Container security

быть безопасными? Могут ли контейнеры hayorov Alex Khaerov

@hayorov @hayorov Привет ✋

@hayorov Alex Khaerov company who I am Development Lead @hayorov

@hayorov Alex Khaerov company who I am Development Lead doing
software development in the recent decade junior speaker - Python, Kubernetes committee member (Moscow Python, Helm Summit) a huge fan of laptop stickers and a cyclist @hayorov

@hayorov Chainstack multi-cloud and multi-blockchain platform as a service based
in Singapore # and hiring Alex Khaerov company who I am Development Lead doing software development in the recent decade junior speaker - Python, Kubernetes committee member (Moscow Python, Helm Summit) a huge fan of laptop stickers and a cyclist @hayorov

@hayorov

@hayorov I am NOT

@hayorov I am NOT - Linux kernel developer; - Security
researcher; - DevSecOps.

@hayorov I am NOT - Linux kernel developer; - Security
researcher; - DevSecOps. I am a typical customer of containers.

@hayorov My Cluster Company A Container Company B Container Company
C Container

@hayorov My Cluster Company A Container Company B Container Company
C Container Container

@hayorov

@hayorov cs-gcp-apac-1

@hayorov cs-gcp-apac-1 Company A S P

@hayorov cs-gcp-apac-1 Company A S P Company B S P
Company C S P

@hayorov cs-gcp-apac-1 Company A S P hub.docker.com I I I
Company B S P Company C S P

from anywhere Ext Ext Ext Company B S P Company C S P

from anywhere Ext Ext Ext Company B S P Company C S P Ext

from anywhere Ext Ext Ext Company B S P Company C S P Ext Ext

from anywhere Ext Ext Ext Company B S P Company C S P Ext Ext S

from anywhere Ext Ext Ext Company B S P Company C S P Ext P Ext S

@hayorov KEEP CALM https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/

@hayorov KEEP CALM https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/ 2019-02-11 CVE-2019-5736 Breaking out of Docker
via runC Score 9.3

@hayorov KEEP CALM https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/ 2019-02-11 CVE-2019-5736 Breaking out of Docker
via runC Score 9.3 2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

@hayorov KEEP CALM https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/ ... allows a malicious container to
(with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root ... 2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3 2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

(with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root ... affected: Debian, Docker, Debian, Red Hat, Ubuntu, AWS, GCP, Azure … 2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3 2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

(with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root ... affected: Debian, Docker, Debian, Red Hat, Ubuntu, AWS, GCP, Azure … 2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3 ...for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0. 2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

(with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command ... as root ... affected: Debian, Docker, Debian, Red Hat, Ubuntu, AWS, GCP, Azure … 2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3 ...for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on container restart, or if the image was previously pulled to the node. If the pod specified mustRunAsNonRoot: true, the kubelet will refuse to start the container as root. If the pod did not specify mustRunAsNonRoot: true, the kubelet will run the container as uid 0. affected: kubernetes v1.13.6 and v1.14.2 2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

@hayorov The History

@hayorov The History 1970s Unix v7, chroot

@hayorov The History 1970s Unix v7, chroot 2000 FreeBSD, Jails

2004 Solaris, Zones

2004 Solaris, Zones 2005 Open VZ

2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups

@hayorov The History 2008 namespaces, LXC 1970s Unix v7, chroot
2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups

2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups 2013 Docker

@hayorov

@hayorov Hardware dockerd

@hayorov Hardware runC shim containerd dockerd

@hayorov Hardware cgroups namespaces capabilities AppArmor SELinux seccomp FS Hardware
Linux Kernel runC shim containerd dockerd

Linux Kernel runC shim containerd dockerd namespaces provide a layer of isolation  PID for managing network interfaces. IPC for managing access to IPC resources. MNT for managing filesystem mount points. UTS for isolating kernel and version identifiers.

Linux Kernel runC shim containerd dockerd namespaces provide a layer of isolation  PID for managing network interfaces. IPC for managing access to IPC resources. MNT for managing filesystem mount points. UTS for isolating kernel and version identifiers. cgroups share available hardware resources to containers    Memory CPU Block IO Devices Network

Linux Kernel runC shim containerd dockerd namespaces provide a layer of isolation  PID for managing network interfaces. IPC for managing access to IPC resources. MNT for managing filesystem mount points. UTS for isolating kernel and version identifiers. cgroups share available hardware resources to containers    Memory CPU Block IO Devices Network AppArmor  allows to restrict programs capabilities   with per-program profiles.  seccomp used for filtering syscalls   issued by a program.  capabilties  for performing permission checks

2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups 2013 Docker

2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups 2013 Docker 2015 OCI, runC

2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups 2013 Docker 2015 OCI, runC 2016 CRI-O

2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups 2013 Docker 2015 OCI, runC 2016 CRI-O 2016 rkt

2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups 2013 Docker 2015 OCI, runC 2017 Kata Containers 2016 CRI-O 2016 rkt

2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups 2013 Docker 2015 OCI, runC 2017 Kata Containers 2018 gVisor 2016 CRI-O 2016 rkt

2000 FreeBSD, Jails 2004 Solaris, Zones 2005 Open VZ 2006 Linux cgroups 2013 Docker 2015 OCI, runC 2017 Kata Containers 2018 gVisor 2016 CRI-O 2018 Firecracker 2016 rkt

@hayorov VMs vs Containers * Only Type II VMM needs
to run on operating system.

@hayorov Attacks via the Kernel Kernel Container Node host

@hayorov Attacks via the Kernel Kernel Container Node host Escape!

@hayorov Isolation ≠ Secure Attacks via the Kernel Kernel Container
Node host Escape!

@hayorov We want it all … secured zero conﬁg lightweight

@hayorov gVisor Sandbox for Containers Independent user space kernel Container
gVisor Kernel Independent user Hardware Limited System Calls System Calls Strong Isolation

@hayorov Architecture

@hayorov Architecture OCI

@hayorov Architecture runsc OCI

@hayorov Architecture runsc OCI runtime powered by gVisor OCI

@hayorov Sandbox Architecture runsc OCI runtime powered by gVisor OCI

@hayorov Sandbox Architecture Container Sentry (emulated Linux Kernel) runsc OCI
runtime powered by gVisor OCI

@hayorov Sandbox Architecture Container Sentry (emulated Linux Kernel) runsc User
Kernel OCI runtime powered by gVisor OCI

@hayorov Sandbox Architecture Container Sentry (emulated Linux Kernel) KVM seccomp
+ ns Host Linux Kernel runsc User Kernel OCI runtime powered by gVisor OCI

@hayorov Sandbox Architecture Container Sentry (emulated Linux Kernel) KVM seccomp
+ ns Host Linux Kernel runsc User Kernel Gofer 9P OCI runtime powered by gVisor OCI

@hayorov How to start • Locally (macOS Docker)

@hayorov How to start • Locally (macOS Docker) $ wget
https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc

https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc $ cat ~/.docker/daemon.json (taskbar > Preferences > Daemon > Advanced)

https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc "default-runtime": "runc", "runtimes": { "runsc": { "path": “/usr/allexx/foo/runsc“ } } $ cat ~/.docker/daemon.json (taskbar > Preferences > Daemon > Advanced)

https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc "default-runtime": "runc", "runtimes": { "runsc": { "path": “/usr/allexx/foo/runsc“ } } $ docker run --rm --runtime=runsc -it alpine $ cat ~/.docker/daemon.json (taskbar > Preferences > Daemon > Advanced)

@hayorov How to start • GKE (managed Kubernetes)

@hayorov How to start • GKE (managed Kubernetes) Create a
new node pool gcloud beta container node-pools create [NODE_POOL_NAME] \ --cluster=[CLUSTER_NAME] \ --node-version=[NODE_VERSION] \ --image-type=cos_containerd \ --sandbox type=gvisor \

@hayorov How to start • GKE (managed Kubernetes) Create a
new node pool gcloud beta container node-pools create [NODE_POOL_NAME] \ --cluster=[CLUSTER_NAME] \ --node-version=[NODE_VERSION] \ --image-type=cos_containerd \ --sandbox type=gvisor \ $ kubectl get runtimeclasses NAME AGE gvisor 19s

@hayorov How to start • GKE (managed Kubernetes) https: //cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods

@hayorov How to start • GKE (managed Kubernetes) Running an
application kind: Deployment metadata: name: httpd spec: replicas: 1 selector: matchLabels: app: httpd template: metadata: labels: app: httpd spec: runtimeClassName: gvisor containers: - name: httpd image: httpd https: //cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods

@hayorov How to start • GKE (managed Kubernetes) Running an
application kind: Deployment metadata: name: httpd spec: replicas: 1 selector: matchLabels: app: httpd template: metadata: labels: app: httpd spec: runtimeClassName: gvisor containers: - name: httpd image: httpd Enable raw sockets spec: containers: - name: my-container securityContext: capabilities: add: ["NET_RAW"] https: //cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods

@hayorov Applicability and performance https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

@hayorov Applicability and performance • Of 330 syscalls, 233 syscalls
have a full or partial implementation. https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

have a full or partial implementation. elasticsearch golang java8 jenkins mariadb memcached mongo nginx node php postgres prometheus python https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

have a full or partial implementation. elasticsearch golang java8 jenkins mariadb memcached mongo nginx node php postgres prometheus python elasticsearch golang java8 jenkins mariadb memcached mongo nginx node php postgres prometheus python https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

have a full or partial implementation. • Performance     CPU (events/sec) no diﬀ Startup time (ms) no diﬀ Mem (usage, MB) 35Mb Net (rps) -50%  … small operations (I/O) impose a large overhead. elasticsearch golang java8 jenkins mariadb memcached mongo nginx node php postgres prometheus python elasticsearch golang java8 jenkins mariadb memcached mongo nginx node php postgres prometheus python https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

have a full or partial implementation. • Performance     CPU (events/sec) no diﬀ Startup time (ms) no diﬀ Mem (usage, MB) 35Mb Net (rps) -50%  … small operations (I/O) impose a large overhead. elasticsearch golang java8 jenkins mariadb memcached mongo nginx node php postgres prometheus python elasticsearch golang java8 jenkins mariadb memcached mongo nginx node php postgres prometheus python https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf • NO direct access to hardware or virtualization (no GPU)

быть безопасными? Могут ли контейнеры

@hayorov CVE-2017-1002101: Host-resolved symlinks Kernel Container Volume Volume Node host
Escape!

быть безопасными? Могут ли контейнеры скорее нет

@hayorov So Now What?

@hayorov So Now What? • Configure a security context (runAsUser
!= 0)

!= 0) • Keep your software Up-to-date (OS, runtime, Kubernetes)

!= 0) • Discover Falco to start monitoring abnormal activities of your (GKE-compatible) • Keep your software Up-to-date (OS, runtime, Kubernetes)

@hayorov So Now What? • Setup “sandboxed nodepool” with gVisor
for the riskiest workload • Configure a security context (runAsUser != 0) • Discover Falco to start monitoring abnormal activities of your (GKE-compatible) • Keep your software Up-to-date (OS, runtime, Kubernetes)

for the riskiest workload • Configure a security context (runAsUser != 0) • Discover Falco to start monitoring abnormal activities of your (GKE-compatible) • Learn about alternatives: Kata containers and Firecracker MicroVMs • Keep your software Up-to-date (OS, runtime, Kubernetes)

for the riskiest workload • Configure a security context (runAsUser != 0) • Discover Falco to start monitoring abnormal activities of your (GKE-compatible) • Learn about alternatives: Kata containers and Firecracker MicroVMs • Use dedicated instances (VMs, Bare Metal) or services in special cases • Keep your software Up-to-date (OS, runtime, Kubernetes)

Thank you questions… Alex Khaerov t.me/hayorov http://bit.ly/xxx

Container security

Container security

More Decks by Alex Khaerov

Other Decks in Programming

Featured

Transcript