DevSecOps Orchestration of Text Analytics with Containers
1. DevSecOps Orchestration of Text Analytics with Containers
Container Best Practices
Gil Irizarry
VP Engineering
2. Objectives
● What: Analysis of containers vs. VMs and how to run containers securely
● Why: Containers offer efficiencies in installing and running software, but those efficiencies come with risks
● How: Patches, settings and orchestration can help mitigate the risks of containerization
6. VMs are more secure, right?
● Common Vulnerabilities and Exposures: https://cve.mitre.org/
○ CVE-2018-8219: An elevation of privilege vulnerability exists when Windows Hyper-V instruction emulation fails to properly enforce privilege levels.
○ CVE-2018-18021: ... An attacker can arbitrarily redirect the hypervisor flow of control (with full register control) [in Linux KVM on arm64]. An attacker can also cause a denial of service (hypervisor panic) via an illegal exception return...
10. Mitigation of Container Vulnerabilities
● Patch the OS (the shared host kernel is the attack surface every container on the host has in common)
● Know the source of your image
● Scan and audit, for example with https://github.com/docker/docker-bench-security.git, which checks the Docker host, daemon configuration and running containers against the CIS Docker Benchmark; pair it with an image vulnerability scanner for the packages inside the image itself
● Do not run as root
11. Mitigation of Container Vulnerabilities
● Use Linux namespaces, in particular Docker's user-namespace remapping (userns-remap), so that root inside a container maps to an unprivileged UID on the host; namespaces reduce, but do not eliminate, the shared-kernel attack surface
● Unset SUID flags on your container images
● Use Docker Content Trust (DOCKER_CONTENT_TRUST=1) so that only signed images are pulled and run
● Put limits on the system resources (CPU, memory, number of processes) that individual containers can consume, either through docker run flags or Kubernetes resource limits
Containers are “smaller” than VMs. The picture of the cargo ship is not a bad analogy since all the containers take advantage of the same hull and engine.
The Docker logo echoes the design of the cargo ship.
VMs require a full OS per VM plus a hypervisor to manage them. VMs are separate and distinct from each other: a process that compromises its guest OS does not affect the other VMs or their OSs. Containers share the host kernel instead of carrying their own, which is why they are more efficient, lightweight and quicker to start.
A partial list of hypervisor vulnerabilities. VMs are isolated from each other, but the hypervisor is a component shared by all of the VMs on a host, so a vulnerability in it is common to all of them.
I wanted to find a feel-good aphorism about vulnerability, but there’s a truth here that can apply to containers -- or IT in general. We have to accept some risk to gain the advantage of functionality or features. We need to understand the vulnerabilities in order to mitigate their impact.
Examples of container vulnerabilities
This image is a bit too good. We can’t fully cover the risk with mitigation, but we can work to reduce it
SUID (Set owner User ID upon execution) is a special permission bit on an executable file. Normally, when a program runs on Linux/Unix it inherits the access permissions of the user who launched it. A SUID binary instead runs with the permissions of the file's owner; when that owner is root, any unprivileged process inside the container that can drive the binary has a path to root. You should either unset these bits or delete those files completely.
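The SUID point on slide 11 and in the note above, as an added example (not code from the talk): shell functions that find and strip setuid/setgid bits in a root filesystem, which is what a Dockerfile RUN step near the end of a build, or an audit of a docker export, would do. The functions take any directory as the root, so the demo runs them on a constructed temporary tree rather than a real image; the file names and permissions in that tree are made up for the demo.

```shell
#!/bin/sh
# Added example: locate and remove setuid/setgid bits in a container root
# filesystem. Demonstrated on a constructed temporary tree (not a real image).

# Regular files with the setuid (4000) or setgid (2000) bit set under $1.
# -xdev stays on one filesystem so a run against / skips /proc and /sys.
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# How many such files remain; 0 is the target state for a hardened image.
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Clear the bits (chmod a-s) on every such file. Deleting the binaries
# outright is the stricter option the talk also mentions.
strip_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -exec chmod a-s {} + 2>/dev/null
}

# Constructed demo tree: two "binaries" with the bits set and one without.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/bin" "$demo_root/bin"
printf '#!/bin/sh\n' > "$demo_root/usr/bin/passwd"
printf '#!/bin/sh\n' > "$demo_root/bin/mount"
printf '#!/bin/sh\n' > "$demo_root/bin/ls"
chmod 4755 "$demo_root/usr/bin/passwd"   # setuid, as a real passwd binary is
chmod 2755 "$demo_root/bin/mount"        # setgid
chmod 0755 "$demo_root/bin/ls"           # plain executable, must be left alone

before=$(count_setuid "$demo_root")
strip_setuid "$demo_root"
after=$(count_setuid "$demo_root")
echo "setuid/setgid files before: $before, after: $after"

# The same step inside a Dockerfile, placed after the last package install:
#   RUN find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec chmod a-s {} +
#   USER 1000:1000
```

Run the strip as the last RUN step so that later package installs cannot reintroduce setuid binaries, then switch to an unprivileged USER as the slide's "do not run as root" point requires; the count function gives an auditable zero to check in CI. The remaining slide 11 mitigation, resource limits, is applied at run time rather than build time, for example docker run --memory, --cpus and --pids-limit, or a resources.limits block in a Kubernetes pod spec.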
Kubernetes is Greek for helmsman or governor. It is a system for running and coordinating containerized applications across a cluster of machines, a platform designed to manage the whole life cycle of containerized applications and services in a way that provides predictability, scalability and high availability. The master server talks to the kubelets to control the nodes. The outside world talks to kube-proxy, which routes traffic to the pods. The containers in a pod are managed entirely as a unit and share their environment, volumes and IP address. When a change is seen, the controller manager reads the new desired state and carries out the procedure that fulfills it: scaling an application up or down, adjusting endpoints, and so on.
docker image ls                 # list the local images
docker run hello-world          # pull the image and run a container from it
docker container ls             # running containers only; won't show the stopped hello-world container
docker container ls --all       # include stopped containers
docker image ls                 # list the images again
docker rmi 4ab4c602aa5e         # fails: the stopped container still references the image
docker rm fcab5d2638f2          # remove the container
docker rmi 4ab4c602aa5e         # now the image can be removed
ROSAPI_LICENSE_PATH=/Users/gil/Downloads/rosette-license.xml docker-compose -p rosette-stack up