SlideShare a Scribd company logo

Docker Containers Security

This is a short, high level, introduction to containers security, covering the different aspects of security in the container world.

1 of 23
Download to read offline
Security in the Container World
Stéphane Woillez
Technical Lead South Europe
Docker Inc.
From basic security to end to end secured operations….
• Different aspects of containers security
• Container ARE secure
• There are containers and containers
• Secure the infrastructure
• Secure the content
• Secure the access
Containers are Polymorphic entities that require a combined security approach
2
The security of Docker environments covers 3 aspects
+ +
Secure
Platform
Secure
Content
Secure
Access
Strong isolation and
secure by default
Authentication,
authorization and
access control
Content integrity and
trust
• Does not hinder speed or creativity
• Accelerate secure development
For Developers For IT ops
• Flexible and granular controls
• Proactive risk management
A secure platform, running secured content, managed with security constraints
Containers Security Basics
Containers are secure
Understand containers to know how to secure them
State of the union : Containers are secure !
• Isolation of containers with NameSpaces
• Resource Usage Limits with CGroups
• Admin rights control with LibCap
• Kernel protection with AppArmor,
SELinux or Seccomp
• Prevent Compromising with immutable
image layers
• Limit attack surface with Images built best
practices
Readonly
Readonly
Readonly
Install only the required libraries in images
Even the more secured environment, if poorly managed, can be compromised
5
Containers are polymorphic entities
(micro)Service
Container
Virtual Machine
Container
The container hosts a few
number of processes
It executes a single task,
in general a simple one
It is one element of a
larger application
The container runs a large
number of processes
It executes a complex
activity
It is a whole application
Ad

Recommended

Docker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningDocker Enterprise Deployment Planning
Docker Enterprise Deployment PlanningStephane Woillez
 
VMware@Night: Container & Virtualisierung
VMware@Night: Container & VirtualisierungVMware@Night: Container & Virtualisierung
VMware@Night: Container & VirtualisierungDigicomp Academy AG
 
Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Containers vs. VMs: It's All About the Apps!
Containers vs. VMs: It's All About the Apps!Steve Wilson
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security  for CloudCamp Nov 2017Ten layers of container security  for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
Containers for Lawyers Richard Fontana
Containers for Lawyers  Richard FontanaContainers for Lawyers  Richard Fontana
Containers for Lawyers Richard FontanaBlack Duck by Synopsys
 

More Related Content

What's hot

Top 5 benefits of docker
Top 5 benefits of dockerTop 5 benefits of docker
Top 5 benefits of dockerJohn Zaccone
 
Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...All Things Open
 
Docker Containers Deep Dive
Docker Containers Deep DiveDocker Containers Deep Dive
Docker Containers Deep DiveWill Kinard
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containersJohn Kinsella
 
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...Edureka!
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefitsAmit Manwade
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 RecapLee Calcote
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT CampusAjeet Singh Raina
 
Docker taylor swift and protection v06
Docker taylor swift and protection v06Docker taylor swift and protection v06
Docker taylor swift and protection v06marketingunitrends
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineAarno Aukia
 
Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Keith Lynch
 
Docker Basic to Advance
Docker Basic to AdvanceDocker Basic to Advance
Docker Basic to AdvanceParas Jain
 
Docker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containersDocker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containersDr Ganesh Iyer
 
Docker in pratice -chenyifei
Docker in pratice -chenyifeiDocker in pratice -chenyifei
Docker in pratice -chenyifeidotCloud
 
Where and When to Docker
Where and When to DockerWhere and When to Docker
Where and When to Dockerdantheelder
 

What's hot (20)

Top 5 benefits of docker
Top 5 benefits of dockerTop 5 benefits of docker
Top 5 benefits of docker
 
Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...
 
Docker Containers Deep Dive
Docker Containers Deep DiveDocker Containers Deep Dive
Docker Containers Deep Dive
 
An In-depth look at application containers
An In-depth look at application containersAn In-depth look at application containers
An In-depth look at application containers
 
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
Docker vs VM | | Containerization or Virtualization - The Differences | DevOp...
 
Docker introduction & benefits
Docker introduction & benefitsDocker introduction & benefits
Docker introduction & benefits
 
Dockercon EU 2015 Recap
Dockercon EU 2015 RecapDockercon EU 2015 Recap
Dockercon EU 2015 Recap
 
Securing the Cloud
Securing the CloudSecuring the Cloud
Securing the Cloud
 
Introduction to Docker - VIT Campus
Introduction to Docker - VIT CampusIntroduction to Docker - VIT Campus
Introduction to Docker - VIT Campus
 
Docker & Daily DevOps
Docker & Daily DevOpsDocker & Daily DevOps
Docker & Daily DevOps
 
Docker taylor swift and protection v06
Docker taylor swift and protection v06Docker taylor swift and protection v06
Docker taylor swift and protection v06
 
Docker benefits v0.1
Docker benefits v0.1Docker benefits v0.1
Docker benefits v0.1
 
DevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipelineDevSecOps: Bringing security to the DevOps pipeline
DevSecOps: Bringing security to the DevOps pipeline
 
Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016Containers - Transforming the data centre as we know it 2016
Containers - Transforming the data centre as we know it 2016
 
Docker 101
Docker 101Docker 101
Docker 101
 
Docker Basic to Advance
Docker Basic to AdvanceDocker Basic to Advance
Docker Basic to Advance
 
Docker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containersDocker - A high level introduction to dockers and containers
Docker - A high level introduction to dockers and containers
 
Docker in pratice -chenyifei
Docker in pratice -chenyifeiDocker in pratice -chenyifei
Docker in pratice -chenyifei
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Where and When to Docker
Where and When to DockerWhere and When to Docker
Where and When to Docker
 

Similar to Docker Containers Security

Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...The Incredible Automation Day
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container securityVolodymyr Shynkar
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trustehazlett
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendEric Smalling
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?DevOps.com
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDocker, Inc.
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?Eric Smalling
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon
 
Container Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityContainer Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityEric Smalling
 
Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?All Things Open
 
ATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfEric Smalling
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container securityJohn Kinsella
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceBlack Duck by Synopsys
 
Docker container security
Docker container securityDocker container security
Docker container securityThoughtworks
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfEric Smalling
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and BeyondBlack Duck by Synopsys
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container SecurityKsenia Peguero
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)Amazon Web Services
 

Similar to Docker Containers Security (20)

Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...Strategy, planning and governance for enterprise deployments of containers - ...
Strategy, planning and governance for enterprise deployments of containers - ...
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
 
DevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friendDevSecCon Lightning 2021- Container defaults are a hackers best friend
DevSecCon Lightning 2021- Container defaults are a hackers best friend
 
Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?Are Your Containers as Secure as You Think?
Are Your Containers as Secure as You Think?
 
DCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at NetflixDCSF19 Container Security: Theory & Practice at Netflix
DCSF19 Container Security: Theory & Practice at Netflix
 
Why should developers care about container security?
Why should developers care about container security?Why should developers care about container security?
Why should developers care about container security?
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly DavidoffDevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
DevSecCon Tel Aviv 2018 - End2End containers SSDLC by Vitaly Davidoff
 
Containers and Security for DevOps
Containers and Security for DevOpsContainers and Security for DevOps
Containers and Security for DevOps
 
Container Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container securityContainer Stranger Danger - Why should devs care about container security
Container Stranger Danger - Why should devs care about container security
 
Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?Why Should Developers Care About Container Security?
Why Should Developers Care About Container Security?
 
ATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdfATO 2022 - Why should devs care about container security.pdf
ATO 2022 - Why should devs care about container security.pdf
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Docker container security
Docker container securityDocker container security
Docker container security
 
Python Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdfPython Web Conference 2022 - Why should devs care about container security.pdf
Python Web Conference 2022 - Why should devs care about container security.pdf
 
5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond5 Ways to Secure Your Containers for Docker and Beyond
5 Ways to Secure Your Containers for Docker and Beyond
 
Finding Your Way in Container Security
Finding Your Way in Container SecurityFinding Your Way in Container Security
Finding Your Way in Container Security
 
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)AWS re:Invent 2016: Securing Container-Based Applications (CON402)
AWS re:Invent 2016: Securing Container-Based Applications (CON402)
 

Recently uploaded

Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build PolandGDSC PJATK
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!KivenRaySarsaba
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Umar Saif
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxMaarten Balliauw
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsInflectra
 
Apex Replay Debugger and Salesforce Platform Events.pptx
Apex Replay Debugger and Salesforce Platform Events.pptxApex Replay Debugger and Salesforce Platform Events.pptx
Apex Replay Debugger and Salesforce Platform Events.pptxmohayyudin7826
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringMassimo Talia
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17Ana-Maria Mihalceanu
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfIsidro Navarro
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...UiPathCommunity
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura RochniakFwdays
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys VasylievFwdays
 
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Product School
 
"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor FesenkoFwdays
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr TsapFwdays
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1Inbay UK
 
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfIntroducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfSafe Software
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?MENGSAYLOEM1
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stackSummit
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Product School
 

Recently uploaded (20)

Bit N Build Poland
Bit N Build PolandBit N Build Poland
Bit N Build Poland
 
My sample product research idea for you!
My sample product research idea for you!My sample product research idea for you!
My sample product research idea for you!
 
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
Progress Report: Ministry of IT under Dr. Umar Saif Aug 23-Feb'24
 
Bringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptxBringing nullability into existing code - dammit is not the answer.pptx
Bringing nullability into existing code - dammit is not the answer.pptx
 
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+PluginsFrom Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
From Challenger to Champion: How SpiraPlan Outperforms JIRA+Plugins
 
Apex Replay Debugger and Salesforce Platform Events.pptx
Apex Replay Debugger and Salesforce Platform Events.pptxApex Replay Debugger and Salesforce Platform Events.pptx
Apex Replay Debugger and Salesforce Platform Events.pptx
 
Dynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineeringDynamical systems simulation in Python for science and engineering
Dynamical systems simulation in Python for science and engineering
 
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17Enhancing Productivity and Insight  A Tour of JDK Tools Progress Beyond Java 17
Enhancing Productivity and Insight A Tour of JDK Tools Progress Beyond Java 17
 
Artificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdfArtificial-Intelligence-in-Marketing-Data.pdf
Artificial-Intelligence-in-Marketing-Data.pdf
 
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
Dev Dives: Leverage APIs and Gen AI to power automations for RPA and software...
 
"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak"Testing of Helm Charts or There and Back Again", Yura Rochniak
"Testing of Helm Charts or There and Back Again", Yura Rochniak
 
"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev"AIRe - AI Reliability Engineering", Denys Vasyliev
"AIRe - AI Reliability Engineering", Denys Vasyliev
 
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
Synergy in Leadership and Product Excellence: A Blueprint for Growth by CPO, ...
 
"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko"Platform Engineering with Development Containers", Igor Fesenko
"Platform Engineering with Development Containers", Igor Fesenko
 
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap"Running Open-Source LLM models on Kubernetes",  Volodymyr Tsap
"Running Open-Source LLM models on Kubernetes", Volodymyr Tsap
 
IT Nation Evolve event 2024 - Quarter 1
IT Nation Evolve event 2024  - Quarter 1IT Nation Evolve event 2024  - Quarter 1
IT Nation Evolve event 2024 - Quarter 1
 
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdfIntroducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
Introducing the New FME Community Webinar - Feb 21, 2024 (2).pdf
 
Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?Are Human-generated Demonstrations Necessary for In-context Learning?
Are Human-generated Demonstrations Necessary for In-context Learning?
 
How we think about an advisor tech stack
How we think about an advisor tech stackHow we think about an advisor tech stack
How we think about an advisor tech stack
 
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
Harnessing the Power of GenAI for Exceptional Product Outcomes by Booking.com...
 

Docker Containers Security

  • 1. Security in the Container World Stéphane Woillez Technical Lead South Europe Docker Inc.
  • 2. From basic security to end to end secured operations…. • Different aspects of containers security • Container ARE secure • There are containers and containers • Secure the infrastructure • Secure the content • Secure the access Containers are Polymorphic entities that require a combined security approach 2
  • 3. The security of Docker environments covers 3 aspects + + Secure Platform Secure Content Secure Access Strong isolation and secure by default Authentication, authorization and access control Content integrity and trust • Does not hinder speed or creativity • Accelerate secure development For Developers For IT ops • Flexible and granular controls • Proactive risk management A secure platform, running secured content, managed with security constraints
  • 4. Containers Security Basics Containers are secure Understand containers to know how to secure them
  • 5. State of the union : Containers are secure ! • Isolation of containers with NameSpaces • Resource Usage Limits with CGroups • Admin rights control with LibCap • Kernel protection with AppArmor, SELinux or Seccomp • Prevent Compromising with immutable image layers • Limit attack surface with Images built best practices Readonly Readonly Readonly Install only the required libraries in images Even the more secured environment, if poorly managed, can be compromised 5
  • 6. Containers are polymorphic entities (micro)Service Container Virtual Machine Container The container hosts a few number of processes It executes a single task, in general a simple one It is one element of a larger application The container runs a large number of processes It executes a complex activity It is a whole application
  • 7. Different behaviors need different management approaches Type of Container Service Virtual Machine Content Few processes A whole application Size Few mega bytes Hundreds of mega bytes, even giga bytes Lifespan Short, sometimes a few milliseconds Days / Weeks / Months Patchs Never On a regular basis (by stop/start) Storage None Regular (via volumes) Monitoring Service availability (not the container) Regular Access Never Regular for control, debug… Backup Never Application Data Security BEFORE execution Regular via Antimalware & Intrusion Detection
  • 8. Secure the infrastructure Security of the engine What about intrusion detection ?
  • 9. Security of the Engine • Install & configure kernel protection using AppArmor, SELinux or Seccomp • Prevent root access to clusters, to ensure no one can disable protection • Limit the installed packages on host to reduce risk • Use a tool like DockerBench for Security to assess and fix the configuration of hosts • On clusters, configure certificates rotation for TLS sessions Configure, control, and test… 9
  • 10. Detection of intrusions and abnormal activities • Very early stage. Attacks adapted to containers still to be developed. Risk low for Micro Services Apps • The security approach depends on the type of containers managed • For « Virtual Machines » containers o Well, everything works like in VMs o Host based Intrusion detection o Anti malware • For « Services » containers o Containers may live for only milliseconds o Vulnerability assessment BEFORE execution What the hell are you doing inside my Docker cluster ? 10
  • 11. What Docker brings to secure the infrastructure • Cryptographic node identity • Out of the box TLS • Integrated Seamless PKI • Automatic certificates rotation • External CA integration • Integration with 3rd party vendors Manager Node Certificate Authority TLS Manager Node Certificate Authority TLS Manager Node Certificate Authority TLS Worker TLS Worker TLS Worker TLS
  • 12. Secure the content Docker image management Content trust Secrets Management
  • 13. Image Management • Hub Images or my private images ? o Allow developers to use hub images locally o Deny uncontrolled images on clusters • Build your own base images o Tar the content of a chroot dir and use “scratch” o Look for examples in the Docker Hub • Reduce the size of images layers using multi stage builds • Tagging o LATEST is your enemy in production o Favor major versions, update using minors o Some use extra tags like DEV,INTEGRATION... FROM scratch ADD <chroot_dir or tar file> / CMD ["/bin/bash"] Docker HUB Trusted Registry Image quality is key to many aspects of Docker : security, efficiency, shareability… 13
  • 14. Content trust : Run only trusted images • Clusters should only run trusted images • Images should pass security validation before been granted for production • Digital signing of images ensure trust. Engines do not create containers from unsigned images • Sophisticated signing policies can be used for different purposes : o Implement a validation chain o Ensure all security tests have been applied o Involve the responsibility of image providers Don’t open the Pandora’s box, unless you know exactly what it contains 14
  • 15. • Management – Separation between the application and the secrets it handles – Exposed to a container at execution time • Authorization – Not all admins should access secrets • Delivery – Encryption at every step of the process – Protection from unauthorized access • Auditing – Each user request for secret access must be logged for auditing WorkerWorker Manager Internal DistributedStore Raft Consensus Group ManagerManager Worker External App Web UI Secrets Management for Applications Separate applications secrets from the actual code of the application
  • 16. What Docker brings to secure the content • Private Registries • Content trust • Image Signing • Image Scanning • Read Only repositories • Secrets Management tag = “latest” personal/hello-world dev/hello-world No ‘critical’ or ‘major’ vulnerabilities qa/hello-world
  • 17. Secure the operations Authentication & access control Multi tenancy
  • 18. Authentication and Access Control • Basic Security – Access the Docker cluster without ROOT privileges – Secure every administration channel • Authentication – Manage users by groups and organizations – Delegate authentication to external directory • Access Control – Map Docker Admin roles to existing roles – Admins only see what they are entitled to • Auditing – Each Admin action must be logged for auditing Node Worker Node Worker Node Worker Node Worker ProdDev Dev Team A Dev Team B SecOpsOps Team PHI
  • 19. Multi tenancy • Do not mix up platform multi tenancy and application multi tenancy • Two main usage of Multi Tenancy : o Isolate users/apps from others o Protect environments from unauthorized users ▪ Production vs Other environments • Several combined technics allows multi tenancy : o Authentication (not only for users) o Role based access control o Isolation of compute resources (pros & cons) o Resource usage limits (ensure they are set) Ensure & control good relationship between neighbors 19
  • 20. What Docker brings to secure the operations • Authentication • Integration with AD/LDAP • Access Control • Role Segregation • Advanced Customization • Multi Tenancy
  • 22. Conclusion • Containers are secure • 3+ years of experience in production • Like any other environment, security best practices are required • New technologies means new approaches to security (VM vs Services) 22