Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Containers, metadata and you

Liz Rice
September 29, 2017
Programming
0
63

Containers, metadata and you

ContainerSched 2017 keynote about the benefits of metadata for managing container images

Liz Rice

September 29, 2017
Tweet

More Decks by Liz Rice

See All by Liz Rice
Unleashing the kernel with eBPF
lizrice
0
130
eBPF's Abilities and Limitations: The Truth
lizrice
0
240
Simplifying multi-cloud and multi-cluster Kubernetes deployments with Cilium
lizrice
0
140
When is a Secure Connection not encrypted? And other stories
lizrice
1
63
Keeping it simple: Cilium Mesh - networking for multi-cloud Kubernetes and beyond
lizrice
1
570
How Many Proxies Do You Need
lizrice
1
120
eBPF for Security Observability
lizrice
0
1.2k
Beginner's Guide to eBPF Programming for Networking
lizrice
1
2.2k
Contributing to Open Source - what's in it for my business?
lizrice
0
43

Other Decks in Programming

See All in Programming
Streams APIとTCPフロー制御 / Web Streams API and TCP flow control
tasshi
2
360
3 Effective Rules for Using Signals in Angular
manfredsteyer
PRO
0
100
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
480
Better Code Design in PHP
afilina
PRO
0
130
Jakarta EE meets AI
ivargrimstad
0
180
PHP でアセンブリ言語のように書く技術
memory1994
PRO
1
170
ローコードSaaSのUXを向上させるためのTypeScript
taro28
1
630
Creating a Free Video Ad Network on the Edge
mizoguchicoji
0
120
タクシーアプリ『GO』のリアルタイムデータ分析基盤における機械学習サービスの活用
mot_techtalk
5
1.5k
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
OSSで起業してもうすぐ10年 / Open Source Conference 2024 Shimane
furukawayasuto
0
110

Featured

See All Featured
Agile that works and the tools we love
rasmusluckow
327
21k
Optimizing for Happiness
mojombo
376
70k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
The World Runs on Bad Software
bkeepers
PRO
65
11k
Documentation Writing (for coders)
carmenintech
65
4.4k
Being A Developer After 40
akosma
87
590k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
1.9k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k
Building Your Own Lightsaber
phodgson
103
6.1k
Music & Morning Musume
bryan
46
6.2k

Transcript

  1. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    Containers, metadata and you Liz Rice @lizrice | @aquasecteam

  2. 2 @lizrice Containers

  3. 3 @lizrice Container Images

  4. 4 @lizrice

  5. Metadata you can build in

  6. 6 @lizrice Container images Dockerfile FROM MAINTAINER COPY CMD LABEL

    Image File system layer Metadata Metadata File system layer Metadata

  7. 7 @lizrice

  8. 8 @lizrice The only true identifier for an image is

    its SHA

  9. 9 @lizrice The only true identifier for an image is

    its SHA sha256:da4fd23ca6bf973782f20c1c946fdb74d 0a17f874c634bfa82b0999975fb347c

  10. After the build

  11. 11 @lizrice Image stored in a registry with a tag

    [my.registry.io/]my-org-name/my-repo:tag lizrice/hello:3

  12. 12 @lizrice Labels can refer to external files Dockerfile FROM

    ... LABEL Image File system layer Metadata URL

  13. Is this sufficient?

  14. 14 @lizrice ▪ Testing ▪ Vulnerability scanning ▪ Security profiling

    ▪ Approvals & signoffs ▪ … ▪ Deploy ▪ … ▪ Support ▪ Prune What happens to your images after they’re built? - test results - vulnerability reports - seccomp / AppArmor profile - signoff records - check / use these? - support team contacts - deployment records

  15. Post-build metadata

  16. 16 @lizrice

  17. 17 @lizrice registry myorg/myrepo Store metadata for an image sha256:0a3...

    sha256:178... latest 1.4 images data blobs 1.3 metadata

  18. 18 @lizrice Store metadata for an image registry myorg/myrepo sha256:0a3...

    sha256:178... latest 1.4 images data blobs 1.3 _manifesto metadata

  19. Manifesto demo

  20. 52.174.107.27

  21. Admission control pattern

  22. None

  23. 23 @lizrice Admission control Start deploy Is image OK? Run

    image Fail Check the metadata for the image ▪ Test results? ▪ Approvals? ▪ Image / vulnerability policies?

  24. Admission control demo

  25. Trusted metadata

  26. 26 @lizrice

  27. 27 @lizrice

  28. Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved.

    github.com/aquasecurity/manifesto