Upgrade to Pro — share decks privately, control downloads, hide ads and more …

DockerCon 2018 - Kubernetes secops with Docker

Scott Coulton
June 15, 2018
Technology
0
450

DockerCon 2018 - Kubernetes secops with Docker

In this talk, Scott Coulton will walk through how to build a container as a service platform with Docker EE. Starting from scratch he will help you figure out what orchestrator to choose by deep diving into the technical differences between swarm and kubernetes on the EE platform as well as cover some of the practical considerations that could influence your decision. He will also share various automation solutions to deploy your cluster into production. Once the cluster is up and running, Scott will delve into sec ops and discuss security best practices – including signing images in DTR (Docker Trusted Registry) and CVE scanning to provide a secure supply chain into production. You’ll leave this talk with the knowledge needed to build your own container platform in production. And did I mention it will all be done live, step-by-step?

Scott Coulton

June 15, 2018
Tweet

More Decks by Scott Coulton

See All by Scott Coulton
Kubernetes security 101
scottyc
2
120
If it’s in a container it’s secure right ?
scottyc
1
150
Pulling the strings to containerise your life
scottyc
0
53
If it's in a container its secure right ?
scottyc
1
140
Why containerise your life ?
scottyc
4
1.1k
Docker in production, No hands
scottyc
1
200

Other Decks in Technology

See All in Technology
Oracle Base Database Service 技術詳細
oracle4engineer
PRO
4
37k
Cloud Service Mesh に触れ合う
phaya72
1
120
Azure Container Apps + Bicep 〜 こんな感じで運用しています
kaz29
3
610
EM完全に理解した と思ったけど、 やっぱり何も分からなかった話 / EM Night Fukuoka #1
hirutas
0
250
Building a RAG-powered AI chat app with Python and VS Code
pamelafox
0
140
ゼロから始めるVue.jsコミュニティ貢献 / first-vuejs-community-contribution-link-and-motivation
lmi
1
150
Building Dashboards as a Hobby
egmc
0
350
LayerXにおけるLLMプロダクト開発の今までとこれから
layerx
PRO
3
590
EMとして2023年度に頑張ったこと / What we did well in FY2023 as a EM
pauli
1
200
Amplify 🩷 Bedrock 〜生成AI入門〜
minorun365
PRO
7
350
How to do well in consulting–Balkan Ruby 2024
irinanazarova
0
120
MLOpsの「壁」を乗り越える、LINEヤフーの Data Quality as Code
lycorptech_jp
PRO
8
610

Featured

See All Featured
No one is an island. Learnings from fostering a developers community.
thoeni
16
2.1k
A Modern Web Designer's Workflow
chriscoyier
689
190k
The World Runs on Bad Software
bkeepers
PRO
61
6.7k
Side Projects
sachag
451
41k
Building Better People: How to give real-time feedback that sticks.
wjessup
356
18k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
79
43k
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
14
1.5k
From Idea to $5000 a Month in 5 Months
shpigford
378
45k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
33
6k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
13
8.3k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
323
20k
The Pragmatic Product Professional
lauravandoore
26
5.8k

Transcript

  1. Scott Coulton Principal software engineer, Puppet Production SecOps With Kubernetes

    In Docker

  2. About me @scottcoulton

  3. v Let’s build a CaaS What's the difference (Swarm vs

    Kubernetes) Now for the fun stuff secops with Kubernetes Agenda

  4. Let’s build a CaaS

  5. Live demo time

  6. So let's look at the platform architecture

  7. Operating Systems Platform Architecture Config Mgt Monitoring Logging CI/CD ..more..

    Images Networking Volumes Physical Virtualization Public Cloud Platform Security Developer Services Registry Services Access Policies App Lifecycle Management Automation & Extensibility Networking Orchestration Storage Container Engine ENTERPRISE EDITION PLATFORM

  8. Docker EE Architecture Docker EE Cluster Node Node Node DOCKER

    ENTERPRISE EDITION Node Manager Worker Node Worker Worker Worker Node Manager Node Manager Management Plane

  9. Docker EE Orchestration Secure Cluster Management App Scheduler Swarm Kubernetes

    OR Docker EE Cluster Node Node Node

  10. What’s the difference ?

  11. • Uses docker cli • Deploys applications through ‘stacks’ •

    Overlay networking Swarm

  12. • kubectl as the cli tool • More deployment definitions

    ie pods, svc, deployments • Plug and play networking with CNI Kubernetes

  13. In Docker EE you can swap and change

  14. Live demo time

  15. Now for the fun stuff secops with Kubernetes

  16. Real life attacks

  17. https://www.fortinet.com/blog/threat-research/yet-another- crypto-mining-botnet.html https://github.com/docker/hub-feedback/issues/1121 This attack allowed the hackers to gain

    access to your Docker host via a vulnerable image. Hackers going to hack

  18. Hackers going to hack

  19. How do we protect from this threat ?

  20. Secure Supply Chain

  21. Secure Supply Chain TEST STAGING • Signature verification • Native

    encryption Scanning Signing Automated Policies Docker for Mac or Docker for Windows PRODUCTION
  22. None

  23. Production Environments Docker Trusted Registry Docker UCP Production Environments Version

    Control Docker UCP Non-Production Environments Developer Machine Development CI/CD Operations Datacenter 1 Datacenter 2 Docker Trusted Registry Docker for Secure Supply Chain

  24. CI Workflow Docker Trusted Registry Build container $ git clone

    $ mvn deploy Repository Manager binaries Version Control src Dockerfiles docker-compose.yml files pull push CI Agent $ docker run -it --rm builder build runs build start CI Agent $ git clone $ docker build -t myapp $ docker push myapp push pull CI Agent $ eval $(<env.sh) $ docker run $ docker service $ docker-compose up Docker UCP Test Environment CI Agent $ eval $(<env.sh) $ docker run -it --rm test uat $ docker pull myapp $ docker push myapp test pull 1 2 3 4 runs app runs tests

  25. Notary client config for DockerHub ~/.notary/config.json { "trust_dir" : "~/.docker/trust",

    "remote_server": { "url": "https://notary.docker.io" } }

  26. Notary client config for your registry ~/.notary/config.json { "trust_dir" :

    "~/.docker/trust", "remote_server": { "url": "dtr_url", "root-ca": "dtr_ca.pem" } }

  27. Push and sign your application $ export DOCKER_CONTENT_TRUST=1 $ docker

    push {dtr_url/registry_url}/{account}/{repository}:{tag}

  28. The one take away from this talk “Sign your images”

    Scott Coulton Principal software engineer Puppet
  29. None

  30. Run as non root apiVersion: v1 kind: Pod metadata: name:

    my-dockercon-app spec: securityContext: runAsUser: 1000

  31. Read only file system apiVersion: v1 kind: Pod metadata: name:

    my-dockercon-app spec: securityContext: readOnlyRootFilesystem: true

  32. Privilege escalation apiVersion: v1 kind: Pod metadata: name: my-dockercon-app spec:

    securityContext: allowPrivilegeEscalation: false

  33. You don't have to chose one apiVersion: v1 kind: Pod

    metadata: name: my-dockercon-app spec: securityContext: runAsUser: 1000 readOnlyRootFilesystem: true allowPrivilegeEscalation: false
  34. None

  35. A great blog post on this stuff https://blog.jessfraz.com/post/containers-security-and-echo-chambers/

  36. Apparmor apiVersion: v1 kind: Pod metadata: name: my-dockercon-app annotations: container.apparmor.security.beta.kubernetes.io/dockercon:

    runtime/default spec: containers: - name: dockercon

  37. Selinux apiVersion: v1 kind: Pod metadata: name: my-dockercon-app spec: securityContext:

    seLinuxOptions: level: "s0:c123,c456" containers: - name: dockercon

  38. v Questions

  39. v Thank you !