#ContainerDayFR
Security in a Containerized World
#ContainerDayFRParis Container Day 2017
Jessie Frazelle
Software Engineer
Googler.
I have contributed to many open source projects
including Docker, Go, Kubernetes, Runc, & the
Linux kernel.
Focus on runtime security for containers.
A brief history of containers and Paris...
Paris is the true home of containers.
Security Models
Security Model: Stages
Single tenant, multi-identities
● Multi-user, but no hard enforcement. Still have to treat the cluster as one trust boundary.

Cooperative soft multi-tenancy (Kubernetes 1.6+)
● Multi-user, fine-grained authorization. Possibly not fully hardened.
● Often good enough for multi-tenancy inside a single company (you can fire bad actors).

Hard multi-tenancy (long-term goal)
● Multi-tenant security boundaries more strongly enforced.
● Better resource isolation.
● E.g. comfortable running code from multiple third parties on the same cluster.
Project/Cluster as Boundary
● Authorization permissions granted at project/cluster level
● All nodes have the same authenticated identity
● All pods have the same authorization permissions
● All pods have full network access
[Diagram: my-project/my-cluster with node-1, node-2 and node-3 running the team1-fe, team1-db, team2-fe and team2-db pods side by side, with no namespace boundaries between them.]
Namespace/Pod as a Boundary
● Authorization permissions granted at namespace/resource level
● Nodes have individual identities with per-node permissions
● Pods have identity with fine-grained permissions
● Pod network access can be limited to what's necessary
[Diagram: my-cluster with node-1, node-2 and node-3; the team1-fe/team1-db pods belong to team1-namespace and the team2-fe/team2-db pods to team2-namespace, spread across the same nodes.]
Per-namespace/per-resource permissions
Move from: everything has root-in-cluster.
To: users and system components have least privilege.
Examples:
● Alice can list Eng services, but not HR
● Bob can create Pods in the Test namespace, not Prod
● Scheduler can read Pods but not Secrets
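The three examples above are exactly what RBAC Roles and bindings express. As an added example (not code from the talk or from Kubernetes), here is a Python model of RBAC evaluation that answers them: Roles are namespaced, ClusterRoles are not, a RoleBinding grants only inside its own namespace, a ClusterRoleBinding grants in every namespace, and anything not granted is denied. Role names, the namespace names (eng, hr, test, prod) and plain-string subjects are assumptions made for the demo; real rules also carry apiGroups, which are omitted here.

```python
"""Evaluate "can subject S do verb V on resource R in namespace N?" with
Kubernetes-style RBAC objects.

Added example, not code from the talk or from Kubernetes: a small model of
RBAC authorization used to check the slide's three least-privilege
examples. Roles and bindings below are constructed for the demo; the
namespace names (eng, hr, test, prod) and role names are assumptions, and
subjects are plain user names rather than full Subject objects.
"""

# Role rules are namespaced: (namespace, role name) -> rules.
ROLES = {
    ("eng", "service-reader"): [{"resources": ["services"], "verbs": ["get", "list"]}],
    ("test", "pod-creator"): [{"resources": ["pods"], "verbs": ["create"]}],
}
# ClusterRoles are not namespaced.
CLUSTER_ROLES = {
    "pod-reader": [{"resources": ["pods"], "verbs": ["get", "list", "watch"]}],
}
# A RoleBinding grants a Role (or ClusterRole) only inside its own namespace.
ROLE_BINDINGS = [
    {"namespace": "eng", "roleRef": ("Role", "service-reader"), "subjects": ["alice"]},
    {"namespace": "test", "roleRef": ("Role", "pod-creator"), "subjects": ["bob"]},
]
# A ClusterRoleBinding grants a ClusterRole in every namespace.
CLUSTER_ROLE_BINDINGS = [
    {"roleRef": "pod-reader", "subjects": ["system:kube-scheduler"]},
]


def _rule_matches(rule, verb, resource):
    """A rule grants when its verb list and its resource list both cover the request."""
    return (("*" in rule["verbs"] or verb in rule["verbs"])
            and ("*" in rule["resources"] or resource in rule["resources"]))


def _rules_for(role_ref, namespace):
    kind, name = role_ref
    if kind == "ClusterRole":
        return CLUSTER_ROLES.get(name, [])
    return ROLES.get((namespace, name), [])   # a Role must live in the binding's namespace


def allowed(subject, verb, resource, namespace):
    """Deny by default; a single matching rule reachable through any binding grants."""
    for rb in ROLE_BINDINGS:
        if rb["namespace"] == namespace and subject in rb["subjects"]:
            if any(_rule_matches(r, verb, resource) for r in _rules_for(rb["roleRef"], namespace)):
                return True
    for crb in CLUSTER_ROLE_BINDINGS:
        if subject in crb["subjects"]:
            if any(_rule_matches(r, verb, resource) for r in CLUSTER_ROLES.get(crb["roleRef"], [])):
                return True
    return False


if __name__ == "__main__":
    checks = [("alice", "list", "services", "eng"), ("alice", "list", "services", "hr"),
              ("bob", "create", "pods", "test"), ("bob", "create", "pods", "prod"),
              ("system:kube-scheduler", "get", "pods", "prod"),
              ("system:kube-scheduler", "get", "secrets", "prod")]
    for subject, verb, resource, ns in checks:
        verdict = "allow" if allowed(subject, verb, resource, ns) else "deny"
        print(f"{subject:22s} {verb:6s} {resource:8s} in {ns:4s}: {verdict}")
```

The point to notice is the scheduler: its ClusterRoleBinding reaches every namespace, which is why its ClusterRole must list only the resources it actually needs (pods, not secrets).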
Per-node identity & permissions
Move from: all nodes have vast permissions.
To: each node has least privilege.
Examples:
● A node can only get info about the Pods scheduled on it
● A compromised node doesn't allow additional escalation through the Kubernetes API
Pod identity & permissions
Move from: running workloads have full system access by default.
To: workloads must be granted permissions.
Example:
● A running workload can list other objects in its namespace, but not outside of it
Network policy
Move from: all workloads receive traffic from anywhere on the network.
To: network connectivity is controllable by policy.
Example:
● The frontend layer can only communicate with the application layer, not with other frontends.
Runtime Security
What is a sandbox?
Something that provides a net reduction in attack surface.
The test: compare code execution from inside and outside the sandbox. Are more or fewer things possible now?
Chrome Sandbox
Each tab gets its own pid namespace.
What's a pid namespace? It is used to isolate the process ID number space.
Uses unprivileged user namespaces and network namespaces.
Uses Seccomp-BPF.
What is Seccomp?
SECure COMPuting with filters.
Allows developers to write BPF programs that determine whether a given system call will be allowed or not.
What is BPF? Berkeley Packet Filter: an in-kernel bytecode machine that is used for tracing, virtual networks, seccomp... and more.
Let's apply these same principles to containers...
What is a container?
Namespaces: control what a process can see.
● PID
● Mount
● Network
● UTS
● IPC
● User
● Cgroup
Cgroups: control what a process can use.
● Memory
● CPU
● Blkio
● Cpuacct
● Cpuset
● Devices
● Net_prio
● Freezer
AppArmor
A Linux Security Module that can control and audit various process actions such as file access (read, write, execute, etc.) and system functions (mount, TCP networking, etc.).
AppArmor in Docker
Sane defaults (the docker-default profile, applied to every container unless --security-opt apparmor=<profile> selects another):
- Preventing writing to /proc/{num}, /proc/sys, /sys
- Preventing mount
AppArmor in Kubernetes
Getting towards sane defaults:
- Preventing writing to /proc/{num}, /proc/sys, /sys
- Preventing mount

The profile is selected per container through a beta annotation keyed on the container name:

apiVersion: v1
kind: Pod
metadata:
  name: hello-nginx
  annotations:
    container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
spec:
  containers:
  - name: nginx
    image: nginx
    command: ["nginx", "-g", "daemon off;"]
Seccomp
Syscall filters allow an application to define which syscalls it allows or denies.
Seccomp in Docker
Docker's default seccomp profile is a whitelist which specifies the calls that are allowed; everything not listed fails.
It blocks a bunch of bad stuff, including but not limited to the following...
add_key, keyctl, request_key
Prevent containers from using the kernel keyring, which is not namespaced.
clone, unshare
Deny cloning/unsharing new namespaces: clone is whitelisted only when none of the CLONE_NEW* flags are set, and unshare is not whitelisted at all.
The kernel already gates the other CLONE_NEW* flags behind CAP_SYS_ADMIN. The exception is CLONE_NEWUSER (written CLONE_USERNS in the Docker docs), which needs no capability and has a history of vulns, so the seccomp rule is what closes it.
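To make the clone/unshare rule concrete, here is an added example (not code from the talk, from Docker or from runc) that evaluates a Docker-style seccomp profile in Python: given a syscall name and its arguments, it returns the action the profile would take. The profile inside the block is a constructed excerpt in the JSON shape Docker's default profile uses (defaultAction, a syscalls whitelist, optional argument conditions), not the real profile; the short whitelist and the choice of which calls to leave out are assumptions made for the demo. The clone rule itself mirrors Docker's approach: a masked compare on the flags argument that lets fork-style clones through and sends any namespace-creating clone, including an unprivileged CLONE_NEWUSER, to the default action.

```python
"""Decide what a Docker-style seccomp profile does with a given syscall.

Added example, not code from the talk, Docker or runc. PROFILE is a
constructed excerpt in the JSON shape Docker's default profile uses
(defaultAction plus a whitelist of syscalls, optionally with argument
conditions); it is not the real default profile. The clone rule copies
Docker's approach: clone is whitelisted only when none of the CLONE_NEW*
namespace flags are set, so fork-style clones work but namespace creation
(including unprivileged CLONE_NEWUSER) falls through to the default action.
"""
import json

# clone(2) namespace flags, values from <linux/sched.h>.
CLONE_NEWNS = 0x00020000
CLONE_NEWUTS = 0x04000000
CLONE_NEWIPC = 0x08000000
CLONE_NEWUSER = 0x10000000
CLONE_NEWPID = 0x20000000
CLONE_NEWNET = 0x40000000
NAMESPACE_FLAGS = (CLONE_NEWNS | CLONE_NEWUTS | CLONE_NEWIPC
                   | CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNET)
SIGCHLD = 17  # glibc's fork() passes this in the low bits of clone's flags

PROFILE_JSON = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",        # anything not listed fails with EPERM
    "syscalls": [
        {"names": ["read", "write", "openat", "mmap", "exit_group"],
         "action": "SCMP_ACT_ALLOW"},
        # keyctl/add_key/request_key and unshare are deliberately absent.
        {"names": ["clone"],
         "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "op": "SCMP_CMP_MASKED_EQ",
                   "value": NAMESPACE_FLAGS, "valueTwo": 0}]},
    ],
})
PROFILE = json.loads(PROFILE_JSON)


def _arg_matches(cond, actual):
    """libseccomp comparison: op(actual, value[, valueTwo])."""
    op, value, value_two = cond["op"], cond["value"], cond.get("valueTwo", 0)
    if op == "SCMP_CMP_MASKED_EQ":
        return (actual & value) == value_two
    if op == "SCMP_CMP_EQ":
        return actual == value
    if op == "SCMP_CMP_NE":
        return actual != value
    if op == "SCMP_CMP_LT":
        return actual < value
    if op == "SCMP_CMP_GE":
        return actual >= value
    raise ValueError(f"unsupported comparison {op}")


def decide(profile, name, args=()):
    """Return the seccomp action for syscall `name` called with `args`.

    Missing arguments are treated as 0; a rule matches only when every
    argument condition holds; the first matching rule wins.
    """
    for rule in profile["syscalls"]:
        if name not in rule["names"]:
            continue
        conds = rule.get("args", [])
        if all(_arg_matches(c, args[c["index"]] if c["index"] < len(args) else 0)
               for c in conds):
            return rule["action"]
    return profile["defaultAction"]


if __name__ == "__main__":
    for call, argv in [("read", ()), ("keyctl", ()), ("unshare", (CLONE_NEWUSER,)),
                       ("clone", (SIGCHLD,)), ("clone", (CLONE_NEWUSER | SIGCHLD,))]:
        print(f"{call:8s} {argv} -> {decide(PROFILE, call, argv)}")
```

One caveat when reading the real profile: Docker attaches the argument-filtered clone rule only to containers that do not hold CAP_SYS_ADMIN; give a container that capability and the namespace restriction is lifted along with it.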
Seccomp in Kubernetes
Pushing towards sane defaults:
- Whitelist
- Prevent cloning new unprivileged user namespaces (has a high rate of past CVEs)
- Prevent ~150 other syscalls which are uncommon or dangerous

The profile is selected per container through an alpha annotation keyed on the container name:

apiVersion: v1
kind: Pod
metadata:
  name: hello-nginx
  annotations:
    container.seccomp.security.alpha.kubernetes.io/nginx: docker/default
spec:
  containers:
  - name: nginx
    image: nginx
    command: ["nginx", "-g", "daemon off;"]
SELinux
Provides a mechanism for supporting access control security policies, including mandatory access controls.
Controls over file systems, directories, files, and open file descriptors.
Controls individual labels and controls for kernel objects and services.
SELinux in Docker
Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container.
Without a label, the security system might prevent the processes running inside the container from using the content.
Docker allows relabeling file objects on volumes: the :z suffix on a -v mount gives the content a label shared between containers, :Z a label private to that one container.
SELinux policy for the Docker daemon.
SELinux in Kubernetes
Apply SELinux labels to volumes through seLinuxOptions in the pod's securityContext. (readOnlyRootFilesystem is a container-level field, so it belongs under the container's securityContext rather than the pod's.)

apiVersion: v1
kind: Pod
metadata:
  name: hello-nginx
spec:
  containers:
  - name: nginx
    image: nginx
    command: ["nginx", "-g", "daemon off;"]
    securityContext:
      capabilities:
        drop:
        - NET_RAW
      readOnlyRootFilesystem: true
    volumeMounts:
    ...
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
    runAsNonRoot: true
  volumes: ...
No New Privileges
A Linux flag (no_new_privs) that is inherited across `fork` and `clone` and preserved across `execve`, to prevent new privileges from being added to a process: with it set, setuid/setgid bits and file capabilities grant nothing on exec.
No New Privileges in Docker
Not applied by default. Enable it per container with --security-opt no-new-privileges, or for every container through the daemon's no-new-privileges setting.
No New Privileges in Kubernetes
Goal: on by default for all containers, without breaking setuid binaries (in later releases this is controlled per container by the securityContext field allowPrivilegeEscalation).
Security Context in Kubernetes
RunAsNonRoot: set containers to only run as a non-root user
ReadOnlyRootFilesystem: set the container filesystem as read-only
Capabilities: set containers to run with specific capabilities
Security Context in Kubernetes
One manifest carrying all three settings: runAsNonRoot at the pod level, readOnlyRootFilesystem and the capability set on the container (readOnlyRootFilesystem is a container-level field, so it sits under the container's securityContext).

apiVersion: v1
kind: Pod
metadata:
  name: hello-nginx
spec:
  containers:
  - name: nginx
    image: nginx
    command: ["nginx", "-g", "daemon off;"]
    securityContext:
      capabilities:
        drop:
        - NET_RAW
      readOnlyRootFilesystem: true
    volumeMounts:
    ...
  securityContext:
    seLinuxOptions:
      level: "s0:c123,c456"
    runAsNonRoot: true
  volumes: ...
Pod Security Policy in Kubernetes
A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access.
The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system.
Pod Security Policy fields

privileged
Allows or denies running of privileged containers. Default deny.

defaultAddCapabilities
Default set of capabilities that will be added to a container. Capability names are written without the CAP_ prefix (AUDIT_WRITE, KILL, NET_BIND_SERVICE).

requiredDropCapabilities
Capabilities that will be dropped from a container (e.g. NET_RAW).

allowedCapabilities
Capabilities a container can request to be added (e.g. NET_ADMIN).

volumes
Controls the usage of volume types; defines which ones are allowed. '*' allows every type; a list such as 'hostPath', 'gcePersistentDisk' allows only those. hostPath hands the pod a piece of the node's filesystem, so leave it out of a policy meant to be restrictive.

hostPorts
Controls the use of host ports; defines an allowed range. Default empty. A list of HostPortRange, each defined by min (inclusive) and max (inclusive), which together define the allowed host ports.

hostPID
Allows or denies the use of the host's PID namespace. Default deny.

hostIPC
Allows or denies the use of the host's IPC namespace. Default deny.

seLinux
MustRunAs: requires seLinuxOptions to be configured if not using pre-allocated values. Uses seLinuxOptions as the default. Validates against seLinuxOptions.
RunAsAny: no default provided. Allows any seLinuxOptions to be specified.

runAsUser
MustRunAs: requires a range to be configured. Uses the first value of the range as the default. Validates against the range.
MustRunAsNonRoot: requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined in the image.
RunAsAny: no default provided. Allows any runAsUser to be specified.

supplementalGroups
MustRunAs: requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against all ranges.
RunAsAny: no default provided. Allows any supplementalGroups to be specified.

fsGroup
MustRunAs: requires at least one range to be specified. Uses the minimum value of the first range as the default. Validates against the first ID in the first range.
RunAsAny: no default provided. Allows any fsGroup ID to be specified.

readOnlyRootFilesystem
Requires the use of a read-only root file system.

The slides build these fields up one at a time on a single "restrictive" policy; here it is once with every field they touch (capability names in the CAP_-less form Kubernetes expects, hostPorts as the list the API requires):

apiVersion: extensions/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restrictive
spec:
  privileged: false
  hostPID: false
  hostIPC: false
  readOnlyRootFilesystem: true
  defaultAddCapabilities:
  - AUDIT_WRITE
  - KILL
  - NET_BIND_SERVICE
  requiredDropCapabilities:
  - NET_RAW
  allowedCapabilities:
  - NET_ADMIN
  seLinux:
    rule: RunAsAny
  supplementalGroups:
    rule: RunAsAny
  runAsUser:
    rule: MustRunAsNonRoot
  fsGroup:
    rule: RunAsAny
  hostPorts:
  - min: 8000
    max: 8080
  volumes:
  - '*'
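An added example (not code from the talk or from Kubernetes) of what the PodSecurityPolicy admission controller does with the fields above, written in Python: it first applies the policy's defaults to the pod (defaultAddCapabilities, requiredDropCapabilities, readOnlyRootFilesystem, and the first value of the range for a MustRunAs uid) and only then validates, collecting every violation rather than stopping at the first. The policy is the slides' restrictive policy merged into one object with a narrower volume list; the two pods, the image names and the port numbers are constructed for the demo.

```python
"""Admit a Pod spec against a PodSecurityPolicy: default, then validate.

Added example, not code from the talk or from Kubernetes. It models the
PodSecurityPolicy admission controller for the fields on these slides,
in the order the controller applies them: mutate the pod with the policy's
defaults first, then validate and collect every violation. Objects are
plain dicts in the shape of the slides' YAML; the pods are constructed.
"""
import copy

RESTRICTIVE_PSP = {   # the slides' "restrictive" policy, merged into one object
    "privileged": False, "hostPID": False, "hostIPC": False,
    "readOnlyRootFilesystem": True,
    "defaultAddCapabilities": ["AUDIT_WRITE", "KILL", "NET_BIND_SERVICE"],
    "requiredDropCapabilities": ["NET_RAW"],
    "allowedCapabilities": ["NET_ADMIN"],
    "volumes": ["configMap", "secret", "emptyDir", "gcePersistentDisk"],
    "hostPorts": [{"min": 8000, "max": 8080}],
    "runAsUser": {"rule": "MustRunAsNonRoot"},
}

GOOD_POD = {"metadata": {"name": "hello-nginx"}, "spec": {   # constructed
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000},
    "containers": [{"name": "nginx", "image": "nginx",
                    "securityContext": {"readOnlyRootFilesystem": True},
                    "ports": [{"containerPort": 80, "hostPort": 8080}]}],
    "volumes": [{"name": "cfg", "configMap": {"name": "nginx-conf"}}]}}

BAD_POD = {"metadata": {"name": "debug"}, "spec": {           # constructed
    "hostPID": True,
    "containers": [{"name": "shell", "image": "busybox",
                    "securityContext": {"privileged": True,
                                        "capabilities": {"add": ["SYS_ADMIN"]}},
                    "ports": [{"containerPort": 22, "hostPort": 22}]}],
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}]}}


def _in_ranges(value, ranges):
    return any(r["min"] <= value <= r["max"] for r in ranges)


def admit(psp, pod):
    """Return (mutated_pod, violations); the pod is admitted iff violations == []."""
    pod = copy.deepcopy(pod)
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    out = []

    for ns in ("hostPID", "hostIPC", "hostNetwork"):
        if spec.get(ns) and not psp.get(ns, False):
            out.append(f"{ns} is not allowed")

    allowed_volumes = set(psp.get("volumes", []))
    for vol in spec.get("volumes", []):
        for kind in (k for k in vol if k != "name"):   # the non-name key is the source type
            if "*" not in allowed_volumes and kind not in allowed_volumes:
                out.append(f"volume {vol['name']}: type {kind} is not allowed")

    allowed_caps = set(psp.get("allowedCapabilities", [])) | set(psp.get("defaultAddCapabilities", []))
    rule = psp.get("runAsUser", {"rule": "RunAsAny"})

    for c in spec.get("containers", []):
        name = c["name"]
        sc = c.setdefault("securityContext", {})
        caps = sc.setdefault("capabilities", {})
        # Mutate: policy defaults (dict.fromkeys keeps order and drops duplicates).
        caps["add"] = list(dict.fromkeys(caps.get("add", []) + psp.get("defaultAddCapabilities", [])))
        caps["drop"] = list(dict.fromkeys(caps.get("drop", []) + psp.get("requiredDropCapabilities", [])))
        if psp.get("readOnlyRootFilesystem") and "readOnlyRootFilesystem" not in sc:
            sc["readOnlyRootFilesystem"] = True
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if rule["rule"] == "MustRunAs" and uid is None:
            uid = sc["runAsUser"] = rule["ranges"][0]["min"]   # first value of the range
        # Validate.
        if sc.get("privileged") and not psp.get("privileged", False):
            out.append(f"container {name}: privileged containers are not allowed")
        for cap in caps["add"]:
            if "*" not in allowed_caps and cap not in allowed_caps:
                out.append(f"container {name}: capability {cap} may not be added")
        if psp.get("readOnlyRootFilesystem") and not sc.get("readOnlyRootFilesystem"):
            out.append(f"container {name}: root filesystem must be read-only")
        for p in c.get("ports", []):
            if "hostPort" in p and not _in_ranges(p["hostPort"], psp.get("hostPorts", [])):
                out.append(f"container {name}: hostPort {p['hostPort']} is outside the allowed ranges")
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if rule["rule"] == "MustRunAsNonRoot":
            if uid == 0:
                out.append(f"container {name}: runAsUser 0 is not allowed")
            elif uid is None and not non_root:
                # With runAsNonRoot set, the kubelet checks the image's USER at start.
                out.append(f"container {name}: must set runAsNonRoot or a non-zero runAsUser")
        elif rule["rule"] == "MustRunAs" and not _in_ranges(uid, rule["ranges"]):
            out.append(f"container {name}: runAsUser {uid} is outside the allowed ranges")
    return pod, out
```

Run admit() on GOOD_POD and the returned pod now carries NET_RAW in its drop list and the three default capabilities in its add list, which is what the cluster actually runs; BAD_POD is rejected for six separate reasons at once (host PID namespace, hostPath volume, privileged, SYS_ADMIN, host port 22, no non-root guarantee), which is the output you want from an admission controller so that a user can fix a manifest in one pass.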
Network Policies
Behavior without a network policy: everything can talk to everything.
[Diagram: my-cluster with node-1, node-2 and node-3; the pods in team1-namespace and team2-namespace are all reachable from each other.]
Network isolation with DefaultDeny: explicitly define communication between pods as a whitelist.
[Diagram: the same cluster with the namespaces isolated; only the whitelisted pod-to-pod paths remain.]
Network Policy in Kubernetes
Setting DefaultDeny for a namespace (the annotation form used with the extensions/v1beta1 API; it isolates every pod in the namespace, whether or not a NetworkPolicy selects it):

kind: Namespace
apiVersion: v1
metadata:
  name: my-namespace
  annotations:
    net.beta.kubernetes.io/network-policy: |
      {
        "ingress": {
          "isolation": "DefaultDeny"
        }
      }
Explicitly define communication between pods. This policy lets role=frontend pods in my-namespace, and any pod in a namespace labelled project=myproject, reach role=db pods on TCP 6379; everything else into role=db stays denied. (The protocol value is TCP, upper case, as the API validates it.)

apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: my-network-policy
  namespace: my-namespace
spec:
  podSelector:
    matchLabels:
      role: db
  ingress:
  - from:
    - namespaceSelector:
        matchLabels:
          project: myproject
    - podSelector:
        matchLabels:
          role: frontend
    ports:
    - protocol: TCP
      port: 6379
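As an added example (not code from the talk, from Kubernetes or from any network plugin), the following Python models the DefaultDeny-plus-whitelist semantics of the two manifests above: whether pod A may send to pod B on a given port, given the namespace isolation annotation and the policy's podSelector, from and ports. The extra namespaces (analytics, sandbox, legacy), the pod names and their labels are constructed for the demo; the policy is the slide's my-network-policy as a dict.

```python
"""Decide whether a pod may receive traffic under the slides' network policy.

Added example, not code from the talk or from Kubernetes (or any CNI
plugin). It models the extensions/v1beta1 semantics shown on the slides:
a namespace annotated with ingress isolation DefaultDeny drops all
ingress to every pod in it, and NetworkPolicy objects then whitelist
traffic for the pods their podSelector matches. Namespaces, pods and the
policy below are constructed for the demo; "analytics", "sandbox" and
"legacy" are assumed namespace names.
"""
import json

ISOLATION_ANNOTATION = "net.beta.kubernetes.io/network-policy"
DEFAULT_DENY = json.dumps({"ingress": {"isolation": "DefaultDeny"}})

NAMESPACES = {   # name -> labels and annotations, as on the Namespace object
    "my-namespace": {"labels": {}, "annotations": {ISOLATION_ANNOTATION: DEFAULT_DENY}},
    "analytics": {"labels": {"project": "myproject"}, "annotations": {}},
    "sandbox": {"labels": {}, "annotations": {}},
    "legacy": {"labels": {}, "annotations": {}},     # no isolation at all
}

PODS = {   # name -> namespace and labels
    "db": {"namespace": "my-namespace", "labels": {"role": "db"}},
    "frontend": {"namespace": "my-namespace", "labels": {"role": "frontend"}},
    "batch": {"namespace": "analytics", "labels": {"role": "batch"}},
    "intruder": {"namespace": "sandbox", "labels": {}},
    "monolith": {"namespace": "legacy", "labels": {}},
}

POLICIES = [{   # the slide's my-network-policy, as a dict
    "namespace": "my-namespace",
    "podSelector": {"matchLabels": {"role": "db"}},
    "ingress": [{
        "from": [{"namespaceSelector": {"matchLabels": {"project": "myproject"}}},
                 {"podSelector": {"matchLabels": {"role": "frontend"}}}],
        "ports": [{"protocol": "TCP", "port": 6379}],
    }],
}]


def _selects(selector, labels):
    """An empty selector matches everything; otherwise every label must match."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def _isolated(namespace):
    raw = NAMESPACES[namespace]["annotations"].get(ISOLATION_ANNOTATION)
    return raw is not None and json.loads(raw).get("ingress", {}).get("isolation") == "DefaultDeny"


def _peer_matches(peer, policy_ns, src):
    # A "from" item with namespaceSelector matches pods in any namespace carrying
    # those labels; one with podSelector matches pods in the policy's own namespace.
    # Separate list items are ORed; selectors inside one item must all hold.
    if "namespaceSelector" in peer:
        if not _selects(peer["namespaceSelector"], NAMESPACES[src["namespace"]]["labels"]):
            return False
    if "podSelector" in peer:
        if src["namespace"] != policy_ns or not _selects(peer["podSelector"], src["labels"]):
            return False
    return True


def ingress_allowed(src_name, dst_name, protocol, port):
    """True if traffic from pod src_name to pod dst_name on protocol/port is allowed."""
    src, dst = PODS[src_name], PODS[dst_name]
    if not _isolated(dst["namespace"]):
        return True                       # no isolation: everything can talk to everything
    for pol in POLICIES:
        if pol["namespace"] != dst["namespace"] or not _selects(pol["podSelector"], dst["labels"]):
            continue
        for rule in pol["ingress"]:
            peers_ok = not rule.get("from") or any(
                _peer_matches(p, pol["namespace"], src) for p in rule["from"])
            ports_ok = not rule.get("ports") or any(
                pp["protocol"] == protocol and pp["port"] == port for pp in rule["ports"])
            if peers_ok and ports_ok:
                return True
    return False                          # DefaultDeny and no whitelist entry
```

Two results are worth checking by hand: the frontend pod is denied when it targets the db pod on TCP 22 (the port list is part of the whitelist), and the db pod cannot reach the frontend pod at all, because DefaultDeny isolates every pod in the namespace and no policy selects the frontend. In the later networking.k8s.io/v1 API the namespace annotation is gone and a pod becomes isolated as soon as any policy selects it, but the evaluation of from and ports is the same.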
Thank you!
@jessfraz
DockerCon 2022 - From legacy to Kubernetes, securely & quickly
 
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
Getting More Out of the Node.js, PHP, and Python Agents - AppSphere16
 
Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3Digital Forensics and Incident Response in The Cloud Part 3
Digital Forensics and Incident Response in The Cloud Part 3
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
 
[Global logic] container runtimes and kubernetes
[Global logic] container runtimes and kubernetes[Global logic] container runtimes and kubernetes
[Global logic] container runtimes and kubernetes
 
Securing your Container Environment with Open Source
Securing your Container Environment with Open SourceSecuring your Container Environment with Open Source
Securing your Container Environment with Open Source
 
Kubernetes security
Kubernetes securityKubernetes security
Kubernetes security
 
Fandogh Cloud workshop slides
Fandogh Cloud workshop slides Fandogh Cloud workshop slides
Fandogh Cloud workshop slides
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
IAU workshop 2018 day one
IAU workshop 2018 day oneIAU workshop 2018 day one
IAU workshop 2018 day one
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
Drupal Dev Days Vienna 2023 - What is the secure software supply chain and th...
 
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
gVisor, Kata Containers, Firecracker, Docker: Who is Who in the Container Space?
 
Kubernetes basics and hands on exercise
Kubernetes basics and hands on exerciseKubernetes basics and hands on exercise
Kubernetes basics and hands on exercise
 
stackconf 2020 | SecDevOps containers by Jose Ortega
stackconf 2020 | SecDevOps containers by Jose Ortegastackconf 2020 | SecDevOps containers by Jose Ortega
stackconf 2020 | SecDevOps containers by Jose Ortega
 
SecDevOps containers
SecDevOps containersSecDevOps containers
SecDevOps containers
 

Recently uploaded

Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
Mydbops
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
DianaGray10
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
christinelarrosa
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
Vadym Kazulkin
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
DianaGray10
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
c5vrf27qcz
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
christinelarrosa
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
Alex Pruden
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
Neo4j
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
Fwdays
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
MichaelKnudsen27
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
BibashShahi
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
Jason Yip
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
ScyllaDB
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
Neo4j
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
DanBrown980551
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
Edge AI and Vision Alliance
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Neo4j
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
LizaNolte
 

Recently uploaded (20)

Must Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during MigrationMust Know Postgres Extension for DBA and Developer during Migration
Must Know Postgres Extension for DBA and Developer during Migration
 
What is an RPA CoE? Session 2 – CoE Roles
What is an RPA CoE?  Session 2 – CoE RolesWhat is an RPA CoE?  Session 2 – CoE Roles
What is an RPA CoE? Session 2 – CoE Roles
 
Christine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptxChristine's Product Research Presentation.pptx
Christine's Product Research Presentation.pptx
 
High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024High performance Serverless Java on AWS- GoTo Amsterdam 2024
High performance Serverless Java on AWS- GoTo Amsterdam 2024
 
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectorsConnector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
Connector Corner: Seamlessly power UiPath Apps, GenAI with prebuilt connectors
 
Y-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PPY-Combinator seed pitch deck template PP
Y-Combinator seed pitch deck template PP
 
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptxPRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
PRODUCT LISTING OPTIMIZATION PRESENTATION.pptx
 
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
zkStudyClub - LatticeFold: A Lattice-based Folding Scheme and its Application...
 
Leveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and StandardsLeveraging the Graph for Clinical Trials and Standards
Leveraging the Graph for Clinical Trials and Standards
 
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba"NATO Hackathon Winner: AI-Powered Drug Search",  Taras Kloba
"NATO Hackathon Winner: AI-Powered Drug Search", Taras Kloba
 
Nordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptxNordic Marketo Engage User Group_June 13_ 2024.pptx
Nordic Marketo Engage User Group_June 13_ 2024.pptx
 
Principle of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptxPrinciple of conventional tomography-Bibash Shahi ppt..pptx
Principle of conventional tomography-Bibash Shahi ppt..pptx
 
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
[OReilly Superstream] Occupy the Space: A grassroots guide to engineering (an...
 
ScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking ReplicationScyllaDB Tablets: Rethinking Replication
ScyllaDB Tablets: Rethinking Replication
 
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge GraphGraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
GraphRAG for LifeSciences Hands-On with the Clinical Knowledge Graph
 
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
LF Energy Webinar: Carbon Data Specifications: Mechanisms to Improve Data Acc...
 
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
“Temporal Event Neural Networks: A More Efficient Alternative to the Transfor...
 
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and BioinformaticiansBiomedical Knowledge Graphs for Data Scientists and Bioinformaticians
Biomedical Knowledge Graphs for Data Scientists and Bioinformaticians
 
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance PanelsNorthern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
Northern Engraving | Modern Metal Trim, Nameplates and Appliance Panels
 
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham HillinQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
inQuba Webinar Mastering Customer Journey Management with Dr Graham Hill
 

Security in a containerized world - Jessie Frazelle

Slide 1: Security in a Containerized World (#ContainerDayFR)

Slide 2: Paris Container Day 2017. Jessie Frazelle, Software Engineer, Googler. I have contributed to many open source projects including Docker, Go, Kubernetes, Runc, & the Linux kernel. Focus on runtime security for containers.

Slides 3-4: A brief history of containers and Paris... Paris is the true home of containers.

Slides 5-6: (image slides, no text)

Slide 7: Security Models

Slide 8: Security Model: Stages
- Single tenant, multi-identities: multi-user, but no hard enforcement; the cluster still has to be treated as one trust boundary.
- Cooperative soft multi-tenancy (Kubernetes 1.6+): multi-user with fine-grained authorization, possibly not fully hardened. Often good enough for multi-tenancy inside a single company (bad actors can be fired).
- Hard multi-tenancy (long-term goal): multi-tenant security boundaries more strongly enforced, better resource isolation; e.g. comfortable running code from multiple third parties on the same cluster.

Slide 9: Project/Cluster as Boundary
- Authorization permissions granted at project/cluster level
- All nodes have the same authenticated identity
- All pods have the same authorization permissions
- All pods have full network access
(Diagram: my-project/my-cluster with node-1, node-2 and node-3, each running team1-fe, team1-db, team2-fe and team2-db pods.)

Slide 10: Namespace/Pod as a Boundary
- Authorization permissions granted at namespace/resource level
- Nodes have individual identities with per-node permissions
- Pods have identity with fine-grained permissions
- Pods' network access can be limited to what's necessary
(Diagram: my-cluster with node-1, node-2 and node-3; the team1-fe/team1-db and team2-fe/team2-db pods are grouped into team1-namespace and team2-namespace.)

Slide 11: Per-namespace/per-resource permissions. Move from: everything has root-in-cluster. To: users and system components have least privilege. Examples: Alice can list Eng services, but not HR; Bob can create Pods in the Test namespace, not Prod; the scheduler can read Pods but not Secrets.

Slide 12: Per-node identity & permissions. Move from: all nodes have vast permissions. To: each node has least privilege. Examples: a node can only get info about Pods scheduled on it; a compromised node doesn't allow additional escalation through the Kubernetes API.

Slide 13: Pod identity & permissions. Move from: running workloads have full system access by default. To: workloads must be granted permissions. Example: a running workload can list other objects in its namespace, but not outside of it.

Slide 14: Network policy. Move from: all workloads receive traffic from anywhere on the network. To: network connectivity is controllable by policy. Example: the frontend layer can only communicate with the application layer, not other frontends.
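The least-privilege examples on slides 11-13 (Alice, Bob, the scheduler) all come down to one question: does some binding grant this subject this verb on this resource in this namespace, with deny as the default? The following is an added example, not code from the talk and not the Kubernetes authorizer itself. It implements that check in the style of RBAC rule matching; the subjects, namespaces and rules are constructed for the example.

```python
"""Least-privilege authorization check in the style of Kubernetes RBAC.

Added example for this page; it is not the Kubernetes authorizer. It encodes
the three examples from the slides (Alice, Bob, the scheduler) as rule sets
bound to subjects and answers "may this subject do this verb on this resource
in this namespace?". Subjects, namespaces and rules are constructed.
"""


def _rule_matches(rule, verb, resource):
    # "*" in either field acts as a wildcard, as in an RBAC PolicyRule
    return ((verb in rule["verbs"] or "*" in rule["verbs"])
            and (resource in rule["resources"] or "*" in rule["resources"]))


def authorize(bindings, subject, verb, resource, namespace):
    """True only if some binding for `subject` carries a rule permitting the request.

    A namespaced binding (like a RoleBinding) applies only inside its namespace;
    a cluster-wide binding (namespace None, like a ClusterRoleBinding) applies
    everywhere. There are no deny rules: the default is deny, so least privilege
    is whatever the bindings fail to grant.
    """
    for binding in bindings:
        if subject not in binding["subjects"]:
            continue
        if binding["namespace"] is not None and binding["namespace"] != namespace:
            continue
        if any(_rule_matches(r, verb, resource) for r in binding["rules"]):
            return True
    return False


# constructed bindings mirroring slides 11-13
BINDINGS = [
    # Alice can list Eng services, but not HR
    {"subjects": {"alice"}, "namespace": "eng",
     "rules": [{"verbs": {"get", "list"}, "resources": {"services"}}]},
    # Bob can create Pods in the Test namespace, not Prod
    {"subjects": {"bob"}, "namespace": "test",
     "rules": [{"verbs": {"create"}, "resources": {"pods"}}]},
    # the scheduler can read Pods cluster-wide, but not Secrets
    {"subjects": {"system:kube-scheduler"}, "namespace": None,
     "rules": [{"verbs": {"get", "list", "watch"}, "resources": {"pods"}}]},
]

if __name__ == "__main__":
    for req in [("alice", "list", "services", "eng"), ("alice", "list", "services", "hr"),
                ("bob", "create", "pods", "test"), ("bob", "create", "pods", "prod"),
                ("system:kube-scheduler", "get", "pods", "prod"),
                ("system:kube-scheduler", "get", "secrets", "prod")]:
        print(req, "allowed" if authorize(BINDINGS, *req) else "denied")
```

The scheduler binding has `namespace: None` to model a cluster-wide grant; everything else is scoped, so the same subject asking in a different namespace falls through to the default deny.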
Slide 15: Runtime Security

Slides 16-19: What is a sandbox? It provides a net reduction in attack surface. Compare code execution from inside and outside the sandbox: are more or fewer things possible now?

Slides 20-25: Chrome Sandbox. Each tab gets its own pid namespace. What's a pid namespace? It is used to isolate the process ID number space. Chrome also uses unprivileged user namespaces and network namespaces, and Seccomp-BPF.

Slides 26-29: What is Seccomp? SECure COMPuting with filters: it allows developers to write BPF programs that determine whether a given system call will be allowed or not. What is BPF? Berkeley Packet Filter, an in-kernel bytecode machine that is used for tracing, virtual networks, seccomp... and more.

Slide 30: Let's apply these same principles to containers...

Slide 31: What is a container? Namespaces control what a process can see: PID, Mount, Network, UTS, IPC, User, Cgroup.

Slide 32: What is a container? Cgroups control what a process can use: Memory, CPU, Blkio, Cpuacct, Cpuset, Devices, Net_prio, Freezer.

Slide 33: AppArmor. A Linux Security Module that can control and audit various process actions such as file operations (read, write, execute, etc.) and system functions (mount, network tcp, etc.).

Slide 34: AppArmor in Docker. Sane defaults: preventing writes to /proc/{num}, /proc/sys and /sys; preventing mount.

Slide 35: AppArmor in Kubernetes. Getting towards sane defaults (the same restrictions: no writes to /proc/{num}, /proc/sys, /sys; no mount), applied per container through an annotation:

    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-nginx
      annotations:
        container.apparmor.security.beta.kubernetes.io/nginx: runtime/default
    spec:
      containers:
      - name: nginx
        image: nginx
        command: ["nginx", "-g", "daemon off;"]

Slide 36: Seccomp. Syscall filters allow an application to define what syscalls it allows or denies.

Slides 37-38: Seccomp in Docker. Docker's default seccomp profile is a whitelist which specifies the calls that are allowed. It blocks a bunch of bad stuff, including but not limited to the following...

Slide 39: Seccomp in Docker: add_key, keyctl, request_key. Prevent containers from using the kernel keyring, which is not namespaced.

Slide 40: Seccomp in Docker: clone, unshare. Deny cloning/unsharing new namespaces. Also gated by CAP_SYS_ADMIN for CLONE_* flags, except CLONE_NEWUSER, which has a history of vulns.

Slide 41: Seccomp in Kubernetes. Pushing towards sane defaults: whitelist; prevent cloning new unprivileged user namespaces (has a high rate of past CVEs); prevent ~150 other syscalls which are uncommon or dangerous. Applied per container through an annotation:

    apiVersion: v1
    kind: Pod
    metadata:
      name: hello-nginx
      annotations:
        container.seccomp.security.alpha.kubernetes.io/nginx: docker/default
    spec:
      containers:
      - name: nginx
        image: nginx
        command: ["nginx", "-g", "daemon off;"]
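Slides 26-29 and 36-41 describe seccomp as a BPF program that decides per syscall, and Docker's default profile as a whitelist that denies the keyring and namespace syscalls. The following added example (not code from the talk, Docker or Kubernetes) shows what such a whitelist looks like at the instruction level: it builds a classic-BPF filter that allows a constructed set of x86_64 syscall numbers and returns EPERM for everything else, interprets the filter in userspace so the decisions can be checked without touching the kernel, and provides an `install()` that applies it with `prctl`, setting `no_new_privs` first because the kernel requires that for an unprivileged caller. Opcodes, return values, syscall numbers and the `seccomp_data` layout are the Linux x86_64 ABI; the allowed set and the helper names are assumptions of the example.

```python
"""Build and simulate a seccomp-BPF syscall whitelist (x86_64).

Added example for this page; not code from the talk, Docker or Kubernetes.
Shape of the filter: allow listed syscall numbers, return EPERM otherwise,
kill on an unexpected architecture. The allowed set below is constructed.
"""
import ctypes
import errno
import struct

# classic BPF opcode bits (linux/filter.h)
BPF_LD, BPF_W, BPF_ABS = 0x00, 0x00, 0x20
BPF_JMP, BPF_JEQ, BPF_K = 0x05, 0x10, 0x00
BPF_RET = 0x06
LOAD_ABS = BPF_LD | BPF_W | BPF_ABS   # A = seccomp_data[k]
JEQ_K = BPF_JMP | BPF_JEQ | BPF_K     # if A == k: pc += jt else pc += jf
RET_K = BPF_RET | BPF_K               # return k

# seccomp return values (linux/seccomp.h); ERRNO carries the errno in the low 16 bits
SECCOMP_RET_KILL_PROCESS = 0x80000000
SECCOMP_RET_ERRNO = 0x00050000
SECCOMP_RET_ALLOW = 0x7FFF0000
SECCOMP_RET_ACTION_MASK = 0xFFFF0000

AUDIT_ARCH_X86_64 = 0xC000003E
OFF_NR, OFF_ARCH = 0, 4   # struct seccomp_data { int nr; u32 arch; u64 ip; u64 args[6]; }

# x86_64 syscall numbers for the syscalls used in this example
SYSCALLS = {"read": 0, "write": 1, "close": 3, "clone": 56, "exit_group": 231,
            "add_key": 248, "request_key": 249, "keyctl": 250, "unshare": 272}


def build_whitelist(allowed_names):
    """Return (code, jt, jf, k) tuples that allow `allowed_names` and deny the rest."""
    nrs = sorted(SYSCALLS[n] for n in allowed_names)
    assert len(nrs) <= 255, "jt is an 8-bit offset; chain filters for larger lists"
    prog = [
        (LOAD_ABS, 0, 0, OFF_ARCH),
        (JEQ_K, 1, 0, AUDIT_ARCH_X86_64),         # wrong arch -> fall into kill
        (RET_K, 0, 0, SECCOMP_RET_KILL_PROCESS),
        (LOAD_ABS, 0, 0, OFF_NR),
    ]
    for i, nr in enumerate(nrs):
        # on match, skip the remaining compares and the EPERM return -> ALLOW
        prog.append((JEQ_K, len(nrs) - i, 0, nr))
    prog.append((RET_K, 0, 0, SECCOMP_RET_ERRNO | errno.EPERM))
    prog.append((RET_K, 0, 0, SECCOMP_RET_ALLOW))
    return prog


def evaluate(prog, nr, arch=AUDIT_ARCH_X86_64):
    """Interpret `prog` for one syscall entry the way the kernel's cBPF engine does."""
    data = struct.pack("<iIQ6Q", nr, arch, 0, 0, 0, 0, 0, 0, 0)
    pc, acc = 0, 0
    while pc < len(prog):
        code, jt, jf, k = prog[pc]
        if code == LOAD_ABS:
            acc = struct.unpack_from("<I", data, k)[0]
            pc += 1
        elif code == JEQ_K:
            pc += 1 + (jt if acc == k else jf)
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")
    raise ValueError("filter fell off the end")


def decision(prog, name):
    """Map the filter's return value for a named syscall to 'allow', an errno name, or 'kill'."""
    ret = evaluate(prog, SYSCALLS[name])
    action = ret & SECCOMP_RET_ACTION_MASK
    if action == SECCOMP_RET_ALLOW:
        return "allow"
    if action == SECCOMP_RET_ERRNO:
        return errno.errorcode[ret & 0xFFFF]
    return "kill"


class SockFilter(ctypes.Structure):
    _fields_ = [("code", ctypes.c_uint16), ("jt", ctypes.c_uint8),
                ("jf", ctypes.c_uint8), ("k", ctypes.c_uint32)]


class SockFprog(ctypes.Structure):
    _fields_ = [("len", ctypes.c_uint16), ("filter", ctypes.POINTER(SockFilter))]


PR_SET_NO_NEW_PRIVS, PR_SET_SECCOMP, SECCOMP_MODE_FILTER = 38, 22, 2


def install(prog):
    """Apply the filter to the calling process (Linux only, irreversible).

    PR_SET_NO_NEW_PRIVS (the no_new_privs flag) must be set first unless the
    caller has CAP_SYS_ADMIN; every child inherits the filter across fork/execve.
    """
    libc = ctypes.CDLL(None, use_errno=True)
    insns = (SockFilter * len(prog))(*[SockFilter(*i) for i in prog])
    fprog = SockFprog(len(prog), ctypes.cast(insns, ctypes.POINTER(SockFilter)))
    if libc.prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_NO_NEW_PRIVS failed")
    if libc.prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ctypes.byref(fprog), 0, 0) != 0:
        raise OSError(ctypes.get_errno(), "PR_SET_SECCOMP failed")


# constructed allow list: enough to do I/O and exit, none of the keyring or
# namespace syscalls that the deck says Docker's default profile denies
ALLOWED = ["read", "write", "close", "exit_group"]

if __name__ == "__main__":
    prog = build_whitelist(ALLOWED)
    for name in sorted(SYSCALLS):
        print(f"{name:12s} {decision(prog, name)}")
```

The architecture check at the top is what keeps a 32-bit-ABI syscall from being matched against 64-bit numbers; a real profile like Docker's also filters `clone` by its flags argument rather than denying it outright, which this whitelist does not attempt.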
  • 42. #ContainerDayFRParis Container Day 2017 Provides a mechanism for supporting access control security policies, including mandatory access controls. Controls over file systems, directories, files, and open file descriptors. Controls individual labels and controls for kernel objects and services. SELinux Security in a Containerized World 42 AppArmor Seccomp SELinux
  • 43. #ContainerDayFRParis Container Day 2017 SELinux Labeling systems like SELinux require that proper labels are placed on volume content mounted into a container. Without a label, the security system might prevent the processes running inside the container from using the content. Allows relabeling file objects on Docker volumes. Security in a Containerized World 43 in Docker
  • 44. #ContainerDayFRParis Container Day 2017 SELinux SELinux Policy for docker daemon. Security in a Containerized World 44 in Docker
  • 45. #ContainerDayFRParis Container Day 2017 SELinux Apply SELinux labels to volumes. Security in a Containerized World 45 in Kubernetes apiVersion: v1 kind: Pod metadata: name: hello-nginx spec: containers: - name: nginx image: nginx command: ["nginx", "-g", "daemon off;"] securityContext: capabilities: drop: - NET_RAW volumeMounts: ... securityContext: seLinuxOptions: level: "s0:c123,c456" readOnlyRootFilesystem: true runAsNonRoot: true volumes: ...
  • 46. #ContainerDayFRParis Container Day 2017 A Linux flag (no_new_privs) that’s carried over `fork`, `clone`, and `execve` to prevent new privileges from being added to a process. No New Privileges Security in a Containerized World 46 AppArmor Seccomp SELinux No new privs
  • 47. #ContainerDayFRParis Container Day 2017 No New Privileges Not applied by default unless set by the Docker daemon. Security in a Containerized World 47 in Docker
  • 48. #ContainerDayFRParis Container Day 2017 No New Privileges On by default for all containers without breaking setuid binaries. Security in a Containerized World 48 in Kubernetes
  • 49. #ContainerDayFRParis Container Day 2017 RunAsNonRoot: Set containers to only run as a non-root user Security Context Security in a Containerized World 49 in Kubernetes
  • 50. #ContainerDayFRParis Container Day 2017 RunAsNonRoot: Set containers to only run as a non-root user ReadOnlyRootFilesystem: Set container filesystem as read-only Security Context Security in a Containerized World 50 in Kubernetes
  • 51. #ContainerDayFRParis Container Day 2017 RunAsNonRoot: Set containers to only run as a non-root user ReadOnlyRootFilesystem: Set container filesystem as read-only Capabilities: Set containers to run with specific Capabilities Security Context Security in a Containerized World 51 in Kubernetes
  • 52. #ContainerDayFRParis Container Day 2017 RunAsNonRoot Set containers to only run as a non-root user Security in a Containerized World 52 Security Context in Kubernetes apiVersion: v1 kind: Pod metadata: name: hello-nginx spec: containers: - name: nginx image: nginx command: ["nginx", "-g", "daemon off;"] securityContext: capabilities: drop: - NET_RAW volumeMounts: ... securityContext: seLinuxOptions: level: "s0:c123,c456" readOnlyRootFilesystem: true runAsNonRoot: true volumes: ...
  • 53. #ContainerDayFRParis Container Day 2017 ReadOnlyRootFilesystem Set container filesystem as read-only Security in a Containerized World 53 Security Context in Kubernetes apiVersion: v1 kind: Pod metadata: name: hello-nginx spec: containers: - name: nginx image: nginx command: ["nginx", "-g", "daemon off;"] securityContext: capabilities: drop: - NET_RAW volumeMounts: ... securityContext: seLinuxOptions: level: "s0:c123,c456" readOnlyRootFilesystem: true runAsNonRoot: true volumes: ...
  • 54. #ContainerDayFRParis Container Day 2017 Capabilities Set containers to run with specific Capabilities Security in a Containerized World 54 Security Context in Kubernetes apiVersion: v1 kind: Pod metadata: name: hello-nginx spec: containers: - name: nginx image: nginx command: ["nginx", "-g", "daemon off;"] securityContext: capabilities: drop: - NET_RAW volumeMounts: ... securityContext: seLinuxOptions: level: "s0:c123,c456" readOnlyRootFilesystem: true runAsNonRoot: true volumes: ...
  • 55. #ContainerDayFRParis Container Day 2017 A Pod Security Policy is a cluster-level resource that controls the actions that a pod can perform and what it has the ability to access. The PodSecurityPolicy objects define a set of conditions that a pod must run with in order to be accepted into the system. Pod Security Policy Security in a Containerized World 55 in Kubernetes
  • 56. #ContainerDayFRParis Container Day 2017 Privileged Allows or denies running of privileged containers. Default deny. Security in a Containerized World 56 Pod Security Policy in Kubernetes apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restrictive spec: privileged: false seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: min: 8000 max: 8080 volumes: - '*'
  • 57. #ContainerDayFRParis Container Day 2017 defaultAddCapabilities Default set of capabilities that will be added to a container. Security in a Containerized World 57 Pod Security Policy in Kubernetes apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restrictive spec: privileged: false seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny defaultAddCapabilities: - ‘CAP_AUDIT_WRITE’ - ‘CAP_KILL’ - ‘CAP_NET_BIND_SERVICE’ fsGroup: rule: RunAsAny hostPorts: min: 8000 max: 8080 volumes: - '*'
  • 58. #ContainerDayFRParis Container Day 2017 requiredDropCapabilities Capabilities that will be dropped from a container. Security in a Containerized World 58 Pod Security Policy in Kubernetes apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restrictive spec: privileged: false seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny requiredDropCapabilities: - ‘CAP_NEW_RAW’ runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: min: 8000 max: 8080 volumes: - '*'
  • 59. #ContainerDayFRParis Container Day 2017 allowedCapabilities Capabilities a container can request to be added. Security in a Containerized World 59 Pod Security Policy in Kubernetes apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restrictive spec: privileged: false seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny allowedCapabilities: - ‘CAP_NEW_ADMIN’ runAsUser: rule: RunAsAny fsGroup: rule: RunAsAny hostPorts: min: 8000 max: 8080 volumes: - '*'
  • 60. Pod Security Policy in Kubernetes: volumes. Controls the usage of volume types; defines which ones are allowed.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: RunAsAny
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - 'hostPath'
          - 'gcePersistentDisk'
  • 61. Pod Security Policy in Kubernetes: hostPorts. Controls the use of host ports; defines an allowed range. Default empty. A list of HostPortRange entries, each defined by min (inclusive) and max (inclusive), which together define the allowed host ports.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: RunAsAny
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - '*'
  • 62. Pod Security Policy in Kubernetes: hostPID. Allows or denies the use of the host's PID namespace. Default deny.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          hostPID: false
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: RunAsAny
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - '*'
  • 63. Pod Security Policy in Kubernetes: hostIPC. Allows or denies the use of the host's IPC namespace. Default deny.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          hostPID: false
          hostIPC: false
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: RunAsAny
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - '*'
  • 64. Pod Security Policy in Kubernetes: seLinux. MustRunAs: requires seLinuxOptions to be configured if not using pre-allocated values; uses seLinuxOptions as the default; validates against seLinuxOptions. RunAsAny: no default provided; allows any seLinuxOptions to be specified.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: RunAsAny
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - '*'
  • 65. Pod Security Policy in Kubernetes: runAsUser. MustRunAs: requires a range to be configured; uses the first value of the range as the default; validates against the range. MustRunAsNonRoot: requires that the pod be submitted with a non-zero runAsUser or have the USER directive defined in the image. RunAsAny: no default provided; allows any runAsUser to be specified.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: MustRunAsNonRoot
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - '*'
  • 66. Pod Security Policy in Kubernetes: supplementalGroups. MustRunAs: requires at least one range to be specified; uses the minimum value of the first range as the default; validates against all ranges. RunAsAny: no default provided; allows any supplementalGroups to be specified.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: RunAsAny
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - '*'
  • 67. Pod Security Policy in Kubernetes: fsGroup. MustRunAs: requires at least one range to be specified; uses the minimum value of the first range as the default; validates against the first ID in the first range. RunAsAny: no default provided; allows any fsGroup ID to be specified.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: RunAsAny
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - '*'
  • 68. Pod Security Policy in Kubernetes: readOnlyRootFilesystem. Requires the use of a read-only root file system.
        apiVersion: extensions/v1beta1
        kind: PodSecurityPolicy
        metadata:
          name: restrictive
        spec:
          privileged: false
          readOnlyRootFilesystem: true
          seLinux:
            rule: RunAsAny
          supplementalGroups:
            rule: RunAsAny
          runAsUser:
            rule: RunAsAny
          fsGroup:
            rule: RunAsAny
          hostPorts:
          - min: 8000
            max: 8080
          volumes:
          - '*'
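  The slides above describe the two halves of PodSecurityPolicy admission: defaulting (defaultAddCapabilities and requiredDropCapabilities are applied to every container) and validation (privileged, hostPID, runAsUser, allowedCapabilities, hostPorts, readOnlyRootFilesystem). The Go program below is an added example written for this page, not code from the talk or from Kubernetes. It models a subset of the fields with its own constructed types (PodSecurityPolicy, Container, Pod) and a Restrictive value that combines the per-slide settings of the slides' "restrictive" policy, then shows a compliant pod being admitted and a debug-style pod being rejected with one message per broken rule. Capability names follow the Kubernetes convention of omitting the CAP_ prefix. Image metadata is not modelled, so the USER-directive path of MustRunAsNonRoot is not checked, and seLinux, supplementalGroups, fsGroup and volumes are left out.

```go
package main

import "fmt"

// Constructed subset of the PodSecurityPolicy spec fields on the slides (not the Kubernetes API types).
type HostPortRange struct{ Min, Max int32 } // inclusive bounds
type PodSecurityPolicy struct {
	Privileged, HostPID, ReadOnlyRootFilesystem                          bool
	RunAsUserRule                                                        string // "RunAsAny" or "MustRunAsNonRoot"
	DefaultAddCapabilities, RequiredDropCapabilities, AllowedCapabilities []string
	HostPorts                                                            []HostPortRange
}

// Constructed subset of a pod spec and its containers' securityContext.
type Container struct {
	Name                       string
	Privileged, ReadOnlyRootFS bool
	RunAsUser                  *int64 // nil: runAsUser not set in the pod spec
	AddCaps, DropCaps          []string
	HostPorts                  []int32
}
type Pod struct {
	Name       string
	HostPID    bool
	Containers []Container
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// addMissing returns a copy of list with the names not already present appended.
func addMissing(list, names []string) []string {
	out := append([]string(nil), list...)
	for _, n := range names {
		if !contains(out, n) {
			out = append(out, n)
		}
	}
	return out
}

// ApplyDefaults is the mutating half of admission: every container gets the policy's
// defaultAddCapabilities added and requiredDropCapabilities dropped.
func ApplyDefaults(psp PodSecurityPolicy, pod Pod) Pod {
	pod.Containers = append([]Container(nil), pod.Containers...) // copy, so the caller's pod is unchanged
	for i, c := range pod.Containers {
		pod.Containers[i].AddCaps = addMissing(c.AddCaps, psp.DefaultAddCapabilities)
		pod.Containers[i].DropCaps = addMissing(c.DropCaps, psp.RequiredDropCapabilities)
	}
	return pod
}

// Validate is the validating half: it returns every rule the (already defaulted) pod
// breaks; an empty result means the pod is admitted under this policy.
func Validate(psp PodSecurityPolicy, pod Pod) []string {
	var bad []string
	deny := func(cond bool, format string, a ...interface{}) {
		if cond {
			bad = append(bad, fmt.Sprintf(format, a...))
		}
	}
	deny(pod.HostPID && !psp.HostPID, "hostPID: sharing the host PID namespace is not allowed")
	for _, c := range pod.Containers {
		deny(c.Privileged && !psp.Privileged, "%s: privileged containers are not allowed", c.Name)
		deny(psp.ReadOnlyRootFilesystem && !c.ReadOnlyRootFS, "%s: readOnlyRootFilesystem must be true", c.Name)
		deny(psp.RunAsUserRule == "MustRunAsNonRoot" && (c.RunAsUser == nil || *c.RunAsUser == 0),
			"%s: runAsUser must be a non-zero UID", c.Name)
		for _, name := range c.AddCaps {
			deny(contains(psp.RequiredDropCapabilities, name), "%s: capability %s must be dropped", c.Name, name)
			deny(!contains(psp.RequiredDropCapabilities, name) && !contains(psp.AllowedCapabilities, name) &&
				!contains(psp.DefaultAddCapabilities, name), "%s: capability %s is not allowed", c.Name, name)
		}
		for _, p := range c.HostPorts { // every requested host port must fall inside one allowed range
			ok := false
			for _, r := range psp.HostPorts {
				ok = ok || (p >= r.Min && p <= r.Max)
			}
			deny(!ok, "%s: host port %d is outside the allowed range", c.Name, p)
		}
	}
	return bad
}

// Restrictive combines the per-slide fields of the slides' "restrictive" policy.
var Restrictive = PodSecurityPolicy{
	RunAsUserRule: "MustRunAsNonRoot", ReadOnlyRootFilesystem: true,
	DefaultAddCapabilities:   []string{"AUDIT_WRITE", "KILL", "NET_BIND_SERVICE"},
	RequiredDropCapabilities: []string{"NET_RAW"}, AllowedCapabilities: []string{"NET_ADMIN"},
	HostPorts:                []HostPortRange{{Min: 8000, Max: 8080}},
}

func main() {
	uid := int64(1000)
	web := Pod{Name: "web", Containers: []Container{{Name: "app", RunAsUser: &uid, ReadOnlyRootFS: true, HostPorts: []int32{8080}}}}
	debug := Pod{Name: "debug", HostPID: true, Containers: []Container{{Name: "shell", Privileged: true, AddCaps: []string{"NET_RAW", "SYS_ADMIN"}, HostPorts: []int32{22}}}}
	for _, p := range []Pod{web, debug} {
		fmt.Printf("%s: %v\n", p.Name, Validate(Restrictive, ApplyDefaults(Restrictive, p))) // [] means admitted
	}
}
```

  Running it admits "web" and rejects "debug" with seven messages: hostPID, privileged, missing read-only root, missing non-zero runAsUser, NET_RAW (which the policy requires dropped), SYS_ADMIN (neither allowed nor a default) and host port 22 outside 8000-8080. The order matters in the real admission controller too: defaults are applied first, so a pod that requests only the policy's default capabilities passes validation.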
  • 69. Network Policies
  • 70. Network Policies: behavior without a network policy. Everything can talk to everything. (Diagram: my-cluster with node-1, node-2, node-3; pods in team1-namespace and team2-namespace.)
  • 71. Network Policies: network isolation with DefaultDeny. Explicitly define communication between pods as a whitelist. (Diagram: same cluster.)
  • 72. Network Policies: network isolation with DefaultDeny. Explicitly define communication between pods as a whitelist. (Diagram: same cluster.)
  • 73. Network Policy in Kubernetes: setting DefaultDeny for a namespace.
        kind: Namespace
        apiVersion: v1
        metadata:
          name: my-namespace
          annotations:
            net.beta.kubernetes.io/network-policy: |
              {
                "ingress": {
                  "isolation": "DefaultDeny"
                }
              }
  • 74. Network Policy in Kubernetes: explicitly define communication between pods.
        apiVersion: extensions/v1beta1
        kind: NetworkPolicy
        metadata:
          name: my-network-policy
          namespace: my-namespace
        spec:
          podSelector:
            matchLabels:
              role: db
          ingress:
          - from:
            - namespaceSelector:
                matchLabels:
                  project: myproject
            - podSelector:
                matchLabels:
                  role: frontend
            ports:
            - protocol: TCP
              port: 6379
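  Slides 70 to 74 describe the whitelist semantics: with no DefaultDeny annotation everything can talk to everything; once a namespace is isolated, a pod only receives traffic that some NetworkPolicy selecting it explicitly allows, where each entry under "from" is an alternative (a namespaceSelector admits any pod in a matching namespace, a podSelector on its own admits matching pods in the policy's own namespace) and "ports" narrows the allowed destination ports. The Go program below is an added example written for this page, not code from the talk or from any Kubernetes network plugin. It models that decision with constructed types (Selector, Peer, IngressRule, NetworkPolicy, PodRef), an isolated map standing in for the namespace annotation, and SlidePolicy as a constructed value of the policy on slide 74; matchLabels is the only selector form supported.

```go
package main

import "fmt"

// Constructed subset of the extensions/v1beta1 NetworkPolicy types on the slides, matchLabels only.
type Selector map[string]string // nil: selector not set; empty: matches everything

func (s Selector) Matches(labels map[string]string) bool {
	for k, v := range s {
		if labels[k] != v {
			return false
		}
	}
	return true
}

type Peer struct{ NamespaceSelector, PodSelector Selector } // one entry of a rule's "from" list
type Port struct{ Protocol string; Port int32 }
type IngressRule struct {
	From  []Peer // empty: any source
	Ports []Port // empty: any port
}
type NetworkPolicy struct {
	Namespace   string
	PodSelector Selector
	Ingress     []IngressRule
}

// PodRef is what the policy engine needs to know about a connection endpoint.
type PodRef struct {
	Namespace       string
	Labels          map[string]string
	NamespaceLabels map[string]string
}

func portMatches(ports []Port, proto string, port int32) bool {
	for _, p := range ports {
		if p.Protocol == proto && p.Port == port {
			return true
		}
	}
	return len(ports) == 0 // an empty ports list matches every port
}

// peerMatches: a namespaceSelector selects sources in namespaces carrying those labels;
// a podSelector on its own selects sources in the policy's own namespace only.
func peerMatches(peer Peer, policyNS string, src PodRef) bool {
	switch {
	case peer.NamespaceSelector == nil && peer.PodSelector == nil:
		return false
	case peer.NamespaceSelector != nil && !peer.NamespaceSelector.Matches(src.NamespaceLabels):
		return false
	case peer.NamespaceSelector == nil && src.Namespace != policyNS:
		return false
	}
	return peer.PodSelector == nil || peer.PodSelector.Matches(src.Labels)
}

// Allowed decides whether src may open a connection to dst on proto/port. isolated holds the
// namespaces annotated with ingress isolation DefaultDeny; elsewhere everything can talk to everything.
func Allowed(isolated map[string]bool, policies []NetworkPolicy, src, dst PodRef, proto string, port int32) bool {
	if !isolated[dst.Namespace] {
		return true
	}
	for _, pol := range policies {
		if pol.Namespace != dst.Namespace || !pol.PodSelector.Matches(dst.Labels) {
			continue
		}
		for _, rule := range pol.Ingress {
			if !portMatches(rule.Ports, proto, port) {
				continue
			}
			if len(rule.From) == 0 {
				return true
			}
			for _, peer := range rule.From {
				if peerMatches(peer, pol.Namespace, src) {
					return true
				}
			}
		}
	}
	return false // isolated namespace and nothing whitelists this flow
}

// SlidePolicy is the NetworkPolicy from slide 74 as a constructed value.
var SlidePolicy = NetworkPolicy{
	Namespace:   "my-namespace",
	PodSelector: Selector{"role": "db"},
	Ingress: []IngressRule{{
		From:  []Peer{{NamespaceSelector: Selector{"project": "myproject"}}, {PodSelector: Selector{"role": "frontend"}}},
		Ports: []Port{{Protocol: "TCP", Port: 6379}},
	}},
}

func main() {
	isolated := map[string]bool{"my-namespace": true}
	db := PodRef{Namespace: "my-namespace", Labels: map[string]string{"role": "db"}}
	fe := PodRef{Namespace: "my-namespace", Labels: map[string]string{"role": "frontend"}}
	fmt.Println(Allowed(isolated, []NetworkPolicy{SlidePolicy}, fe, db, "TCP", 6379)) // true
	fmt.Println(Allowed(isolated, []NetworkPolicy{SlidePolicy}, fe, db, "TCP", 22))   // false: only 6379 is whitelisted
}
```

  Two behaviours worth noticing: a frontend pod with the right label but living in another namespace is refused, because the podSelector entry only reaches the policy's own namespace, and a frontend pod in the isolated namespace cannot itself be reached by anything, since no policy selects it. Both follow directly from treating isolation as deny-by-default plus an explicit whitelist.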
  • 75. Thank you! @jessfraz