Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Container security

Alex Khaerov
September 24, 2019

Container security

Alex Khaerov

September 24, 2019
Tweet

More Decks by Alex Khaerov

Other Decks in Programming

Transcript

  1. быть безопасными?
    Могут ли контейнеры
    hayorov
    Alex Khaerov

    View full-size slide

  2. @hayorov
    @hayorov
    Привет ✋

    View full-size slide

  3. @hayorov
    Alex Khaerov
    company
    who I am
    Development Lead
    @hayorov

    View full-size slide

  4. @hayorov
    Alex Khaerov
    company
    who I am
    Development Lead
    doing software development in the recent decade
    junior speaker - Python, Kubernetes
    committee member (Moscow Python, Helm Summit)
    a huge fan of laptop stickers and a cyclist
    @hayorov

    View full-size slide

  5. @hayorov
    Chainstack
    multi-cloud and multi-blockchain platform as a service
    based in Singapore # and hiring
    Alex Khaerov
    company
    who I am
    Development Lead
    doing software development in the recent decade
    junior speaker - Python, Kubernetes
    committee member (Moscow Python, Helm Summit)
    a huge fan of laptop stickers and a cyclist
    @hayorov

    View full-size slide

  6. @hayorov

    I am NOT

    View full-size slide

  7. @hayorov

    I am NOT
    - Linux kernel developer;
    - Security researcher;
    - DevSecOps.

    View full-size slide

  8. @hayorov

    I am NOT
    - Linux kernel developer;
    - Security researcher;
    - DevSecOps.
    I am a typical customer of containers.

    View full-size slide

  9. @hayorov
    My Cluster
    Company A
    Container
    Company B
    Container
    Company C
    Container

    View full-size slide

  10. @hayorov
    My Cluster
    Company A
    Container
    Company B
    Container
    Company C
    Container

    View full-size slide

  11. @hayorov
    My Cluster
    Company A
    Container
    Company B
    Container
    Company C
    Container

    View full-size slide

  12. @hayorov
    My Cluster
    Company A
    Container
    Company B
    Container
    Company C
    Container
    Container

    View full-size slide

  13. @hayorov
    My Cluster
    Company A
    Container
    Company B
    Container
    Company C
    Container
    Container

    View full-size slide

  14. @hayorov
    cs-gcp-apac-1

    View full-size slide

  15. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P

    View full-size slide

  16. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    Company B
    S
    P
    Company C
    S
    P

    View full-size slide

  17. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    Company B
    S
    P
    Company C
    S
    P

    View full-size slide

  18. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    from anywhere
    Ext Ext Ext
    Company B
    S
    P
    Company C
    S
    P

    View full-size slide

  19. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    from anywhere
    Ext Ext Ext
    Company B
    S
    P
    Company C
    S
    P

    View full-size slide

  20. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    from anywhere
    Ext Ext Ext
    Company B
    S
    P
    Company C
    S
    P
    Ext

    View full-size slide

  21. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    from anywhere
    Ext Ext Ext
    Company B
    S
    P
    Company C
    S
    P
    Ext

    View full-size slide

  22. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    from anywhere
    Ext Ext Ext
    Company B
    S
    P
    Company C
    S
    P
    Ext
    Ext

    View full-size slide

  23. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    from anywhere
    Ext Ext Ext
    Company B
    S
    P
    Company C
    S
    P
    Ext
    Ext
    S

    View full-size slide

  24. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    from anywhere
    Ext Ext Ext
    Company B
    S
    P
    Company C
    S
    P
    Ext
    P
    Ext
    S

    View full-size slide

  25. @hayorov
    cs-gcp-apac-1
    Company A
    S
    P
    hub.docker.com
    I I I
    from anywhere
    Ext Ext Ext
    Company B
    S
    P
    Company C
    S
    P
    Ext
    P
    Ext
    S

    View full-size slide

  26. @hayorov
    KEEP CALM
    https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/

    View full-size slide

  27. @hayorov
    KEEP CALM
    https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/
    2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3

    View full-size slide

  28. @hayorov
    KEEP CALM
    https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/
    2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3
    2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

    View full-size slide

  29. @hayorov
    KEEP CALM
    https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/
    ... allows a malicious container to (with minimal user interaction) overwrite
    the host runc binary and thus gain root-level code execution on the host.
    The level of user interaction is being able to run any command ... as root ...
    2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3
    2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

    View full-size slide

  30. @hayorov
    KEEP CALM
    https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/
    ... allows a malicious container to (with minimal user interaction) overwrite
    the host runc binary and thus gain root-level code execution on the host.
    The level of user interaction is being able to run any command ... as root ...
    affected: Debian, Docker, Debian, Red Hat, Ubuntu, AWS, GCP, Azure …
    2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3
    2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

    View full-size slide

  31. @hayorov
    KEEP CALM
    https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/
    ... allows a malicious container to (with minimal user interaction) overwrite
    the host runc binary and thus gain root-level code execution on the host.
    The level of user interaction is being able to run any command ... as root ...
    affected: Debian, Docker, Debian, Red Hat, Ubuntu, AWS, GCP, Azure …
    2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3
    ...for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on
    container restart, or if the image was previously pulled to the node.
    If the pod specified mustRunAsNonRoot: true, the kubelet will refuse
    to start the container as root. If the pod did not specify
    mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
    2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

    View full-size slide

  32. @hayorov
    KEEP CALM
    https://www.twistlock.com/labs-blog/breaking-docker-via-runc-explaining-cve-2019-5736/
    ... allows a malicious container to (with minimal user interaction) overwrite
    the host runc binary and thus gain root-level code execution on the host.
    The level of user interaction is being able to run any command ... as root ...
    affected: Debian, Docker, Debian, Red Hat, Ubuntu, AWS, GCP, Azure …
    2019-02-11 CVE-2019-5736 Breaking out of Docker via runC Score 9.3
    ...for pods that do not specify an explicit runAsUser attempt to run as uid 0 (root) on
    container restart, or if the image was previously pulled to the node.
    If the pod specified mustRunAsNonRoot: true, the kubelet will refuse
    to start the container as root. If the pod did not specify
    mustRunAsNonRoot: true, the kubelet will run the container as uid 0.
    affected: kubernetes v1.13.6 and v1.14.2
    2019-08-28 CVE-2019-11245 Containers attempt to run as uid 0 Score 7.8

    View full-size slide

  33. @hayorov
    The History

    View full-size slide

  34. @hayorov
    The History
    1970s
    Unix v7, chroot

    View full-size slide

  35. @hayorov
    The History
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails

    View full-size slide

  36. @hayorov
    The History
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones

    View full-size slide

  37. @hayorov
    The History
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ

    View full-size slide

  38. @hayorov
    The History
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups

    View full-size slide

  39. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups

    View full-size slide

  40. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker

    View full-size slide

  41. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker

    View full-size slide

  42. @hayorov
    Hardware
    dockerd

    View full-size slide

  43. @hayorov
    Hardware
    runC
    shim
    containerd
    dockerd

    View full-size slide

  44. @hayorov
    Hardware
    cgroups namespaces
    capabilities AppArmor SELinux seccomp
    FS
    Hardware
    Linux Kernel
    runC
    shim
    containerd
    dockerd

    View full-size slide

  45. @hayorov
    Hardware
    cgroups namespaces
    capabilities AppArmor SELinux seccomp
    FS
    Hardware
    Linux Kernel
    runC
    shim
    containerd
    dockerd

    View full-size slide

  46. @hayorov
    Hardware
    cgroups namespaces
    capabilities AppArmor SELinux seccomp
    FS
    Hardware
    Linux Kernel
    runC
    shim
    containerd
    dockerd
    namespaces
    provide a layer of isolation

    PID for managing network interfaces.
    IPC for managing access to IPC resources.
    MNT for managing filesystem mount points.
    UTS for isolating kernel and version identifiers.

    View full-size slide

  47. @hayorov
    Hardware
    cgroups namespaces
    capabilities AppArmor SELinux seccomp
    FS
    Hardware
    Linux Kernel
    runC
    shim
    containerd
    dockerd
    namespaces
    provide a layer of isolation

    PID for managing network interfaces.
    IPC for managing access to IPC resources.
    MNT for managing filesystem mount points.
    UTS for isolating kernel and version identifiers.
    cgroups
    share available hardware resources to containers


    Memory
    CPU
    Block IO
    Devices
    Network

    View full-size slide

  48. @hayorov
    Hardware
    cgroups namespaces
    capabilities AppArmor SELinux seccomp
    FS
    Hardware
    Linux Kernel
    runC
    shim
    containerd
    dockerd
    namespaces
    provide a layer of isolation

    PID for managing network interfaces.
    IPC for managing access to IPC resources.
    MNT for managing filesystem mount points.
    UTS for isolating kernel and version identifiers.
    cgroups
    share available hardware resources to containers


    Memory
    CPU
    Block IO
    Devices
    Network

    View full-size slide

  49. @hayorov
    Hardware
    cgroups namespaces
    capabilities AppArmor SELinux seccomp
    FS
    Hardware
    Linux Kernel
    runC
    shim
    containerd
    dockerd
    namespaces
    provide a layer of isolation

    PID for managing network interfaces.
    IPC for managing access to IPC resources.
    MNT for managing filesystem mount points.
    UTS for isolating kernel and version identifiers.
    cgroups
    share available hardware resources to containers


    Memory
    CPU
    Block IO
    Devices
    Network
    AppArmor

    allows to restrict programs capabilities 

    with per-program profiles.

    seccomp used for filtering syscalls 

    issued by a program.

    capabilties

    for performing permission checks

    View full-size slide

  50. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker

    View full-size slide

  51. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker
    2015
    OCI, runC

    View full-size slide

  52. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker
    2015
    OCI, runC
    2016
    CRI-O

    View full-size slide

  53. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker
    2015
    OCI, runC
    2016
    CRI-O
    2016
    rkt

    View full-size slide

  54. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker
    2015
    OCI, runC
    2016
    CRI-O
    2016
    rkt

    View full-size slide

  55. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker
    2015
    OCI, runC
    2017
    Kata Containers
    2016
    CRI-O
    2016
    rkt

    View full-size slide

  56. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker
    2015
    OCI, runC
    2017
    Kata Containers
    2018
    gVisor
    2016
    CRI-O
    2016
    rkt

    View full-size slide

  57. @hayorov
    The History
    2008
    namespaces, LXC
    1970s
    Unix v7, chroot
    2000
    FreeBSD, Jails
    2004
    Solaris, Zones
    2005
    Open VZ
    2006
    Linux cgroups
    2013
    Docker
    2015
    OCI, runC
    2017
    Kata Containers
    2018
    gVisor
    2016
    CRI-O
    2018
    Firecracker
    2016
    rkt

    View full-size slide

  58. @hayorov
    VMs vs Containers
    * Only Type II VMM needs to run on operating system.

    View full-size slide

  59. @hayorov
    Attacks via the Kernel
    Kernel
    Container
    Node host

    View full-size slide

  60. @hayorov
    Attacks via the Kernel
    Kernel
    Container
    Node host

    View full-size slide

  61. @hayorov
    Attacks via the Kernel
    Kernel
    Container
    Node host
    Escape!

    View full-size slide

  62. @hayorov
    Isolation ≠ Secure
    Attacks via the Kernel
    Kernel
    Container
    Node host
    Escape!

    View full-size slide

  63. @hayorov
    We want it all …
    secured zero config lightweight

    View full-size slide

  64. @hayorov
    gVisor
    Sandbox for
    Containers
    Independent user
    space kernel
    Container
    gVisor
    Kernel
    Independent user
    Hardware
    Limited System Calls
    System Calls
    Strong Isolation

    View full-size slide

  65. @hayorov
    Architecture

    View full-size slide

  66. @hayorov
    Architecture
    OCI

    View full-size slide

  67. @hayorov
    Architecture
    runsc
    OCI

    View full-size slide

  68. @hayorov
    Architecture
    runsc OCI runtime powered by gVisor
    OCI

    View full-size slide

  69. @hayorov
    Sandbox
    Architecture
    runsc OCI runtime powered by gVisor
    OCI

    View full-size slide

  70. @hayorov
    Sandbox
    Architecture
    Container
    Sentry
    (emulated
    Linux Kernel)
    runsc OCI runtime powered by gVisor
    OCI

    View full-size slide

  71. @hayorov
    Sandbox
    Architecture
    Container
    Sentry
    (emulated
    Linux Kernel)
    runsc
    User
    Kernel
    OCI runtime powered by gVisor
    OCI

    View full-size slide

  72. @hayorov
    Sandbox
    Architecture
    Container
    Sentry
    (emulated
    Linux Kernel)
    KVM seccomp + ns
    Host Linux Kernel
    runsc
    User
    Kernel
    OCI runtime powered by gVisor
    OCI

    View full-size slide

  73. @hayorov
    Sandbox
    Architecture
    Container
    Sentry
    (emulated
    Linux Kernel)
    KVM seccomp + ns
    Host Linux Kernel
    runsc
    User
    Kernel
    OCI runtime powered by gVisor
    OCI

    View full-size slide

  74. @hayorov
    Sandbox
    Architecture
    Container
    Sentry
    (emulated
    Linux Kernel)
    KVM seccomp + ns
    Host Linux Kernel
    runsc
    User
    Kernel
    Gofer
    9P
    OCI runtime powered by gVisor
    OCI

    View full-size slide

  75. @hayorov
    Sandbox
    Architecture
    Container
    Sentry
    (emulated
    Linux Kernel)
    KVM seccomp + ns
    Host Linux Kernel
    runsc
    User
    Kernel
    Gofer
    9P
    OCI runtime powered by gVisor
    OCI

    View full-size slide

  76. @hayorov
    How to start
    • Locally (macOS Docker)

    View full-size slide

  77. @hayorov
    How to start
    • Locally (macOS Docker)
    $ wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc

    View full-size slide

  78. @hayorov
    How to start
    • Locally (macOS Docker)
    $ wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
    $ cat ~/.docker/daemon.json (taskbar > Preferences > Daemon > Advanced)

    View full-size slide

  79. @hayorov
    How to start
    • Locally (macOS Docker)
    $ wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
    "default-runtime": "runc",
    "runtimes": {
    "runsc": {
    "path": “/usr/allexx/foo/runsc“
    }
    }
    $ cat ~/.docker/daemon.json (taskbar > Preferences > Daemon > Advanced)

    View full-size slide

  80. @hayorov
    How to start
    • Locally (macOS Docker)
    $ wget https://storage.googleapis.com/gvisor/releases/nightly/latest/runsc
    "default-runtime": "runc",
    "runtimes": {
    "runsc": {
    "path": “/usr/allexx/foo/runsc“
    }
    }
    $ docker run --rm --runtime=runsc -it alpine
    $ cat ~/.docker/daemon.json (taskbar > Preferences > Daemon > Advanced)

    View full-size slide

  81. @hayorov
    How to start
    • GKE (managed Kubernetes)

    View full-size slide

  82. @hayorov
    How to start
    • GKE (managed Kubernetes)
    Create a new node pool
    gcloud beta container node-pools create [NODE_POOL_NAME] \
    --cluster=[CLUSTER_NAME] \
    --node-version=[NODE_VERSION] \
    --image-type=cos_containerd \
    --sandbox type=gvisor \

    View full-size slide

  83. @hayorov
    How to start
    • GKE (managed Kubernetes)
    Create a new node pool
    gcloud beta container node-pools create [NODE_POOL_NAME] \
    --cluster=[CLUSTER_NAME] \
    --node-version=[NODE_VERSION] \
    --image-type=cos_containerd \
    --sandbox type=gvisor \
    $ kubectl get runtimeclasses
    NAME AGE
    gvisor 19s

    View full-size slide

  84. @hayorov
    How to start
    • GKE (managed Kubernetes)
    https: //cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods

    View full-size slide

  85. @hayorov
    How to start
    • GKE (managed Kubernetes)
    Running an application
    kind: Deployment
    metadata:
    name: httpd
    spec:
    replicas: 1
    selector:
    matchLabels:
    app: httpd
    template:
    metadata:
    labels:
    app: httpd
    spec:
    runtimeClassName: gvisor
    containers:
    - name: httpd
    image: httpd
    https: //cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods

    View full-size slide

  86. @hayorov
    How to start
    • GKE (managed Kubernetes)
    Running an application
    kind: Deployment
    metadata:
    name: httpd
    spec:
    replicas: 1
    selector:
    matchLabels:
    app: httpd
    template:
    metadata:
    labels:
    app: httpd
    spec:
    runtimeClassName: gvisor
    containers:
    - name: httpd
    image: httpd
    Enable raw sockets
    spec:
    containers:
    - name: my-container
    securityContext:
    capabilities:
    add: ["NET_RAW"]
    https: //cloud.google.com/kubernetes-engine/docs/how-to/sandbox-pods

    View full-size slide

  87. @hayorov
    Applicability and performance
    https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

    View full-size slide

  88. @hayorov
    Applicability and performance
    • Of 330 syscalls, 233 syscalls have a full or partial implementation.
    https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

    View full-size slide

  89. @hayorov
    Applicability and performance
    • Of 330 syscalls, 233 syscalls have a full or partial implementation.
    elasticsearch golang java8 jenkins mariadb memcached mongo
    nginx node php postgres prometheus python
    https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

    View full-size slide

  90. @hayorov
    Applicability and performance
    • Of 330 syscalls, 233 syscalls have a full or partial implementation.
    elasticsearch golang java8 jenkins mariadb memcached mongo
    nginx node php postgres prometheus python
    elasticsearch golang java8 jenkins mariadb memcached mongo
    nginx node php postgres prometheus python
    https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

    View full-size slide

  91. @hayorov
    Applicability and performance
    • Of 330 syscalls, 233 syscalls have a full or partial implementation.
    • Performance 


    CPU (events/sec) no diff Startup time (ms) no diff
    Mem (usage, MB) 35Mb Net (rps) -50%

    … small operations (I/O) impose a large overhead.
    elasticsearch golang java8 jenkins mariadb memcached mongo
    nginx node php postgres prometheus python
    elasticsearch golang java8 jenkins mariadb memcached mongo
    nginx node php postgres prometheus python
    https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf

    View full-size slide

  92. @hayorov
    Applicability and performance
    • Of 330 syscalls, 233 syscalls have a full or partial implementation.
    • Performance 


    CPU (events/sec) no diff Startup time (ms) no diff
    Mem (usage, MB) 35Mb Net (rps) -50%

    … small operations (I/O) impose a large overhead.
    elasticsearch golang java8 jenkins mariadb memcached mongo
    nginx node php postgres prometheus python
    elasticsearch golang java8 jenkins mariadb memcached mongo
    nginx node php postgres prometheus python
    https: // www.usenix.org/system/files/hotcloud19-paper-young.pdf
    • NO direct access to hardware or virtualization (no GPU)

    View full-size slide

  93. быть безопасными?
    Могут ли контейнеры

    View full-size slide

  94. @hayorov
    CVE-2017-1002101: Host-resolved symlinks
    Kernel
    Container
    Volume Volume
    Node host
    Escape!

    View full-size slide

  95. быть безопасными?
    Могут ли контейнеры
    скорее нет

    View full-size slide

  96. @hayorov
    So Now What?

    View full-size slide

  97. @hayorov
    So Now What?
    • Configure a security context (runAsUser != 0)

    View full-size slide

  98. @hayorov
    So Now What?
    • Configure a security context (runAsUser != 0)
    • Keep your software Up-to-date (OS, runtime, Kubernetes)

    View full-size slide

  99. @hayorov
    So Now What?
    • Configure a security context (runAsUser != 0)
    • Discover Falco to start monitoring abnormal activities of your (GKE-compatible)
    • Keep your software Up-to-date (OS, runtime, Kubernetes)

    View full-size slide

  100. @hayorov
    So Now What?
    • Setup “sandboxed nodepool” with gVisor for the riskiest workload
    • Configure a security context (runAsUser != 0)
    • Discover Falco to start monitoring abnormal activities of your (GKE-compatible)
    • Keep your software Up-to-date (OS, runtime, Kubernetes)

    View full-size slide

  101. @hayorov
    So Now What?
    • Setup “sandboxed nodepool” with gVisor for the riskiest workload
    • Configure a security context (runAsUser != 0)
    • Discover Falco to start monitoring abnormal activities of your (GKE-compatible)
    • Learn about alternatives: Kata containers and Firecracker MicroVMs
    • Keep your software Up-to-date (OS, runtime, Kubernetes)

    View full-size slide

  102. @hayorov
    So Now What?
    • Setup “sandboxed nodepool” with gVisor for the riskiest workload
    • Configure a security context (runAsUser != 0)
    • Discover Falco to start monitoring abnormal activities of your (GKE-compatible)
    • Learn about alternatives: Kata containers and Firecracker MicroVMs
    • Use dedicated instances (VMs, Bare Metal) or services in special cases
    • Keep your software Up-to-date (OS, runtime, Kubernetes)

    View full-size slide

  103. Thank you
    questions…

    Alex Khaerov
    t.me/hayorov
    http://bit.ly/xxx

    View full-size slide