Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Containers, metadata and you

Liz Rice
September 29, 2017
Programming
0
56

Containers, metadata and you

ContainerSched 2017 keynote about the benefits of metadata for managing container images

Liz Rice

September 29, 2017
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
12
eBPF's Abilities and Limitations: The Truth
lizrice
0
27
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
11
When is a Secure Connection not encrypted? And other stories
lizrice
1
17
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
460
How Many Proxies Do You Need
lizrice
1
100
eBPF for Security Observability
lizrice
0
1k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2k
Contributing to Open Source - what's in it for my business?
lizrice
0
35

Other Decks in Programming

See All in Programming
FigmaとPHPで作る1ミリたりとも表示崩れしない最強の帳票印刷ソリューション
ttskch
43
19k
Elm 0.19.0 Changes
bkuhlmann
0
490
if constexpr文はテンプレート世界のラムダ式である
faithandbrave
3
640
Random\Randomizer クラスで日常のあれこれを解決しよう! / Random\Randomizer class solves familiar trouble
cocoeyes02
0
230
Git Lint
bkuhlmann
4
750
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
130
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
170
GitHub Actionsで泣かないためにやっておきたい設定 / Recommended GHA settings to avoid crying
pinkumohikan
3
530
PHPはいつから死んでいるかの調査
chiroruxx
1
400
効率化に挑戦してみたらモバイル開発が少し快適になった話
ryunakayama
0
130
HUIT新歓2024「競技プログラミング、やってみませんか?」
slephy2784
1
270
単体テストを書かない技術 #phpcon_odawara
o0h
PRO
26
8.2k

Featured

See All Featured
Building Effective Engineering Teams - LeadDev
addyosmani
28
1.8k
Web development in the modern age
philhawksworth
202
10k
Rails Girls Zürich Keynote
gr2m
91
13k
Bootstrapping a Software Product
garrettdimon
PRO
302
110k
Infographics Made Easy
chrislema
238
18k
Fireside Chat
paigeccino
21
2.6k
Put a Button on it: Removing Barriers to Going Fast.
kastner
58
3k
Why You Should Never Use an ORM
jnunemaker
PRO
51
8.6k
Clear Off the Table
cherdarchuk
84
310k
Pencils Down: Stop Designing & Start Developing
hursman
117
11k
How to Ace a Technical Interview
jacobian
272
22k
Testing 201, or: Great Expectations
jmmastey
28
6.3k

Transcript

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Containers, metadata and you Liz Rice @lizrice | @aquasecteam

  2. 2 @lizrice Containers

  3. 3 @lizrice Container Images

  4. 4 @lizrice

  5. Metadata you can build in

  6. 6 @lizrice Container images Dockerfile FROM MAINTAINER COPY CMD LABEL

    Image File system layer Metadata Metadata File system layer Metadata

  7. 7 @lizrice

  8. 8 @lizrice The only true identifier for an image is

    its SHA

  9. 9 @lizrice The only true identifier for an image is

    its SHA sha256:da4fd23ca6bf973782f20c1c946fdb74d 0a17f874c634bfa82b0999975fb347c

  10. After the build

  11. 11 @lizrice Image stored in a registry with a tag

    [my.registry.io/]my-org-name/my-repo:tag lizrice/hello:3

  12. 12 @lizrice Labels can refer to external files Dockerfile FROM

    ... LABEL Image File system layer Metadata URL

  13. Is this sufficient?

  14. 14 @lizrice ▪ Testing ▪ Vulnerability scanning ▪ Security profiling

    ▪ Approvals & signoffs ▪ … ▪ Deploy ▪ … ▪ Support ▪ Prune What happens to your images after they’re built? - test results - vulnerability reports - seccomp / AppArmor profile - signoff records - check / use these? - support team contacts - deployment records

  15. Post-build metadata

  16. 16 @lizrice

  17. 17 @lizrice registry myorg/myrepo Store metadata for an image sha256:0a3...

    sha256:178... latest 1.4 images data blobs 1.3 metadata

  18. 18 @lizrice Store metadata for an image registry myorg/myrepo sha256:0a3...

    sha256:178... latest 1.4 images data blobs 1.3 _manifesto metadata

  19. Manifesto demo

  20. 52.174.107.27

  21. Admission control pattern

  22. None

  23. 23 @lizrice Admission control Start deploy Is image OK? Run

    image Fail Check the metadata for the image ▪ Test results? ▪ Approvals? ▪ Image / vulnerability policies?

  24. Admission control demo

  25. Trusted metadata

  26. 26 @lizrice

  27. 27 @lizrice

  28. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    github.com/aquasecurity/manifesto