloud Foundryrajdeep
 
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...Docker, Inc.
 
Infrastructure as code
Infrastructure as codeInfrastructure as code
Infrastructure as codeAxel Quack
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDocker, Inc.
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17Mario-Leander Reimer
 
Azure Kubernetes Service - benefits and challenges
Azure Kubernetes Service - benefits and challengesAzure Kubernetes Service - benefits and challenges
Azure Kubernetes Service - benefits and challengesWojciech Barczyński
 
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Codemotion
 
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...Docker, Inc.
 
Docker on AWS - the Right Way
Docker on AWS - the Right WayDocker on AWS - the Right Way
Docker on AWS - the Right WayAllCloud
 

What's hot (20)

Sf bay area Kubernetes meetup dec8 2016 - deployment models
Sf bay area Kubernetes meetup dec8 2016 - deployment modelsSf bay area Kubernetes meetup dec8 2016 - deployment models
Sf bay area Kubernetes meetup dec8 2016 - deployment models
 
NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013NetflixOSS for Triangle Devops Oct 2013
NetflixOSS for Triangle Devops Oct 2013
 
Securing Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - AdobeSecuring Containers - Sathyajit Bhat - Adobe
Securing Containers - Sathyajit Bhat - Adobe
 
Monitoring on Kubernetes using Prometheus - Chandresh
Monitoring on Kubernetes using Prometheus - Chandresh Monitoring on Kubernetes using Prometheus - Chandresh
Monitoring on Kubernetes using Prometheus - Chandresh
 
Containers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes IstioContainers Docker Kind Kubernetes Istio
Containers Docker Kind Kubernetes Istio
 
Kubernetes Architecture - beyond a black box - Part 1
Kubernetes Architecture - beyond a black box - Part 1Kubernetes Architecture - beyond a black box - Part 1
Kubernetes Architecture - beyond a black box - Part 1
 
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWS
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWSServerless Architectural Patterns 
and Best Practices - Madhu Shekar - AWS
Serverless Architectural Patterns 
and Best Practices - Madhu Shekar - AWS
 
Kubernetes best practices
Kubernetes best practicesKubernetes best practices
Kubernetes best practices
 
DCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and ArchitectureDCEU 18: Docker Enterprise Platform and Architecture
DCEU 18: Docker Enterprise Platform and Architecture
 
Production ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetesProduction ready tooling for microservices on kubernetes
Production ready tooling for microservices on kubernetes
 
Kubernetes for Serverless - Serverless Summit 2017 - Krishna Kumar
Kubernetes for Serverless - Serverless Summit 2017 - Krishna KumarKubernetes for Serverless - Serverless Summit 2017 - Krishna Kumar
Kubernetes for Serverless - Serverless Summit 2017 - Krishna Kumar
 
Play Support in Cloud Foundry
Play Support in Cloud FoundryPlay Support in Cloud Foundry
Play Support in Cloud Foundry
 
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
DCEU 18: Use Cases and Practical Solutions for Docker Container Storage on Sw...
 
Infrastructure as code
Infrastructure as codeInfrastructure as code
Infrastructure as code
 
DCEU 18: Docker Container Networking
DCEU 18: Docker Container NetworkingDCEU 18: Docker Container Networking
DCEU 18: Docker Container Networking
 
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
A Hitchhiker’s Guide to the Cloud Native Stack. #CDS17
 
Azure Kubernetes Service - benefits and challenges
Azure Kubernetes Service - benefits and challengesAzure Kubernetes Service - benefits and challenges
Azure Kubernetes Service - benefits and challenges
 
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
Luca Relandini - Microservices and containers networking: Contiv, deep dive a...
 
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...
DCEU 18: From Legacy Mainframe to the Cloud: The Finnish Railways Evolution w...
 
Docker on AWS - the Right Way
Docker on AWS - the Right WayDocker on AWS - the Right Way
Docker on AWS - the Right Way
 

Similar to Securing Containers - Sathyajit Bhat - Adobe - Container Conference 18

Using Docker For Development
Using Docker For DevelopmentUsing Docker For Development
Using Docker For DevelopmentLaura Frank Tacho
 
Using Databases and Containers From Development to Deployment
Using Databases and Containers From Development to DeploymentUsing Databases and Containers From Development to Deployment
Using Databases and Containers From Development to DeploymentAerospike, Inc.
 
Master your java_applications_in_kubernetes
Master your java_applications_in_kubernetesMaster your java_applications_in_kubernetes
Master your java_applications_in_kubernetesAndy Moncsek
 
PHPアプリケーションのコンテナ化入門
PHPアプリケーションのコンテナ化入門PHPアプリケーションのコンテナ化入門
PHPアプリケーションのコンテナ化入門Amazon Web Services Japan
 
Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21...
Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21...Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21...
Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21...Amazon Web Services
 
Breaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfBreaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfAmazon Web Services
 
Cloud Community Engineering - Holiday readiness
Cloud Community Engineering - Holiday readinessCloud Community Engineering - Holiday readiness
Cloud Community Engineering - Holiday readinessOleg Posyniak
 
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트Amazon Web Services Korea
 
Breaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfBreaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfAmazon Web Services
 
Oracle Database 18c Docker.pdf
Oracle Database 18c Docker.pdfOracle Database 18c Docker.pdf
Oracle Database 18c Docker.pdfYossi Nixon
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAndrew Khoury
 
01282016 Aerospike-Docker webinar
01282016 Aerospike-Docker webinar01282016 Aerospike-Docker webinar
01282016 Aerospike-Docker webinarAerospike, Inc.
 
Introduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day IsraelIntroduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day IsraelAmazon Web Services
 
EMC World 2016 - code.09 Introduction to the Docker Platform
EMC World 2016 - code.09 Introduction to the Docker PlatformEMC World 2016 - code.09 Introduction to the Docker Platform
EMC World 2016 - code.09 Introduction to the Docker Platform{code}
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slidesDocker, Inc.
 
AWS Container Services – 유재석 (AWS 솔루션즈 아키텍트)
AWS Container Services – 유재석 (AWS 솔루션즈 아키텍트)AWS Container Services – 유재석 (AWS 솔루션즈 아키텍트)
AWS Container Services – 유재석 (AWS 솔루션즈 아키텍트)Amazon Web Services Korea
 

Similar to Securing Containers - Sathyajit Bhat - Adobe - Container Conference 18 (20)

Securing containers
Securing containersSecuring containers
Securing containers
 
Using Docker For Development
Using Docker For DevelopmentUsing Docker For Development
Using Docker For Development
 
SD Times - Docker v2
SD Times - Docker v2SD Times - Docker v2
SD Times - Docker v2
 
Using Databases and Containers From Development to Deployment
Using Databases and Containers From Development to DeploymentUsing Databases and Containers From Development to Deployment
Using Databases and Containers From Development to Deployment
 
Master your java_applications_in_kubernetes
Master your java_applications_in_kubernetesMaster your java_applications_in_kubernetes
Master your java_applications_in_kubernetes
 
Before & After Docker Init
Before & After Docker InitBefore & After Docker Init
Before & After Docker Init
 
PHPアプリケーションのコンテナ化入門
PHPアプリケーションのコンテナ化入門PHPアプリケーションのコンテナ化入門
PHPアプリケーションのコンテナ化入門
 
Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21...
Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21...Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21...
Mythical Mysfits: Monolith to Microservice with Docker and AWS Fargate (CON21...
 
Set up a Development Environment in 5 Minutes
Set up a Development Environment in 5 MinutesSet up a Development Environment in 5 Minutes
Set up a Development Environment in 5 Minutes
 
Breaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfBreaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdf
 
Cloud Community Engineering - Holiday readiness
Cloud Community Engineering - Holiday readinessCloud Community Engineering - Holiday readiness
Cloud Community Engineering - Holiday readiness
 
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
K8s, Amazon EKS - 유재석, AWS 솔루션즈 아키텍트
 
Breaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdfBreaking the Monolith road to containers.pdf
Breaking the Monolith road to containers.pdf
 
Oracle Database 18c Docker.pdf
Oracle Database 18c Docker.pdfOracle Database 18c Docker.pdf
Oracle Database 18c Docker.pdf
 
AEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser CachingAEM (CQ) Dispatcher Security and CDN+Browser Caching
AEM (CQ) Dispatcher Security and CDN+Browser Caching
 
01282016 Aerospike-Docker webinar
01282016 Aerospike-Docker webinar01282016 Aerospike-Docker webinar
01282016 Aerospike-Docker webinar
 
Introduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day IsraelIntroduction To Containers - Builders Day Israel
Introduction To Containers - Builders Day Israel
 
EMC World 2016 - code.09 Introduction to the Docker Platform
EMC World 2016 - code.09 Introduction to the Docker PlatformEMC World 2016 - code.09 Introduction to the Docker Platform
EMC World 2016 - code.09 Introduction to the Docker Platform
 
Docker Security workshop slides
Docker Security workshop slidesDocker Security workshop slides
Docker Security workshop slides
 
AWS Container Services – 유재석 (AWS 솔루션즈 아키텍트)
AWS Container Services – 유재석 (AWS 솔루션즈 아키텍트)AWS Container Services – 유재석 (AWS 솔루션즈 아키텍트)
AWS Container Services – 유재석 (AWS 솔루션즈 아키텍트)
 

More from CodeOps Technologies LLP

AWS Serverless Event-driven Architecture - in lastminute.com meetup
AWS Serverless Event-driven Architecture - in lastminute.com meetupAWS Serverless Event-driven Architecture - in lastminute.com meetup
AWS Serverless Event-driven Architecture - in lastminute.com meetupCodeOps Technologies LLP
 
BUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONS
BUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONSBUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONS
BUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONSCodeOps Technologies LLP
 
APPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICES
APPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICESAPPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICES
APPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICESCodeOps Technologies LLP
 
BUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPS
BUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPSBUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPS
BUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPSCodeOps Technologies LLP
 
CREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNER
CREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNERCREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNER
CREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNERCodeOps Technologies LLP
 
CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...
CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...
CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...CodeOps Technologies LLP
 
WRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESS
WRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESSWRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESS
WRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESSCodeOps Technologies LLP
 
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaTraining And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaCodeOps Technologies LLP
 
Deploy Microservices To Kubernetes Without Secrets by Reenu Saluja
Deploy Microservices To Kubernetes Without Secrets by Reenu SalujaDeploy Microservices To Kubernetes Without Secrets by Reenu Saluja
Deploy Microservices To Kubernetes Without Secrets by Reenu SalujaCodeOps Technologies LLP
 
Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...
Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...
Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...CodeOps Technologies LLP
 
YAML Tips For Kubernetes by Neependra Khare
YAML Tips For Kubernetes by Neependra KhareYAML Tips For Kubernetes by Neependra Khare
YAML Tips For Kubernetes by Neependra KhareCodeOps Technologies LLP
 
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...CodeOps Technologies LLP
 
Monitor Azure Kubernetes Cluster With Prometheus by Mamta Jha
Monitor Azure Kubernetes Cluster With Prometheus by Mamta JhaMonitor Azure Kubernetes Cluster With Prometheus by Mamta Jha
Monitor Azure Kubernetes Cluster With Prometheus by Mamta JhaCodeOps Technologies LLP
 
Functional Programming in Java 8 - Lambdas and Streams
Functional Programming in Java 8 - Lambdas and StreamsFunctional Programming in Java 8 - Lambdas and Streams
Functional Programming in Java 8 - Lambdas and StreamsCodeOps Technologies LLP
 
Distributed Tracing: New DevOps Foundation
Distributed Tracing: New DevOps FoundationDistributed Tracing: New DevOps Foundation
Distributed Tracing: New DevOps FoundationCodeOps Technologies LLP
 
"Distributed Tracing: New DevOps Foundation" by Jayesh Ahire
"Distributed Tracing: New DevOps Foundation" by Jayesh Ahire "Distributed Tracing: New DevOps Foundation" by Jayesh Ahire
"Distributed Tracing: New DevOps Foundation" by Jayesh Ahire CodeOps Technologies LLP
 

More from CodeOps Technologies LLP (20)

AWS Serverless Event-driven Architecture - in lastminute.com meetup
AWS Serverless Event-driven Architecture - in lastminute.com meetupAWS Serverless Event-driven Architecture - in lastminute.com meetup
AWS Serverless Event-driven Architecture - in lastminute.com meetup
 
Understanding azure batch service
Understanding azure batch serviceUnderstanding azure batch service
Understanding azure batch service
 
DEVOPS AND MACHINE LEARNING
DEVOPS AND MACHINE LEARNINGDEVOPS AND MACHINE LEARNING
DEVOPS AND MACHINE LEARNING
 
SERVERLESS MIDDLEWARE IN AZURE FUNCTIONS
SERVERLESS MIDDLEWARE IN AZURE FUNCTIONSSERVERLESS MIDDLEWARE IN AZURE FUNCTIONS
SERVERLESS MIDDLEWARE IN AZURE FUNCTIONS
 
BUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONS
BUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONSBUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONS
BUILDING SERVERLESS SOLUTIONS WITH AZURE FUNCTIONS
 
APPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICES
APPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICESAPPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICES
APPLYING DEVOPS STRATEGIES ON SCALE USING AZURE DEVOPS SERVICES
 
BUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPS
BUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPSBUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPS
BUILD, TEST & DEPLOY .NET CORE APPS IN AZURE DEVOPS
 
CREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNER
CREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNERCREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNER
CREATE RELIABLE AND LOW-CODE APPLICATION IN SERVERLESS MANNER
 
CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...
CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...
CREATING REAL TIME DASHBOARD WITH BLAZOR, AZURE FUNCTION COSMOS DB AN AZURE S...
 
WRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESS
WRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESSWRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESS
WRITE SCALABLE COMMUNICATION APPLICATION WITH POWER OF SERVERLESS
 
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh SharmaTraining And Serving ML Model Using Kubeflow by Jayesh Sharma
Training And Serving ML Model Using Kubeflow by Jayesh Sharma
 
Deploy Microservices To Kubernetes Without Secrets by Reenu Saluja
Deploy Microservices To Kubernetes Without Secrets by Reenu SalujaDeploy Microservices To Kubernetes Without Secrets by Reenu Saluja
Deploy Microservices To Kubernetes Without Secrets by Reenu Saluja
 
Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...
Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...
Leverage Azure Tech stack for any Kubernetes cluster via Azure Arc by Saiyam ...
 
YAML Tips For Kubernetes by Neependra Khare
YAML Tips For Kubernetes by Neependra KhareYAML Tips For Kubernetes by Neependra Khare
YAML Tips For Kubernetes by Neependra Khare
 
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
Must Know Azure Kubernetes Best Practices And Features For Better Resiliency ...
 
Monitor Azure Kubernetes Cluster With Prometheus by Mamta Jha
Monitor Azure Kubernetes Cluster With Prometheus by Mamta JhaMonitor Azure Kubernetes Cluster With Prometheus by Mamta Jha
Monitor Azure Kubernetes Cluster With Prometheus by Mamta Jha
 
Jet brains space intro presentation
Jet brains space intro presentationJet brains space intro presentation
Jet brains space intro presentation
 
Functional Programming in Java 8 - Lambdas and Streams
Functional Programming in Java 8 - Lambdas and StreamsFunctional Programming in Java 8 - Lambdas and Streams
Functional Programming in Java 8 - Lambdas and Streams
 
Distributed Tracing: New DevOps Foundation
Distributed Tracing: New DevOps FoundationDistributed Tracing: New DevOps Foundation
Distributed Tracing: New DevOps Foundation
 
"Distributed Tracing: New DevOps Foundation" by Jayesh Ahire
"Distributed Tracing: New DevOps Foundation" by Jayesh Ahire "Distributed Tracing: New DevOps Foundation" by Jayesh Ahire
"Distributed Tracing: New DevOps Foundation" by Jayesh Ahire
 

Recently uploaded

ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...Christina Lin
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024StefanoLambiase
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptkotipi9215
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...OnePlan Solutions
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - InfographicHr365.us smith
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureDinusha Kumarasiri
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfAlina Yurenko
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)OPEN KNOWLEDGE GmbH
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Andreas Granig
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxTier1 app
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...MyIntelliSource, Inc.
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio, Inc.
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackVICTOR MAESTRE RAMIREZ
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...gurkirankumar98700
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxnada99848
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWave PLM
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesPhilip Schwarz
 

Recently uploaded (20)

ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
ODSC - Batch to Stream workshop - integration of Apache Spark, Cassandra, Pos...
 
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
Dealing with Cultural Dispersion — Stefano Lambiase — ICSE-SEIS 2024
 
chapter--4-software-project-planning.ppt
chapter--4-software-project-planning.pptchapter--4-software-project-planning.ppt
chapter--4-software-project-planning.ppt
 
Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...Advancing Engineering with AI through the Next Generation of Strategic Projec...
Advancing Engineering with AI through the Next Generation of Strategic Projec...
 
Asset Management Software - Infographic
Asset Management Software - InfographicAsset Management Software - Infographic
Asset Management Software - Infographic
 
Implementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with AzureImplementing Zero Trust strategy with Azure
Implementing Zero Trust strategy with Azure
 
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdfGOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
GOING AOT WITH GRAALVM – DEVOXX GREECE.pdf
 
Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)Der Spagat zwischen BIAS und FAIRNESS (2024)
Der Spagat zwischen BIAS und FAIRNESS (2024)
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024Automate your Kamailio Test Calls - Kamailio World 2024
Automate your Kamailio Test Calls - Kamailio World 2024
 
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptxKnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
KnowAPIs-UnknownPerf-jaxMainz-2024 (1).pptx
 
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
Call Girls In Mukherjee Nagar 📱 9999965857 🤩 Delhi 🫦 HOT AND SEXY VVIP 🍎 SE...
 
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
Steps To Getting Up And Running Quickly With MyTimeClock Employee Scheduling ...
 
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed DataAlluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
Alluxio Monthly Webinar | Cloud-Native Model Training on Distributed Data
 
Cloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStackCloud Management Software Platforms: OpenStack
Cloud Management Software Platforms: OpenStack
 
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
(Genuine) Escort Service Lucknow | Starting ₹,5K To @25k with A/C 🧑🏽‍❤️‍🧑🏻 89...
 
software engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptxsoftware engineering Chapter 5 System modeling.pptx
software engineering Chapter 5 System modeling.pptx
 
What is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need ItWhat is Fashion PLM and Why Do You Need It
What is Fashion PLM and Why Do You Need It
 
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort ServiceHot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
Hot Sexy call girls in Patel Nagar🔝 9953056974 🔝 escort Service
 
Folding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a seriesFolding Cheat Sheet #4 - fourth in a series
Folding Cheat Sheet #4 - fourth in a series
 

Securing Containers - Sathyajit Bhat - Adobe - Container Conference 18

  • 1. © 2018 Adobe Systems Incorporated. All Rights Reserved. Securing Containers Sathyajith Bhat | Senior DevOps Engineer – Adobe I/O
  • 2. © 2018 Adobe Systems Incorporated. All Rights Reserved. 2 $whoami § Sathyajith Bhat § Senior DevOps Engineer - Adobe I/O § Organizer, Bangalore AWS Users’ Group § Author - Practical Docker with Python
  • 3. © 2018 Adobe Systems Incorporated. All Rights Reserved. 3 Run this for me. sudo docker run -v /:/app sathyabhat/demo cat /tmp/demo.log
  • 4. © 2018 Adobe Systems Incorporated. All Rights Reserved. 4 Adobe I/O § Adobe I/O is the place for developers looking to integrate, extend, or create apps and experiences based on Adobe's products and technologies. § Adobe I/O API Gateway § A performant API Gateway based on Nginx and Openresty § 1.5 billion+ API calls per day § Adobe I/O Events § An event notification service to inform subscribing systems of near real-time events happening in Adobe services. § Adobe I/O Runtime § A serverless platform(currently in private beta) based on Apache OpenWhisk which allows a developer to execute code on Adobe's infrastructure.
  • 5. © 2018 Adobe Systems Incorporated. All Rights Reserved. Containers - How We Perceive 5 Photo Courtesy: Sam MacCutchan, Flickr
  • 6. © 2018 Adobe Systems Incorporated. All Rights Reserved. Containers - How They Tend to Be 6 Photo Courtesy: Kazuyoshi Kato, Flickr
  • 7. © 2018 Adobe Systems Incorporated. All Rights Reserved. Threats to Containers § From Docker Hosts § From noisy neighbours § From within containers § From external world § From within the application 7
  • 8. © 2018 Adobe Systems Incorporated. All Rights Reserved. Different mechanisms § Control Groups (cgroups) § Namespaces § Kernel Capabilities § Seccomp § Image Security § Vulnerability Scanning 8
  • 9. © 2018 Adobe Systems Incorporated. All Rights Reserved. cgroups § Group, Limit & isolate resource utilization § Resources that can be controlled: CPU, Memory, Disk, Network § cgroups Docker uses: § Memory § HugeTBL § CPU § CPUSet § BlkIO § Devices § /sys/fs/cgroups 9
  • 10. © 2018 Adobe Systems Incorporated. All Rights Reserved. cgroups § Applying limits § docker run --cpus=”0.5” § docker run --cpu-shares=512 (weighted CPU distribution, default weight == 1024) § docker run --memory=2g § docker run --oom-kill-disable (!!) § docker run --device-read-iops § docker run --device-write-iops § Custom cgroup? § Yes! docker run --cgroup-parent 10
  • 11. © 2018 Adobe Systems Incorporated. All Rights Reserved. Namespaces § Abstraction which makes a process appear they are isolated § Controls what processes can see § Different types of namespaces: § Mount § PID § UTS § IPC § Network § User 11
  • 12. © 2018 Adobe Systems Incorporated. All Rights Reserved. Namespaces - User Namespace Remapping § Remap a user with a container to another user on the Host § Remap privileged user within container to non-privileged one outside host § Enabling remapping: § dockerd --userns-remap=”remap-user:remap-group” § Or, edit daemon.json { userns-remap: “remap-user” } 12
  • 13. © 2018 Adobe Systems Incorporated. All Rights Reserved. Namespaces - User Namespace Remapping Caveats § Ensure the users/groups are created & associated with your user § Enable/Disable it on a new Docker install than existing one § Can no longer user --pid=host or --network=host 13
  • 14. © 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp § Secure Mode Computing § Kernel feature, restricts syscalls that a process can do § Create custom profiles, pass a different profile for each container § Default seccomp policy for Docker § Disables 44 system calls of 300+ system calls 14
  • 15. © 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp Pre-requisites: § Check for kernel support § grep CONFIG_SECCOMP=/boot/config-$(uname -r) § Apply seccomp § docker run § ??? § Seccomp is applied by default! § Verify with docker info 15
  • 16. © 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp § Create custom profiles as json § docker run --security-opt seccomp=profile.json § How to find what syscalls are in place? § strace (Linux) § dtruss (macOS) 16
  • 17. © 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp(demo) cat seccomp-profile.json { "defaultAction": "SCMP_ACT_ALLOW", "syscalls": [ { "name": "chown", "action": "SCMP_ACT_ERRNO" }, { "name": "chmod", "action": "SCMP_ACT_ERRNO" } ] } 17
  • 18. © 2018 Adobe Systems Incorporated. All Rights Reserved. seccomp(demo) / # echo "rm -rf" > fluffy_kittens.sh / # chmod u+x fluffy_kittens.sh chmod: fluffy_kittens.sh: Operation not permitted 18
  • 19. © 2018 Adobe Systems Incorporated. All Rights Reserved. Kernel Capabilities § Drop unnecessary capabilities from the container § Alternatively, provide necessary ones § Don’t need chown capability? Drop it § docker run --cap-drop=chown 19
  • 20. © 2018 Adobe Systems Incorporated. All Rights Reserved. AppArmor § Mandatory Access Control § Why? § Unix permissions allow for R/W/X § No fine grained permissions § Why should your application look at other logs? § Docker expects AppArmor policies to be loaded on Docker host 20
  • 21. © 2018 Adobe Systems Incorporated. All Rights Reserved. Managing Vulnerabilities § Images are still software - and old, if not rebuilt § Heartbleed § Vulnerability in openSSL § Ghost § Vulnerability in glibc 21
  • 22. © 2018 Adobe Systems Incorporated. All Rights Reserved. Managing Vulnerabilities Vulnerability Scanners § Clair (CoreOS) § Twistlock § Aqua Container Security § Sysdig Falco 22
  • 23. © 2018 Adobe Systems Incorporated. All Rights Reserved. Trusted Images § Don’t use images blindly § Host the images in private/self-hosted registry § Publishing to Docker Hub? Enable Docker Content Trust 23
  • 24. © 2018 Adobe Systems Incorporated. All Rights Reserved. Docker Content Trust § Enable content trust § export DOCKER_CONTENT_TRUST=1 § Images must have content signatures § Trust is managed by use of signing keys § Offline key: Root of content trust § Repository key for signing tags § Server managed Timestamp key 24
  • 25. © 2018 Adobe Systems Incorporated. All Rights Reserved. References § Kernel Capabilities § Tutorial on Creating AppArmor Profiles § Docker Security Docs § Sysadmin Casts - Linux Control Groups § Searchable Syscall Table § Google Chrome Seccomp Sandbox Implementation Doc § User Namespaces in Docker Engine 25
  • 26. © 2018 Adobe Systems Incorporated. All Rights Reserved. Thanks! § Twitter - sathyabhat § Email: sabhat@adobe.com § https://www.adobe.io | @adobeio 26