
Security in the Age of Containers

Joonathan
September 14, 2017


Brief introduction into container security highlighting some of the best practices for images, hosts and network.



Transcript

1. INTRODUCTION

Containers are a solution to the problem of how to get software to run reliably when moved from one computing environment to another. This could be from a developer's laptop to a test environment, from staging into production, or even from a physical data center to a public cloud. A container consists of an entire runtime environment: the application plus all the dependencies, libraries and other binaries needed to run it, bundled into one package. Containers share the operating system kernel with the other containers on the host.
2. INTRODUCTION

Containers provide an additional layer of isolation, making your infrastructure safer by default while also making the application lifecycle faster and leaner. Security benefits of containers include a smaller attack surface, a shorter lifespan (of a particular deployed version) and generally more automated processes around development and deployment. In most cases containers should be considered ephemeral and stateless.
3. INTRODUCTION

Containers use several mechanisms for security, for example:

§ Linux kernel namespaces (providing isolation, but they can also be shared)
§ Linux control groups (resource limitations)
§ Linux capabilities (privileges finer-grained than the root/non-root split)
§ AppArmor, SELinux etc. can be leveraged

Containers are, by default, quite secure, especially if you take care to run the processes inside them as a non-privileged user.
4. SECURITY ON HOSTS

Follow standard hardening processes, firewall off the host and only allow access via a known private network. Limit SSH access to your cluster / nodes. Watch out for privileged containers. If you need some privileged containers and you run on Kubernetes, use the DenyEscalatingExec admission controller to deny exec and attach commands into them.
5. SECURITY OF IMAGES

Where did the image come from, is it the version we wanted, and has somebody modified it?

§ Scan for vulnerabilities (the CVE database includes around 90k entries) using something like Clair. Various studies have shown that around 20% of public images contain significant vulnerabilities.
§ Depending on your environment you might want to always pull images rather than share them with other containers on the host.
§ Use the ImagePolicyWebhook admission controller on Kubernetes.

Smaller images usually mean fewer vulnerabilities: software can't be vulnerable if it's not installed. Has any sensitive data been stored in the image?
6. SECURITY OF NETWORK

Ensure a container can only communicate with whom it must. Running different applications on the same cluster creates a risk of one compromised application attacking a neighboring application. Kubernetes provides the NetworkPolicy resource for label-based specification of ingress traffic rules for pods / containers. As an alternative, or if you require more control, look into the security capabilities of other overlay network providers like Project Calico. Service meshes like Istio can provide an additional layer of security by securing service-to-service communication, e.g. by automating key management for mTLS.
7. RESOURCE QUOTAS

Running resource-unbound containers puts your system at risk of Denial of Service or "noisy neighbor" scenarios. Kubernetes lets you define resource quota policies to limit the CPU and memory a pod (container) is allowed to consume.
8. PLAN FOR ATTACKS

Think about how you would investigate a potential attack, as containers are mostly ephemeral and stateless. Log everything and collect logs in a central location for easy correlation and analysis. Think about how to snapshot problematic containers using filesystem tools or docker commit. What do you need to back up, and what is your disaster recovery plan?
9. BASIC SECURITY RECAP

§ Prevent unknown images
§ Continuously scan images for vulnerabilities
§ Stop privilege escalation
§ Enable only capabilities that are required
§ Enforce network isolation
§ Protect host resources
§ Encrypt sensitive information
§ Enforce use of automation tools
§ Provide visibility across environments
10. SOME TOOLS

The Center for Internet Security has put together benchmarks for Docker and Kubernetes, and tools have been built for validating setups against those benchmarks:

https://github.com/aquasecurity/kube-bench
https://github.com/docker/docker-bench-security