@krol_valencia
Carol Valencia
Solution Architect at Aqua Security
Twitter: @krol_valencia
Agenda
1. Cloud Native Applications
2. Best practices to build containers
3. Securing workloads with open source tools
1. Cloud Native Application
Open Source Cloud Computing for Applications
We curate & promote a trusted tool kit for modern architectures.
Non-profit, part of the Linux Foundation
Container evolution: differences
Source: Developer Culture is Bypassing Security - Steve Giguere
Best practices: container design
Build small container images: Alpine, Bazel, Distroless, DockerSlim, UPX, NixOS distribution → fewer vulnerabilities
One process, one service per container
Container immutability
Hardening: Containers
Public images? → Use a private base image
Run as root? → Create users with limited privileges
Hardening: Containers
Privileged capabilities? → Grant only the specific capabilities the container needs
Drop kernel modules, system time and process tracing (CAP_SYS_MODULE, CAP_SYS_TIME, CAP_SYS_PTRACE).
Source: The Container Security Checklist - Liz Rice
Hardening: Host
Unsecured, unhardened host? → OS best practices; Center for Internet Security (CIS) Benchmark for the distribution
Container Runtimes
Mounting docker.sock or sensitive host directories? → Docker Bench for Security; Center for Internet Security (CIS) Benchmark for Docker
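As an added example (not part of the deck or Aqua's tooling), a small Python audit that checks a Kubernetes Pod manifest for the points on the hardening slides: running as root, privileged mode, the CAP_SYS_MODULE / CAP_SYS_TIME / CAP_SYS_PTRACE capabilities, and docker.sock or sensitive host directory mounts. The two sample manifests and the list of sensitive host paths are constructed assumptions for the example.

```python
# Capabilities the slides say to drop; Kubernetes spells them without the CAP_ prefix.
RISKY_CAPS = {"SYS_MODULE", "SYS_TIME", "SYS_PTRACE"}
# Host paths that hand a container control of the host (assumed list for this example).
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/", "/etc", "/proc", "/sys", "/root")

def _norm_cap(cap):
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def _is_sensitive(path):
    path = path.rstrip("/") or "/"
    return any(path == p or (p != "/" and path.startswith(p + "/")) for p in SENSITIVE_HOST_PATHS)

def audit_pod(pod):
    """Return (container name, finding) pairs; an empty list means the pod passed."""
    findings = []
    spec = pod.get("spec", {})
    volumes = {v["name"]: v for v in spec.get("volumes", [])}
    for c in spec.get("containers", []):
        name = c["name"]
        # Container-level securityContext fields override the pod-level ones.
        sc = {**spec.get("securityContext", {}), **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append((name, "runs privileged"))
        if not sc.get("runAsNonRoot") and sc.get("runAsUser", 0) == 0:
            findings.append((name, "runs as root (no runAsNonRoot / non-zero runAsUser)"))
        caps = sc.get("capabilities") or {}
        added = {_norm_cap(x) for x in caps.get("add", [])}
        dropped = {_norm_cap(x) for x in caps.get("drop", [])}
        for cap in sorted(added & RISKY_CAPS):
            findings.append((name, f"adds CAP_{cap}"))
        if "ALL" not in dropped:
            findings.append((name, "does not drop ALL capabilities"))
        for m in c.get("volumeMounts", []):
            host = volumes.get(m["name"], {}).get("hostPath", {}).get("path")
            if host and _is_sensitive(host):
                findings.append((name, f"mounts sensitive host path {host}"))
    return findings

# Constructed sample manifests (not from the slides): the shape the slides warn about, and a hardened one.
INSECURE_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": {
    "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
    "containers": [{"name": "app", "image": "registry.example/app:latest",
                    "securityContext": {"capabilities": {"add": ["SYS_PTRACE", "NET_BIND_SERVICE"]}},
                    "volumeMounts": [{"name": "dock", "mountPath": "/var/run/docker.sock"}]}]}}
HARDENED_POD = {"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"}, "spec": {
    "containers": [{"name": "app", "image": "registry.example/app:1.4.2",
                    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                                        "capabilities": {"drop": ["ALL"]}}}]}}
```

`audit_pod(INSECURE_POD)` reports four findings (root user, CAP_SYS_PTRACE added, ALL not dropped, docker.sock mounted); `audit_pod(HARDENED_POD)` returns an empty list.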
Secrets
Secrets encrypted at rest and in transit
Dynamic secrets
Source: https://www.hashicorp.com/blog/why-we-need-dynamic-secrets/
Secrets in the source code
Kubernetes Secrets: base64 (encoding, not encryption)
etcd not encrypted