Security is a basic requirement of modern applications, and developers are increasingly using containers in their development work. In this presentation, we explore the basic components of secure design (preparation, detection, and containment), how containers facilitate that work today (verification), and how container orchestration ought to support models of the future, especially ones that are hard to roll manually (PKI).

1. Orchestration and Monitoring
Containers as a Foundation for Fast Vulnerability Responses,
Rapid Compromise Detection, and Containment

2. About Me
● Drupal
○ Infrastructure (drupal.org)
○ Security
○ Performance/scalability,
especially databases
● Systemd
○ Committer
○ Scalable cgroups management
○ Structured logging integration
○ Launch-on-demand adapter maintainer
● Pantheon
○ CTO and Co-founder
○ Billions of monthly page views
○ Millions of containers

3. ContainmentDetectionPreparation

4. ContainmentDetectionPreparation

5. Container Hosts
Container
Container
Preparation: Reducing Exposure
Traditional Model
Extra Work to Configure Firewalls
Containers Model
Explicit Services Made Public
Server or
Virtual Machine
Port 23 (Telnet)
Port 22 (SSH)
Port 80 (HTTP)
Port 443 (HTTPS)
Port 80 (HTTP)
Port 443 (HTTPS)
KubeIngress

6. Preparation: Patching with Rolling Updates
Container Hosts
Container
(Old)
KubeIngress
HTTPS
Container Hosts
Container
(New)
KubeIngress
HTTPS
Container
(Old)

7. Preparation: Identifying Vulnerable Applications
Container Hosts
Runtime +
Libraries
(Old)
Runtime +
Libraries
(New)
Container
Container
Container Hosts
Runtime +
Libraries
(Old)
Runtime +
Libraries
(New)
Container
Container

8. ContainmentDetectionPreparation

9. Detection: Suspicious Behavior
Container Host
Container
Daemon
PID 1
Container
Daemon
PID 1
PID or Container Supervisor
Container Host
Container
Daemon
PID 1
Container
Daemon
PID 1
PID or Container Supervisor
Container Host
Container
Daemon
SEGV’d
PID 1
Container
Daemon
PID 1
PID 1 or Container Supervisor
Centralized
Monitoring

10. Detection: Integrity Verification
Container
Trusted
Party
Signature

11. ContainmentDetectionPreparation

12. Containment Antipattern: Mandatory Access Control (MAC) as an Afterthought

13. Containment: Containers Setting the Boundaries First

14. Containment: Resource Management with Control Groups
Container Host
Container Container
ControlGroups

15. Containment: Isolation of Statefulness
Container Host
Container
Persistence
Container

16. Containment: Containers as a Public Key Infrastructure (PKI) Substrate
Container Host
Container
LoadBalancer
X.509
Server
Cert
HTTPS
Configuration
Management
and
Certificate Authority
Services
X.509
Server
Cert
X.509
Client
Cert
PersistenceX.509
Server
Cert
Container
X.509
Cert
X.509
Cert
X.509
Client
Cert

17. Questions?
@DavidStrauss
david@pantheon.io
linkedin.com/in/davidstrauss