Ten layers of container security for CloudCamp Nov 2017
1. TEN LAYERS OF CONTAINER SECURITY
Gordon Haff
Technology Evangelist, Red Hat
CloudCamp, South San Francisco: Nov. 2017
@ghaff
2. WHO AM I?
● Evangelist for emerging technologies and practices at Red Hat
● Co-author of From Pots and Vats to Programs and Apps (download for free at https://goo.gl/FSfgky)
● Former IT industry analyst
● Former big system guy
● Website: http://www.bitmasons.com
4. It depends on who you ask...
WHAT ARE CONTAINERS?
INFRASTRUCTURE
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
APPLICATIONS
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
5. Open source, Leadership, and Standards
THE COMMUNITY LANDSCAPE
The landscape is made up of committees, standards bodies, and open source projects:
● Docker/Moby
● Kubernetes/OpenShift
● OCI Specifications
● Cloud Native Technical Leadership
7. CONTAINER HOST & MULTI-TENANCY (layer 1)
THE OS MATTERS
A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel.
THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS
● SELinux
● Kernel namespaces
● Cgroups
● Seccomp
● R/O Mounts
8. SELINUX - MAC - MCS (layer 1)
● SELinux is a LABELING system
● Every process has a label
● Every file, directory, and system object has a label
● Policy rules control access between labeled processes and labeled objects
● The kernel enforces the rules
10. SECCOMP - REMOVE PRIVILEGES FROM CONTAINERS (layer 1)
Most privileges are not needed to run most applications. For example,
CAP_SETPCAP
CAP_SYS_MODULE
CAP_SYS_RAWIO
CAP_SYS_PACCT
CAP_SYS_NICE
CAP_SYS_RESOURCE
CAP_SYS_TIME
CAP_SYS_TTY_CONFIG
CAP_AUDIT_WRITE
CAP_AUDIT_CONTROL
….
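A way to check which of the capabilities listed above a running container process still holds, as an added example that is not part of the original slides. It decodes the `CapEff` bitmask from `/proc/<pid>/status`; the bit numbers come from `<linux/capability.h>`, and the function names and sample status text are constructed for illustration.

```python
# Capabilities named on the slide, mapped to their kernel bit numbers.
SLIDE_CAPS = {
    "CAP_SETPCAP": 8, "CAP_SYS_MODULE": 16, "CAP_SYS_RAWIO": 17,
    "CAP_SYS_PACCT": 20, "CAP_SYS_NICE": 23, "CAP_SYS_RESOURCE": 24,
    "CAP_SYS_TIME": 25, "CAP_SYS_TTY_CONFIG": 26,
    "CAP_AUDIT_WRITE": 29, "CAP_AUDIT_CONTROL": 30,
}


def parse_cap_eff(status_text):
    """Return the effective-capability bitmask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def held_slide_caps(status_text):
    """Names of the slide's capabilities that are set in CapEff, sorted."""
    mask = parse_cap_eff(status_text)
    return sorted(name for name, bit in SLIDE_CAPS.items() if (mask >> bit) & 1)


# Constructed samples (not captured from a real host).
# A mask resembling a container runtime's default capability set:
SAMPLE_DEFAULT = "Name:\tnginx\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
# A mask with every capability bit set, as a fully privileged process has:
SAMPLE_PRIVILEGED = "Name:\tagent\nCapEff:\t0000003fffffffff\n"
# A mask with only bit 10 (CAP_NET_BIND_SERVICE) left after dropping the rest:
SAMPLE_DROPPED = "Name:\tweb\nCapEff:\t0000000000000400\n"

if __name__ == "__main__":
    for label, text in [("default", SAMPLE_DEFAULT),
                        ("privileged", SAMPLE_PRIVILEGED),
                        ("dropped", SAMPLE_DROPPED)]:
        print(label, held_slide_caps(text))
    # On a Linux host, the same check against the current process:
    # print(held_slide_caps(open("/proc/self/status").read()))
```
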
11. CONTENT: USE TRUSTED SOURCES (layer 2)
● Are there known vulnerabilities in the application layer?
● Are the runtime and OS layers up to date?
● How frequently will the container be updated and how will I know when it’s updated?
12. PRIVATE REGISTRIES: SECURE ACCESS TO IMAGES (layer 3)
Image governance and private registries
● What security meta-data is available for your images?
● Are the images in the registry updated regularly?
● Are there processes to maintain currency?
● Are there access controls on the registry? How strong are they?
[Diagram labels: HOST OS, CONTAINER, OS, RUNTIME, APP]
13. MANAGING CONTAINER BUILDS (layer 4)
Security & continuous integration
● Layered packaging model supports separation of concerns
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Trigger automated rebuilds
[Diagram labels: Operations, Architects, Application developers]
14. MANAGING CONTAINER DEPLOYMENT (layer 5)
Security & continuous deployment
● Monitor image registry to automatically replace affected images
● Use policies to gate what can be deployed: e.g. if a container requires root access, prevent deployment
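The deployment gate described on this slide, sketched as an added example that is not part of the original deck. It inspects the `securityContext` fields of a Kubernetes pod manifest (already parsed into a dict) and returns the reasons to refuse it; the function name `gate`, the image names and the sample manifests are constructed for illustration.

```python
def gate(pod):
    """Return reasons to refuse deployment; an empty list means allow."""
    reasons = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    for ctr in containers:
        name = ctr.get("name", "?")
        sc = ctr.get("securityContext") or {}
        # Container-level settings override the pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if sc.get("privileged"):
            reasons.append(f"{name}: privileged container")
        if uid == 0:
            reasons.append(f"{name}: runAsUser is 0 (root)")
        elif uid is None and not non_root:
            # Nothing pins the UID, so the image's own USER decides.
            reasons.append(f"{name}: UID unset and runAsNonRoot not enforced")
    return reasons


# Constructed manifests (not from the slides).
POD_OK = {"spec": {
    "securityContext": {"runAsUser": 1001, "runAsNonRoot": True},
    "containers": [{"name": "web", "image": "registry.example.com/web:1.0"}],
}}
POD_ROOT = {"spec": {
    "securityContext": {"runAsUser": 1000},
    "containers": [
        {"name": "db", "image": "registry.example.com/db:1.0",
         "securityContext": {"runAsUser": 0}},
        {"name": "sidecar", "image": "registry.example.com/agent:1.0",
         "securityContext": {"privileged": True}},
    ],
}}
POD_UNSET = {"spec": {
    "containers": [{"name": "job", "image": "registry.example.com/job:1.0"}],
}}

if __name__ == "__main__":
    for label, pod in [("ok", POD_OK), ("root", POD_ROOT), ("unset", POD_UNSET)]:
        findings = gate(pod)
        print(label, "DENY" if findings else "ALLOW", findings)
```
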
15. SECURING THE CONTAINER PLATFORM (layer 6)
Use a container orchestration platform with integrated security features including
● Role-based Access Controls with LDAP and OAuth2 integration
● Platform multitenant security
● Image signing (3.6)
● Secrets management
● Enable integration with the security ecosystem
16. SECURING THE CONTAINER PLATFORM: MONITORING, ALERTS, AND METRICS (layer 6)
● Log (most) things
● Alarm few things
● Establish relevant metrics
● Root cause analysis (reactive)
● Detect patterns/trends (proactive)
● Context and distributions matter
● Incentives drive behavior
17. NETWORK DEFENSE (layer 7)
Use network namespaces to
● Isolate applications from other applications within a cluster
● Isolate environments (Dev / Test / Prod) from other environments within a cluster
18. ATTACHED STORAGE (layer 8)
Secure storage by using
● SELinux access controls
● Secure mounts
● Supplemental group IDs for shared storage
19. STORAGE ISOLATION (layer 8)
Create app with storage
SCC access layer: supplementalGroups, fsGroup, runAsUser, seLinuxOption
● Check for UID/GID for access to shared storage?
● Is the pod’s "file system group" ID correct for the block storage?
● Is the seLinuxContext user, role, type set and is this user allowed to mount it?
● What is the RunAsUser or MustRunAsRange?
21. FEDERATED CLUSTERS (coming): ROLES & ACCESS MANAGEMENT (layer 10)
Securing federated clusters across data centers or environments
● Authentication and authorization
● API endpoints
● Secrets
● Namespaces
Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016
22. FEDERATED CLUSTERS (coming): ROLES & ACCESS MANAGEMENT (layer 10)
Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016
[Diagram labels: Ubernetes and two Kubernetes Clusters, each with API, Repl Ctrl and state]
23. THE SECURITY ECOSYSTEM
For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as
● Identity and Access management / Privileged Access Management
● External Certificate Authorities
● External Vaults / Key Management solutions
● Container content scanners & vulnerability management tools
● Container runtime analysis tools
● Security Information and Event Monitoring (SIEM)
24. BRINGING IT ALL TOGETHER
[Diagram labels]
● Containers: Business Automation, Integration, Data & Storage, Web & Mobile
● OpenShift Application Lifecycle Management (CI/CD): Build Automation, Deployment Automation
● Service Catalog (Language Runtimes, Middleware, Databases)
● Self-Service
● Infrastructure Automation & Cockpit
● Networking, Storage, Registry, Logs & Metrics, Security
● Container Orchestration & Cluster Management (kubernetes)
● Container Runtime & Packaging (Docker)
● Enterprise Container Host: Red Hat Enterprise Linux, Atomic Host
● Physical, Virtual, Private cloud, Public cloud