Slide 1

Containers, metadata and you
Liz Rice, @lizrice | @aquasecteam
Copyright © 2017 Aqua Security Software Ltd. All Rights Reserved.

Slide 2

Containers

Slide 3

Container Images

Slide 4

No content

Slide 5

Metadata you can build in

Slide 6

Container images. Diagram: a Dockerfile (FROM, MAINTAINER, COPY, CMD, LABEL) builds an image made up of file system layers and metadata.

Slide 7

No content

Slide 8

The only true identifier for an image is its SHA

Slide 9

The only true identifier for an image is its SHA
sha256:da4fd23ca6bf973782f20c1c946fdb74d0a17f874c634bfa82b0999975fb347c

Slide 10

After the build

Slide 11

Image stored in a registry with a tag:
[my.registry.io/]my-org-name/my-repo:tag
lizrice/hello:3

Slide 12

Labels can refer to external files. Diagram: Dockerfile (FROM ..., LABEL) -> image (file system layer, metadata) -> URL.

Slide 13

Is this sufficient?

Slide 14

What happens to your images after they’re built?
■ Testing - test results
■ Vulnerability scanning - vulnerability reports
■ Security profiling - seccomp / AppArmor profile
■ Approvals & signoffs - signoff records
■ …
■ Deploy - check / use these?
■ …
■ Support - support team contacts
■ Prune - deployment records

Slide 15

Post-build metadata

Slide 16

No content

Slide 17

Store metadata for an image. Diagram: registry -> myorg/myrepo -> images (sha256:0a3..., sha256:178..., tagged latest, 1.4, 1.3) and data blobs; metadata.

Slide 18

Store metadata for an image. Diagram: registry -> myorg/myrepo -> images (sha256:0a3..., sha256:178..., tagged latest, 1.4, 1.3) and data blobs; metadata stored under _manifesto in the same registry.

Slide 19

Manifesto demo

Slide 20

52.174.107.27

Slide 21

Admission control pattern

Slide 22

No content

Slide 23

Admission control: Start deploy -> Is image OK? -> Run image (or Fail).
Check the metadata for the image:
■ Test results?
■ Approvals?
■ Image / vulnerability policies?
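The decision step of this pattern as an added Python example (not code from the talk or from Manifesto): resolve the image reference to its digest, look up the metadata recorded for that digest, and apply a policy on test results, approvals and vulnerability counts, failing closed when no metadata exists. The tag index, digests, metadata records and Policy fields are constructed sample data, not a real registry.

```python
from dataclasses import dataclass, field
from typing import Optional
# Constructed sample data (not from the talk). Tags are mutable pointers, so
# everything is keyed on the digest, the only stable identifier for an image.
DIGEST_A = "sha256:0a3" + "0" * 61   # constructed, stands in for sha256:0a3...
DIGEST_B = "sha256:178" + "0" * 61   # constructed, stands in for sha256:178...
TAG_INDEX = {"lizrice/hello:3": DIGEST_A, "lizrice/hello:latest": DIGEST_B}
# Constructed post-build metadata, of the kind stored alongside the images.
METADATA = {
    DIGEST_A: {"tests": "passed", "approvals": ["alice", "bob"],
               "vulnerabilities": {"critical": 0, "high": 0, "medium": 2}},
    DIGEST_B: {"tests": "failed", "approvals": [],
               "vulnerabilities": {"critical": 0, "high": 1, "medium": 5}},
}


@dataclass
class Policy:
    """Thresholds the admission controller enforces before an image may run."""
    require_tests_passed: bool = True
    min_approvals: int = 1
    max_vulns: dict = field(default_factory=lambda: {"critical": 0, "high": 0})


def resolve_digest(image_ref: str) -> Optional[str]:
    """Digest-pinned references (repo@sha256:...) are used as-is; tags are looked up."""
    if "@sha256:" in image_ref:
        return image_ref.split("@", 1)[1]
    return TAG_INDEX.get(image_ref)


def admit(image_ref: str, policy: Optional[Policy] = None) -> tuple:
    """Return (admitted, reasons); an empty reasons list means the image is OK."""
    policy = policy or Policy()
    digest = resolve_digest(image_ref)
    meta = METADATA.get(digest) if digest else None
    if meta is None:  # unknown tag or no recorded metadata: fail closed
        return False, [f"no metadata for {image_ref} (digest {digest})"]
    reasons = []
    if policy.require_tests_passed and meta.get("tests") != "passed":
        reasons.append(f"tests: {meta.get('tests', 'missing')}")
    approvals = len(meta.get("approvals", []))
    if approvals < policy.min_approvals:
        reasons.append(f"approvals: {approvals} < {policy.min_approvals}")
    vulns = meta.get("vulnerabilities", {})
    for severity, limit in policy.max_vulns.items():
        if vulns.get(severity, 0) > limit:
            reasons.append(f"{severity} vulnerabilities: {vulns[severity]} > {limit}")
    return not reasons, reasons
```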

Slide 24

Admission control demo

Slide 25

Trusted metadata

Slide 26

No content

Slide 27

No content

Slide 28

github.com/aquasecurity/manifesto