DCEU 18: Docker Container Security
2 likes694 views
This document discusses Docker container security. It covers five main security verticals: secure software supply chain, runtime security, infrastructure security, compliance, and provides a demo. The supply chain involves scanning and signing images. Runtime security focuses on identifying vulnerabilities and running only trusted images. Infrastructure security discusses access control and roles. Compliance addresses FIPS validation and audit logs. A demo then shows some of these security features in action.
![Detailed Audit Logs
{“audit”; {
"metadata": {...},
"level": "Metadata",
"timestamp": "2018-08-07T22:10:35Z",
"auditID":
"7559d301-fa6b-4ad6-901c-b587fab75277",
"stage": "RequestReceived",
"requestURI":
"/api/v1/namespaces/default/pods",
"verb": "list",
"user": {"username": "alice",...},
"sourceIPs": ["127.0.0.1"],
...,
"requestReceivedTimestamp":
"2018-08-07T22:10:35.428850Z"}}
orchestrator audit events
audit logs
user request
{“audit”; {
"metadata": {...},
"level": "Metadata",
"timestamp": "2018-08-07T22:10:35Z",
"auditID":
"7559d301-94e7-4ad6-901c-b587fab31512",
"stage": "RequestReceived",
"requestURI": "/v1.30/configs/create",
"verb": "post",
"user": {"username": "alice",...},
"sourceIPs": ["127.0.0.1"],
...,
"requestReceivedTimestamp":
"2018-08-07T22:10:35.428850Z"}}
kubernetes pod listing swarm config create
FEATURE
• Configurable audit logs for both
Swarm and Kubernetes
• Logs API calls tracking request,
time, user, and response
• Persistent storage of audit log
BENEFITS
• Track and investigate all
security-relevant user activity in
the cluster](https://image.slidesharecdn.com/dceu18dockercontainersecurity-181214181723/85/DCEU-18-Docker-Container-Security-19-320.jpg)
DCEU 18: Docker Container Security
- 2. Group Product Manager, Docker Yuvraj Mehta Solutions Architect, Docker Steve Richards
- 3. Agenda ● Container Security Verticals ● Secure Software Supply Chain ● Runtime Security ● Infrastructure Security ● Compliance ● DEMO TIME!!
- 4. Secure Supply Chain Securing the Software Pipeline Docker Enterprise Security Verticals Runtime Security Securing the Application in Production Infrastructure Security Securing Infrastructure from the Application Compliance Meet Regulatory Standards
- 6. Secure Software Supply Chain Docker Trusted Registry IT OPERATIONS Control Plane Security scan & sign Traditional Third Party Microservices DEVELOPERS
- 7. docker trust init org/example Trusted Images: Scanning docker trust init org/example docker trust sign org/example:latest FEATURE • Deep visibility with binary level scanning • Integrated workflow for a secure supply chain • Enable proactive risk management BENEFITS • Detailed BOM of included components and vulnerability profile • Covers wide array of languages & OS including Windows
- 8. docker trust init org/example Trusted Images: Signing docker trust init org/example docker trust sign org/example:latest FEATURE • Run only trusted images in production • Establish a chain of custody for Docker images BENEFITS • Sign Docker images from developer to operations • Verifies the publisher of Docker images • Integrated with Docker CLI
- 9. WebHooks
- 10. Automated Promotions Production Environments DTR Docker UCP Production Environments Docker UCP Non-Production EnvironmentsDeveloper Machine Development CI/CD Operations Datacenter 1 Datacenter 2 DTR Docker for DTR
- 11. Runtime Security
- 12. docker trust init org/example Identify Vulnerabilities in Production docker trust init org/example docker trust sign org/example:latest Docker Enterprise Control Plane Docker Trusted Registry Scan Data FEATURE BENEFITS • Create policies to manage service deployments using image vulnerability data • Maintain compliant deployment of production services • View vulnerability data of images deployed through the control plane • Roll up views for services & pods
- 13. Run Trusted Images Developer signs an image and checks it into a registry Engine verifies that image is signed before pulling to local environment FEATURE BENEFITS • Verify that images are signed before pulling from registry • Enable or disable on a per-shell or per-invocation basis • Prevent the deployment of containers that use unsigned images • Enforce policies around image signing
- 15. Secure Access: Single Sign-On with SAML v2.0 FEATURE BENEFITS • Allow for SSO to Docker Enterprise through existing identity provider (IdP) ○ Support for Okta and ADFS, with more IdPs added in the future • Continue to use LDAP synch for client bundle access • Achieve 2FA through identity provider • Credentials stored in IdP only; no local hosting of passwords
- 16. Secure Access: Native Kubernetes RBAC FEATURE BENEFITS • Add native Kubernetes roles defined in YAML file • Distinct view of Kubernetes roles from Swarm roles • Define grants similar to Swarm • Deploy Helm charts • Use native Kubernetes RBAC primitives Node Worker Node Worker Node Worker Node Worker swarm mode cluster docker enterprise universal control plane trusted registry Node Worker Node Worker .NET Dev Team Using Swarm Java Dev Team using K8s Java Dev Team Using Swarm Ops Team
- 17. Compliance
- 18. FIPS 140-2 Validated Docker Enterprise-Engine FEATURE BENEFITS • Linux support included in 18.03 Engine, 18.09 now adds FIPS compliance for Windows • Automatically enable FIPS mode for Docker engine based upon host OS FIPS status • Use env variable to override O/S FIPS state • Meet regulatory requirements by deploying Docker Engines in a FIPS compliant mode • Prevent non-FIPS nodes from joining a FIPS compliant cluster DOCKER ENGINE containerd Docker API Networking Docker Build (BuildKit) Orchestration VolumesDistribution Docker CLI Plugins FIPS 140-2 Validated Encryption Module
- 19. Detailed Audit Logs {“audit”; { "metadata": {...}, "level": "Metadata", "timestamp": "2018-08-07T22:10:35Z", "auditID": "7559d301-fa6b-4ad6-901c-b587fab75277", "stage": "RequestReceived", "requestURI": "/api/v1/namespaces/default/pods", "verb": "list", "user": {"username": "alice",...}, "sourceIPs": ["127.0.0.1"], ..., "requestReceivedTimestamp": "2018-08-07T22:10:35.428850Z"}} orchestrator audit events audit logs user request {“audit”; { "metadata": {...}, "level": "Metadata", "timestamp": "2018-08-07T22:10:35Z", "auditID": "7559d301-94e7-4ad6-901c-b587fab31512", "stage": "RequestReceived", "requestURI": "/v1.30/configs/create", "verb": "post", "user": {"username": "alice",...}, "sourceIPs": ["127.0.0.1"], ..., "requestReceivedTimestamp": "2018-08-07T22:10:35.428850Z"}} kubernetes pod listing swarm config create FEATURE • Configurable audit logs for both Swarm and Kubernetes • Logs API calls tracking request, time, user, and response • Persistent storage of audit log BENEFITS • Track and investigate all security-relevant user activity in the cluster
- 20. Demo Time
- 21. Next Steps
- 22. https://dockr.ly/Forrester Get the Forrester Report on Container Platforms For more information visit:
- 23. https://dockr.ly/WindowsServerUpgrade Migrate Legacy Windows Before End of Support For more information visit:
- 24. Give Docker Enterprise a spin! trial.docker.com
- 25. Thank you!