TEN LAYERS OF CONTAINER SECURITY
Gordon Haff
Technology Evangelist, Red Hat
CloudCamp, South San Francisco: Nov. 2017
@ghaff
WHO AM I?
● Evangelist for emerging technologies and practices at Red Hat
● Co-author of From Pots and Vats to Programs and Apps (download for free at https://goo.gl/FSfgky)
● Former IT industry analyst
● Former big system guy
● Website: http://www.bitmasons.com
MANAGED RISK
It depends on who you ask...
Dev vs. Ops
(word cloud: Reuse, Automation, Microservices, Immutability, Pervasive access, Speed, Rapid tech churn, Flexible deploys, Containers, Software-defined)
WHAT ARE CONTAINERS?
Infrastructure view:
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
Application view:
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components

THE COMMUNITY LANDSCAPE
Open source, Leadership, and Standards
The landscape is made up of committees, standards bodies, and open source projects:
● Docker/Moby
● Kubernetes/OpenShift
● OCI Specifications
● Cloud Native Technical Leadership
SECURING CONTAINERS: LAYERS, LIFECYCLE, AND AUTOMATION
1. Container Host
2. Container Content
3. Container Registries
4. Building Containers
5. Deploying Containers
6. Container Platform
7. Network Isolation
8. Storage
9. API Management
10. Federated Clusters
1. CONTAINER HOST & MULTI-TENANCY: THE OS MATTERS
A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel.
The foundation for secure, scalable containers: SELinux, kernel namespaces, cgroups, seccomp, read-only mounts.
1. SELINUX - MAC (MANDATORY ACCESS CONTROL) - MCS (MULTI-CATEGORY SECURITY)
● SELinux is a LABELING system
● Every process has a label
● Every file, directory, and system object has a label
● Policy rules control access between labeled processes and labeled objects
● The kernel enforces the rules
For containers, MCS adds a unique pair of categories to each container's label, so two containers that run with the same SELinux type still cannot read each other's files.
1. CGROUPS - RESOURCE ISOLATION
CPU, memory, network, and storage / IO are accounted and limited per container: each container gets its own slice (container 1 slice, container 2 slice, ...).
Cgroups bound how much a container may consume, which keeps one tenant from starving another; they do not hide resources from the container, which is what namespaces do.
1. SECCOMP AND CAPABILITIES - REMOVE PRIVILEGES FROM CONTAINERS
Most privileges are not needed to run most applications. The list below is of Linux capabilities that can be dropped from a container's bounding set; seccomp complements this by filtering which system calls the container may make at all. For example:
CAP_SETPCAP
CAP_SYS_MODULE
CAP_SYS_RAWIO
CAP_SYS_PACCT
CAP_SYS_NICE
CAP_SYS_RESOURCE
CAP_SYS_TIME
CAP_SYS_TTY_CONFIG
CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL
...
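To see which of these capabilities a running container actually retains, the following script (an added example, not part of the deck) decodes the CapEff/CapBnd masks that the kernel prints in /proc/<pid>/status and reports which of the capabilities the slide lists are still in the bounding set. The sample status lines are constructed: the first uses the mask a container started with Docker's default capability set shows, the second a mask with every capability set.

```python
"""Decode the capability sets of a process from its /proc/<pid>/status.

Added example, not from the slide deck. It reads the Cap* lines, decodes
the hex masks into capability names and reports which of the "rarely
needed" capabilities from the slide are still present.
"""
import re

# Bit positions from include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The capabilities the slide lists as rarely needed by applications.
RARELY_NEEDED = {
    "CAP_SETPCAP", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PACCT",
    "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
}


def decode_mask(hex_mask: str) -> set:
    """Turn a hex capability mask (as printed in /proc/<pid>/status) into names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask & (1 << bit)}


def parse_status(text: str) -> dict:
    """Extract and decode the Cap* lines from a /proc/<pid>/status document."""
    sets = {}
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$"
    for m in re.finditer(pattern, text, re.M):
        sets[m.group(1)] = decode_mask(m.group(2))
    return sets


def audit(text: str) -> set:
    """Return the rarely-needed capabilities still in the bounding set."""
    sets = parse_status(text)
    return sets.get("CapBnd", set()) & RARELY_NEEDED


# Constructed sample: the Cap* lines of a process started with Docker's
# default capability set (mask 00000000a80425fb).
SAMPLE_DEFAULT = """Name:\tnginx
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

# Constructed sample: a privileged-style process holding every capability.
SAMPLE_PRIVILEGED = SAMPLE_DEFAULT.replace("00000000a80425fb", "000001ffffffffff")

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/self/status"
    with open(path) as fh:
        text = fh.read()
    for name, caps in sorted(parse_status(text).items()):
        print(f"{name}: {', '.join(sorted(caps)) or '(none)'}")
    print("rarely needed but present:", sorted(audit(text)) or "none")
```

Run it inside a container, or point it at /proc/<pid>/status of a container process from the host. A container started with `--cap-drop ALL` should leave the "rarely needed but present" line empty, while Docker's default set still keeps CAP_SETPCAP and CAP_AUDIT_WRITE.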
2. CONTENT: USE TRUSTED SOURCES
Image stack: HOST OS, then the CONTAINER made of OS, RUNTIME, and APP layers
● Are there known vulnerabilities in the application layer?
● Are the runtime and OS layers up to date?
● How frequently will the container be updated and how will I know when it's updated?
3. PRIVATE REGISTRIES: SECURE ACCESS TO IMAGES
Image governance and private registries
● What security meta-data is available for your images?
● Are the images in the registry updated regularly?
● Are there processes to maintain currency?
● Are there access controls on the registry? How strong are they?
4. MANAGING CONTAINER BUILDS
Security & continuous integration
● Layered packaging model supports separation of concerns (operations, architects, and application developers each own their layer)
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Trigger automated rebuilds
5. MANAGING CONTAINER DEPLOYMENT
Security & continuous deployment
● Monitor image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
6. SECURING THE CONTAINER PLATFORM
Use a container orchestration platform with integrated security features including
● Role-based Access Controls with LDAP and OAuth2 integration
● Platform multitenant security
● Image signing (OpenShift 3.6)
● Secrets management
● Enable integration with the security ecosystem
6. SECURING THE CONTAINER PLATFORM: MONITORING, ALERTS, AND METRICS
● Log (most) things
● Alarm few things
● Establish relevant metrics
● Root cause analysis (reactive)
● Detect patterns/trends (proactive)
● Context and distributions matter
● Incentives drive behavior
7. NETWORK DEFENSE
Use network namespaces to
● Isolate applications from other applications within a cluster
● Isolate environments (Dev / Test / Prod) from other environments within a cluster
A Kubernetes namespace by itself is not a network boundary: pods in different namespaces can reach each other unless the cluster's SDN plugin or network policy enforces the isolation.
8. ATTACHED STORAGE
Secure storage by using
● SELinux access controls
● Secure mounts
● Supplemental group IDs for shared storage
8. STORAGE ISOLATION
When an app is created with storage, the SCC (security context constraint) access layer checks:
● supplementalGroups: do the pod's UID/GID give it access to the shared storage?
● fsGroup: is the pod's "file system group" ID correct for the block storage?
● seLinuxOptions: are the seLinuxContext user, role, and type set, and is this user allowed to mount it?
● runAsUser: what is the RunAsUser, or the MustRunAsRange?
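The SCC checks on this slide and the deployment gate from layer 5 ("if a container requires root access, prevent deployment") can be expressed as one admission-style policy check run before a pod is admitted. The Python below is an added example, not OpenShift's SCC implementation: the policy ranges (UIDs 1000-1999, fsGroup 1000-1999, supplemental groups 5000-5999), the forbidden-capability list and the two pod manifests are assumptions and constructed inputs chosen for illustration.

```python
"""Deployment-time policy gate for pod manifests.

Added example, not OpenShift's own SCC code. It models the checks the
storage isolation slide walks through (runAsUser range, fsGroup,
supplementalGroups, seLinuxOptions) and the layer 5 rule that a
container requiring root must not be deployed. Ranges are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Range = Tuple[int, int]


@dataclass
class Policy:
    allow_privileged: bool = False
    allow_host_namespaces: bool = False
    uid_range: Optional[Range] = (1000, 1999)            # MustRunAsRange
    fs_group_range: Optional[Range] = (1000, 1999)
    supplemental_group_range: Optional[Range] = (5000, 5999)
    require_selinux_level: bool = True                   # MustRunAs: a level is required
    forbidden_caps: frozenset = frozenset({"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "NET_ADMIN"})


def _in_range(value: int, rng: Optional[Range]) -> bool:
    return rng is None or rng[0] <= value <= rng[1]


def evaluate(pod: dict, policy: Policy) -> List[str]:
    """Return the list of violations; an empty list means the pod may be deployed."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    violations = []

    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag) and not policy.allow_host_namespaces:
            violations.append(f"{flag} is not allowed")

    # fsGroup and supplementalGroups decide what the pod can touch on shared storage.
    fs_group = psc.get("fsGroup")
    if fs_group is not None and not _in_range(fs_group, policy.fs_group_range):
        violations.append(f"fsGroup {fs_group} outside {policy.fs_group_range}")
    for gid in psc.get("supplementalGroups", []):
        if not _in_range(gid, policy.supplemental_group_range):
            violations.append(f"supplementalGroup {gid} outside {policy.supplemental_group_range}")

    # Without an MCS level the pod cannot be matched to labeled storage.
    if policy.require_selinux_level and not psc.get("seLinuxOptions", {}).get("level"):
        violations.append("seLinuxOptions.level must be set so the pod can mount labeled storage")

    for c in spec.get("containers", []):
        csc = c.get("securityContext", {})
        name = c.get("name", "?")
        # A container-level runAsUser overrides the pod-level one.
        uid = csc.get("runAsUser", psc.get("runAsUser"))
        run_as_non_root = csc.get("runAsNonRoot", psc.get("runAsNonRoot"))
        if uid is None:
            if not run_as_non_root:
                violations.append(f"{name}: no runAsUser and runAsNonRoot not set; image may run as root")
        elif uid == 0:
            violations.append(f"{name}: requires root (runAsUser 0)")
        elif not _in_range(uid, policy.uid_range):
            violations.append(f"{name}: runAsUser {uid} outside {policy.uid_range}")
        if csc.get("privileged") and not policy.allow_privileged:
            violations.append(f"{name}: privileged containers are not allowed")
        for cap in csc.get("capabilities", {}).get("add", []):
            if cap in policy.forbidden_caps:
                violations.append(f"{name}: adds forbidden capability {cap}")

    for v in spec.get("volumes", []):
        if "hostPath" in v:
            violations.append(f"volume {v.get('name', '?')}: hostPath mounts are not allowed")
    return violations


# Constructed manifests, shaped as a YAML loader would produce them.
GOOD_POD = {
    "spec": {
        "securityContext": {
            "runAsUser": 1001, "fsGroup": 1001,
            "supplementalGroups": [5555],
            "seLinuxOptions": {"level": "s0:c123,c456"},
        },
        "containers": [{"name": "web", "image": "registry.example/web:1.0"}],
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "data"}}],
    }
}

BAD_POD = {
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "admin", "image": "registry.example/admin:latest",
            "securityContext": {"runAsUser": 0, "privileged": True,
                                "capabilities": {"add": ["SYS_ADMIN"]}},
        }],
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    }
}

if __name__ == "__main__":
    for label, pod in (("good", GOOD_POD), ("bad", BAD_POD)):
        problems = evaluate(pod, Policy())
        print(f"{label}: {'allowed' if not problems else 'rejected'}")
        for p in problems:
            print("  -", p)
```

The check deliberately treats a missing runAsUser without runAsNonRoot as a violation rather than a pass: the image's USER directive decides the UID at runtime, and an admission gate that cannot see it should fail closed. Loosening the policy (for example `Policy(allow_privileged=True)`) is an explicit choice recorded in code, which is what "use policies to gate what can be deployed" asks for.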
9. API MANAGEMENT
Container platform & application APIs
● Authentication and authorization
● LDAP integration
● End-point access controls
● Rate limiting
10. FEDERATED CLUSTERS (coming): ROLES & ACCESS MANAGEMENT
Securing federated clusters across data centers or environments
● Authentication and authorization
● API endpoints
● Secrets
● Namespaces
Diagram: a federation control plane ("Ubernetes": API, replication controller, state) sits above several Kubernetes clusters, each with its own API, replication controller, and state.
Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016
THE SECURITY ECOSYSTEM
For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as
● Identity and Access Management / Privileged Access Management
● External Certificate Authorities
● External Vaults / Key Management solutions
● Container content scanners & vulnerability management tools
● Container runtime analysis tools
● Security Information and Event Management (SIEM)
BRINGING IT ALL TOGETHER
Stack, top to bottom:
● Container workloads: Container Business Automation, Container Integration, Container Data & Storage, Container Web & Mobile
● OpenShift Application Lifecycle Management (CI/CD): Build Automation, Deployment Automation
● Service Catalog (Language Runtimes, Middleware, Databases): Self-Service
● Infrastructure Automation & Cockpit: Networking, Storage, Registry, Logs & Metrics, Security
● Container Orchestration & Cluster Management (Kubernetes)
● Container Runtime & Packaging (Docker)
● Enterprise Container Host: Red Hat Enterprise Linux / Atomic Host
● Physical, Virtual, Private cloud, Public cloud
THANK YOU
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 

Ten layers of container security for CloudCamp Nov 2017

  • 1. TEN LAYERS OF CONTAINER SECURITY. Gordon Haff, Technology Evangelist, Red Hat. CloudCamp, South San Francisco: Nov. 2017. @ghaff
  • 2. WHO AM I?
    ● Evangelist for emerging technologies and practices at Red Hat
    ● Co-author of From Pots and Vats to Programs and Apps (download for free at https://goo.gl/FSfgky)
    ● Former IT industry analyst
    ● Former big system guy
    ● Website: http://www.bitmasons.com
  • 3. MANAGED RISK (word cloud): Reuse, Automation, Microservices, Immutability, Pervasive access, Speed, Rapid tech churn, Flexible deploys, Containers, Software-defined, Dev, Ops
  • 4. WHAT ARE CONTAINERS? It depends on who you ask...
    INFRASTRUCTURE view:
    ● Sandboxed application processes on a shared Linux OS kernel
    ● Simpler, lighter, and denser than virtual machines
    ● Portable across different environments
    APPLICATIONS view:
    ● Package my application and all of its dependencies
    ● Deploy to any environment in seconds and enable CI/CD
    ● Easily access and share containerized components
  • 5. THE COMMUNITY LANDSCAPE: Open source, Leadership, and Standards. The landscape is made up of committees, standards bodies, and open source projects:
    ● Docker/Moby
    ● Kubernetes/OpenShift
    ● OCI Specifications
    ● Cloud Native Technical Leadership
  • 6. SECURING CONTAINERS: LAYERS, LIFECYCLE, AND AUTOMATION
    1. Container Host
    2. Container Content
    3. Container Registries
    4. Building Containers
    5. Deploying Containers
    6. Container Platform
    7. Network Isolation
    8. Storage
    9. API Management
    10. Federated Clusters
  • 7. (Layer 1) CONTAINER HOST & MULTI-TENANCY: THE OS MATTERS. A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel. THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS: SELinux, Kernel namespaces, Cgroups, Seccomp, R/O Mounts
  • 8. (Layer 1) SELINUX - MAC - MCS
    ● SELinux is a LABELING system
    ● Every process has a label
    ● Every file, directory, and system object has a label
    ● Policy rules control access between labeled processes and labeled objects
    ● The kernel enforces the rules
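The labeling rule on slide 8 is what gives two containers running under the same SELinux type (container_t) separate sandboxes: each container receives its own pair of MCS categories, and the kernel lets a process touch an object only if the type pair is allowed by policy and the process's categories dominate the object's. The Python below is an added model of that comparison, not Red Hat's or the kernel's code. The type table is a one-row assumption (the real policy has thousands of rules), and the labels are constructed in the shape podman/docker assign; the comments note how the `:z` (shared) and `:Z` (private) volume relabel options map onto it.

```python
"""Toy model of SELinux type enforcement plus MCS, as used for container isolation.

Added example, not production code. A context is user:role:type:level, where the
level is a sensitivity (s0 for MCS) optionally followed by a category set, e.g.
system_u:system_r:container_t:s0:c123,c456.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Context:
    user: str
    role: str
    type: str
    sensitivity: str
    categories: frozenset[int]


def parse_context(label: str) -> Context:
    """Parse 'user:role:type:sN[:cA,cB,...]'; category ranges like c0.c1023 are expanded."""
    parts = label.split(":")
    if len(parts) not in (4, 5):
        raise ValueError(f"malformed SELinux context: {label!r}")
    user, role, typ, sens = parts[:4]
    cats: set[int] = set()
    if len(parts) == 5:
        for item in parts[4].split(","):
            if "." in item:  # range form, e.g. c0.c1023 on an unconfined shell
                lo, hi = item.split(".")
                cats.update(range(int(lo[1:]), int(hi[1:]) + 1))
            else:
                cats.add(int(item[1:]))
    return Context(user, role, typ, sens, frozenset(cats))


# Assumed, drastically simplified type-enforcement table: (process type, object type)
# pairs the policy allows. Only the pair containers rely on is listed.
ALLOWED_TYPES = {("container_t", "container_file_t")}


def may_access(process: Context, obj: Context) -> bool:
    """Kernel-style decision: type rule first, then MCS dominance.

    MCS dominance means the process's category set must be a superset of the
    object's. An object with no categories (a volume mounted with :z) is therefore
    reachable by every container_t process; one labeled with a container's own
    pair (mounted with :Z) is private to that container.
    """
    if (process.type, obj.type) not in ALLOWED_TYPES:
        return False
    return obj.categories <= process.categories


def demo() -> dict[str, bool]:
    """Constructed labels for two containers, their private files, a shared volume and a host file."""
    a = parse_context("system_u:system_r:container_t:s0:c123,c456")
    b = parse_context("system_u:system_r:container_t:s0:c789,c1000")
    a_files = parse_context("system_u:object_r:container_file_t:s0:c123,c456")
    b_files = parse_context("system_u:object_r:container_file_t:s0:c789,c1000")
    shared = parse_context("system_u:object_r:container_file_t:s0")   # :z volume
    shadow = parse_context("system_u:object_r:shadow_t:s0")           # host /etc/shadow
    return {
        "a_own_files": may_access(a, a_files),      # same categories
        "a_to_b_files": may_access(a, b_files),     # denied: MCS categories differ
        "b_to_a_files": may_access(b, a_files),     # denied: MCS categories differ
        "a_shared_volume": may_access(a, shared),   # allowed: empty category set
        "b_shared_volume": may_access(b, shared),
        "a_host_shadow": may_access(a, shadow),     # denied by the type rule, not MCS
    }


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:18} {'allowed' if allowed else 'denied'}")
```

The last case matters in practice: the host's `/etc/shadow` carries no categories, so MCS alone would let a container read it; it is the type rule (container_t has no access to shadow_t) that blocks it. Both checks have to hold, which is why running a container with `--security-opt label=disable` removes more than the per-container separation.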
  • 9. (Layer 1) Cgroups - Resource Isolation: CPU, Memory, Network, Storage / IO, divided into a Container 1 slice and a Container 2 slice
  • 10. (Layer 1) SECCOMP - REMOVE PRIVILEGES FROM CONTAINERS. Most privileges are not needed to run most applications. For example: CAP_SETPCAP, CAP_SYS_MODULE, CAP_SYS_RAWIO, CAP_SYS_PACCT, CAP_SYS_NICE, CAP_SYS_RESOURCE, CAP_SYS_TIME, CAP_SYS_TTY_CONFIG, CAP_AUDIT_WRITE, CAP_AUDIT_CONTROL, ...
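One caveat on slide 10: the items it lists are Linux capabilities, which a runtime drops with `--cap-drop` (or keeps with `--cap-add`); seccomp is the sibling mechanism that filters system calls, and both show up in `/proc/<pid>/status`. The added Python below, not code from the slides, decodes the `Cap*` bitmasks from that file and reports which of the slide's examples are still present, plus whether a seccomp filter is loaded (`Seccomp: 2`). The capability numbering is the kernel's; the status text is constructed, and its mask is the well-known 14-capability default that Docker grants a container (verify against your own runtime version). Note that the default set still includes CAP_SETPCAP and CAP_AUDIT_WRITE, two of the capabilities the slide says most applications do not need.

```python
"""Decode Linux capability masks from /proc/<pid>/status and flag risky ones.

Added example. Capability numbers follow include/uapi/linux/capability.h;
bits beyond the table are reported as CAP_<n> so newer kernels do not break it.
"""
from __future__ import annotations

CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The slide's examples plus a few this example's author adds (assumed list):
# any of these in an application container's effective set deserves a question.
HIGH_RISK = {
    "CAP_SETPCAP", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_PACCT",
    "CAP_SYS_NICE", "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL",
    "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_DAC_READ_SEARCH",
}

# Constructed sample in the real /proc/<pid>/status format; the mask is
# Docker's default capability set, and Seccomp: 2 means a filter is active.
CONSTRUCTED_STATUS = (
    "Name:\tnginx\n"
    "Pid:\t1\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
    "CapBnd:\t00000000a80425fb\n"
    "CapAmb:\t0000000000000000\n"
    "NoNewPrivs:\t1\n"
    "Seccomp:\t2\n"
)


def decode_caps(hexmask: str) -> list[str]:
    """Turn a hex mask such as '00000000a80425fb' into capability names, lowest bit first."""
    mask = int(hexmask, 16)
    names: list[str] = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}")
        bit += 1
    return names


def parse_status(text: str) -> dict[str, list[str]]:
    """Return {CapInh, CapPrm, CapEff, CapBnd, CapAmb} -> decoded names."""
    caps: dict[str, list[str]] = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap"):
            caps[key] = decode_caps(value.strip())
    return caps


def seccomp_mode(text: str) -> int:
    """0 = disabled, 1 = strict, 2 = filter; -1 if the field is absent."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key == "Seccomp":
            return int(value.strip())
    return -1


def audit(text: str) -> dict:
    """Summarize a status file: effective caps, the risky subset, and seccomp state."""
    effective = set(parse_status(text).get("CapEff", []))
    return {
        "effective": sorted(effective),
        "high_risk_present": sorted(effective & HIGH_RISK),
        "seccomp_filtering": seccomp_mode(text) == 2,
    }


if __name__ == "__main__":
    report = audit(CONSTRUCTED_STATUS)
    print(f"{len(report['effective'])} effective capabilities")
    print("high risk:", ", ".join(report["high_risk_present"]) or "none")
    print("seccomp filter active:", report["seccomp_filtering"])
```

Run it against a real container with `cat /proc/1/status` from inside the container as input. The practical target is a mask of zero or a single bit (for example `0000000000000400`, CAP_NET_BIND_SERVICE only), which is what `--cap-drop=ALL --cap-add=NET_BIND_SERVICE` produces.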
  • 11. (Layer 2) CONTENT: USE TRUSTED SOURCES
    ● Are there known vulnerabilities in the application layer?
    ● Are the runtime and OS layers up to date?
    ● How frequently will the container be updated and how will I know when it’s updated?
  • 12. (Layer 3) PRIVATE REGISTRIES: SECURE ACCESS TO IMAGES. Image governance and private registries (image layer diagram: HOST OS, CONTAINER OS, RUNTIME, APP)
    ● What security meta-data is available for your images?
    ● Are the images in the registry updated regularly?
    ● Are there processes to maintain currency?
    ● Are there access controls on the registry? How strong are they?
  • 13. (Layer 4) MANAGING CONTAINER BUILDS. Security & continuous integration (roles: Operations, Architects, Application developers)
    ● Layered packaging model supports separation of concerns
    ● Integrate security testing into your build / CI process
    ● Use automated policies to flag builds with issues
    ● Trigger automated rebuilds
  • 14. (Layer 5) MANAGING CONTAINER DEPLOYMENT. Security & continuous deployment
    ● Monitor image registry to automatically replace affected images
    ● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
  • 15. (Layer 6) SECURING THE CONTAINER PLATFORM. Use a container orchestration platform with integrated security features including
    ● Role-based Access Controls with LDAP and OAuth2 integration
    ● Platform multitenant security
    ● Image signing (3.6)
    ● Secrets management
    ● Enable integration with the security ecosystem
  • 16. (Layer 6) SECURING THE CONTAINER PLATFORM: MONITORING, ALERTS, AND METRICS
    ● Log (most) things
    ● Alarm few things
    ● Establish relevant metrics
    ● Root cause analysis (reactive)
    ● Detect patterns/trends (proactive)
    ● Context and distributions matter
    ● Incentives drive behavior
  • 17. (Layer 7) NETWORK DEFENSE. Use network namespaces to
    ● Isolate applications from other applications within a cluster
    ● Isolate environments (Dev / Test / Prod) from other environments within a cluster
  • 18. (Layer 8) ATTACHED STORAGE. Secure storage by using
    ● SELinux access controls
    ● Secure mounts
    ● Supplemental group IDs for shared storage
  • 19. (Layer 8) STORAGE ISOLATION. SCC access layer, starting from "Create app with storage":
    ● supplementalGroups: check for UID/GID for access to shared storage?
    ● fsGroup: is the pod’s "file system group" ID correct for the block storage?
    ● seLinuxOptions: is the seLinuxContext user, role, type set, and is this user allowed to mount it?
    ● runAsUser: what is the RunAsUser or MustRunAsRange?
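Slides 14 and 19 describe the same control from two sides: a deployment gate that rejects a pod needing root, and the SCC questions (supplementalGroups, fsGroup, seLinuxOptions, runAsUser) asked of a pod that wants storage. The Python below is an added example of such a validating gate, written for this page rather than taken from OpenShift's SCC code, and it is deliberately strict: it rejects rather than mutates. The policy constants are assumptions shaped like a MustRunAsRange SCC (OpenShift allocates each project a UID/GID block and an MCS level; the numbers here are made up), and both pod specs are constructed. It checks the four SCC fields from slide 19, the "requires root" rule from slide 14, and three further things a practitioner would add: `privileged`, added capabilities, and `hostPath` volumes.

```python
"""Strict admission-style gate for a pod spec (added example, not OpenShift's SCC code)."""
from __future__ import annotations

# Assumed project policy. In OpenShift the ranges come from the namespace
# annotations openshift.io/sa.scc.uid-range and openshift.io/sa.scc.supplemental-groups,
# and the level from openshift.io/sa.scc.mcs; these values are invented.
POLICY = {
    "uid_range": (1000000000, 1000009999),
    "gid_range": (1000000000, 1000009999),
    "selinux_level": "s0:c26,c5",
    "allowed_caps": set(),        # nothing may be added on top of the runtime default
    "allow_privileged": False,
    "allow_host_path": False,
}


def _in_range(value: int, rng: tuple[int, int]) -> bool:
    return rng[0] <= value <= rng[1]


def validate_pod(pod: dict, policy: dict = POLICY) -> list[str]:
    """Return every policy violation found; an empty list means the pod may be deployed."""
    problems: list[str] = []
    spec = pod.get("spec", {})
    psc = spec.get("securityContext") or {}          # pod-level securityContext

    # fsGroup: the GID stamped onto block storage must come from the project range.
    fs_group = psc.get("fsGroup")
    if fs_group is not None and not _in_range(fs_group, policy["gid_range"]):
        problems.append(f"fsGroup {fs_group} outside project GID range")

    # supplementalGroups: GIDs used to reach shared (NFS-style) storage.
    bad_sup = [g for g in psc.get("supplementalGroups", []) if not _in_range(g, policy["gid_range"])]
    if bad_sup:
        problems.append(f"supplementalGroups {bad_sup} outside project GID range")

    # seLinuxOptions: a pod may not pick another project's MCS level.
    level = (psc.get("seLinuxOptions") or {}).get("level")
    if level is not None and level != policy["selinux_level"]:
        problems.append(f"seLinuxOptions.level {level!r} does not match project level")

    for vol in spec.get("volumes", []):
        if "hostPath" in vol and not policy["allow_host_path"]:
            problems.append(f"volume {vol['name']!r} uses hostPath {vol['hostPath'].get('path')!r}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c["name"]
        csc = c.get("securityContext") or {}
        uid = csc.get("runAsUser", psc.get("runAsUser"))
        non_root = csc.get("runAsNonRoot", psc.get("runAsNonRoot", False))
        # runAsUser: the slide-14 rule, then MustRunAsRange.
        if uid == 0:
            problems.append(f"container {name!r} requires root (runAsUser 0)")
        elif uid is None and not non_root:
            problems.append(f"container {name!r} sets neither runAsUser nor runAsNonRoot; the image USER would decide")
        elif uid is not None and not _in_range(uid, policy["uid_range"]):
            problems.append(f"container {name!r} runAsUser {uid} outside project UID range")
        if csc.get("privileged") and not policy["allow_privileged"]:
            problems.append(f"container {name!r} is privileged")
        if csc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name!r} does not set allowPrivilegeEscalation: false")
        extra = set((csc.get("capabilities") or {}).get("add", [])) - policy["allowed_caps"]
        if extra:
            problems.append(f"container {name!r} adds capabilities {sorted(extra)}")
    return problems


# Constructed specs: one that should pass, one that should be refused.
GOOD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "shop-prod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "fsGroup": 1000000000,
                            "supplementalGroups": [1000000001],
                            "seLinuxOptions": {"level": "s0:c26,c5"}},
        "containers": [{"name": "web", "image": "registry.example.com/shop/web:1.4.2",
                        "securityContext": {"runAsUser": 1000000005,
                                            "allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"]}},
                        "volumeMounts": [{"name": "data", "mountPath": "/data"}]}],
        "volumes": [{"name": "data", "persistentVolumeClaim": {"claimName": "web-data"}}],
    },
}

BAD_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "agent", "namespace": "shop-prod"},
    "spec": {
        "securityContext": {"fsGroup": 0, "supplementalGroups": [0, 1000000002]},
        "containers": [
            {"name": "agent", "image": "registry.example.com/ops/agent:latest",
             "securityContext": {"runAsUser": 0, "privileged": True,
                                 "capabilities": {"add": ["SYS_ADMIN"]}}},
            {"name": "sidecar", "image": "registry.example.com/ops/sidecar:2.0"},
        ],
        "volumes": [{"name": "docker", "hostPath": {"path": "/var/run/docker.sock"}}],
    },
}

if __name__ == "__main__":
    for pod in (GOOD_POD, BAD_POD):
        findings = validate_pod(pod)
        print(pod["metadata"]["name"], "->", "ADMIT" if not findings else "DENY")
        for f in findings:
            print("  -", f)
```

The second container in BAD_POD is the interesting one: it declares nothing dangerous, but with no `runAsUser` and no `runAsNonRoot` the UID comes from the image's `USER` line, so a gate that only looks for `runAsUser: 0` would let an image built as root through.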
  • 20. (Layer 9) API MANAGEMENT. Container platform & application APIs
    ● Authentication and authorization
    ● LDAP integration
    ● End-point access controls
    ● Rate limiting
  • 21. (Layer 10) FEDERATED CLUSTERS (coming): ROLES & ACCESS MANAGEMENT. Securing federated clusters across data centers or environments
    ● Authentication and authorization
    ● API endpoints
    ● Secrets
    ● Namespaces
    Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016
  • 22. (Layer 10) FEDERATED CLUSTERS (coming): ROLES & ACCESS MANAGEMENT (diagram, same source as slide 21): a federation control plane ("Ubernetes": API, Repl Ctrl, state) in front of two Kubernetes clusters, each with its own API, Repl Ctrl and state
  • 23. THE SECURITY ECOSYSTEM. For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as
    ● Identity and Access Management / Privileged Access Management
    ● External Certificate Authorities
    ● External Vaults / Key Management solutions
    ● Container content scanners & vulnerability management tools
    ● Container runtime analysis tools
    ● Security Information and Event Monitoring (SIEM)
  • 24. BRINGING IT ALL TOGETHER (OpenShift stack diagram, top to bottom):
    ● Workloads: Container Business Automation, Container Integration, Container Data & Storage, Container Web & Mobile
    ● OpenShift: Application Lifecycle Management (CI/CD); Build Automation; Deployment Automation; Service Catalog (Language Runtimes, Middleware, Databases); Self-Service
    ● Infrastructure Automation & Cockpit: Networking, Storage, Registry, Logs & Metrics, Security
    ● Container Orchestration & Cluster Management (kubernetes)
    ● Container Runtime & Packaging (Docker)
    ● Enterprise Container Host: Red Hat Enterprise Linux / Atomic Host
    ● Physical, Virtual, Private cloud, Public cloud