KubeSec Enterprise Online
A Webinar Series
Housekeeping
- Questions: to ask a question, click on the Question button in the chat menu on the right-hand side.
- Slides: a copy of the slides will be made available to all attendees.
- Feedback: feedback on the webinar series, and topics you'd like to see, is welcome at kubesec@aquasec.com.
© 2020 Aqua Security Software Ltd., All Rights Reserved
Liz Rice
VP Open Source Engineering, Aqua Security
@lizrice | @aquasecteam
The Container Security Checklist
@lizrice
Appendix: Security Checklist
This appendix covers some important items you should at least think about when considering how best to secure your container deployments. In your environment it might well not make sense to apply every item, but if you have thought about them, you will be off to a good start. No doubt this list is not absolutely comprehensive!
Build / Deploy / Run
[Diagram: the checklist areas across the Build, Deploy and Run stages: Host machines, Container images, Build machines, Container config, Secrets, Runtime & network security]
Are your builds running separately from your production cluster?
Don't run builds in your production cluster
[Diagram: a Dockerfile (… RUN blah blah …) drives build processes that share the host kernel with the production applications; the Docker daemon is reached through /var/run/docker.sock]
Don't run builds in your production cluster*
[Diagram: the same layout, but with the build processes placed in a sandbox between them and the kernel]
* Unless you are very sure you know what you're doing
Is all executable code added to a container image at build time?
Treat containers as immutable
[Diagram: the app image is scanned for vulnerable packages & dependencies; more code pulled into the running container via curl / apt / yum is code that scan never saw]
Are you avoiding --privileged?
--privileged
"The most dangerous flag in computing" -- Andrew Martin
Linux capabilities
More granular permissions than root. Most containers don't need to:
- Install kernel modules (CAP_SYS_MODULE)
- Change the system time (CAP_SYS_TIME)
- Trace / modify arbitrary processes (CAP_SYS_PTRACE)
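As an added example (not from the slides), a static check over a Pod manifest for the items the build and --privileged slides raise: a hostPath volume that reaches the Docker socket, privileged: true, and added capabilities from the list above. The sample Pod is constructed, and the rarely needed capability set is taken from the slide's wording.

```python
"""Static audit of a Pod manifest for: hostPath mounts reaching the Docker socket,
privileged containers, and added capabilities most containers don't need. Added example."""

DOCKER_SOCKET = "/var/run/docker.sock"
# Capabilities the slide names as rarely needed; Kubernetes manifests omit the CAP_ prefix.
RARELY_NEEDED = {"SYS_MODULE", "SYS_TIME", "SYS_PTRACE"}

def _reaches_socket(host_path: str) -> bool:
    """True if a hostPath exposes the Docker socket, directly or through a parent directory."""
    return host_path == DOCKER_SOCKET or DOCKER_SOCKET.startswith(host_path.rstrip("/") + "/")

def audit_pod(pod: dict) -> list:
    """Return one finding string per problem found in a parsed Pod manifest."""
    findings = []
    spec = pod.get("spec", {})
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes", []) if "hostPath" in v}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged=true (all capabilities, all host devices)")
        added = {cap.upper().replace("CAP_", "", 1) for cap in (sc.get("capabilities") or {}).get("add", [])}
        if "ALL" in added:
            findings.append(f"{name}: capabilities.add contains ALL")
        for cap in sorted(added & RARELY_NEEDED):
            findings.append(f"{name}: adds CAP_{cap}")
        for m in c.get("volumeMounts", []):
            hp = host_paths.get(m["name"])
            if hp and _reaches_socket(hp):
                findings.append(f"{name}: mounts the Docker socket from the host ({hp})")
    return findings

# Constructed sample: a CI builder Pod of the kind the build slides warn against.
BUILD_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "ci-builder"},
    "spec": {
        "volumes": [{"name": "dockersock", "hostPath": {"path": "/var/run/docker.sock"}}],
        "containers": [{
            "name": "build", "image": "docker:latest",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_PTRACE"]}},
            "volumeMounts": [{"name": "dockersock", "mountPath": "/var/run/docker.sock"}],
        }],
    },
}

if __name__ == "__main__":
    for finding in audit_pod(BUILD_POD):
        print("FINDING:", finding)
```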
$ docker run --rm -it --cap-add=ALL ubuntu
/# more /proc/1/status | grep CapEff
CapEff: 0000003fffffffff
$ docker run --rm -it --cap-drop=ALL ubuntu
/# more /proc/1/status | grep CapEff
CapEff: 0000000000000000
$ docker run --rm -it ubuntu
/# more /proc/1/status | grep CapEff
CapEff: 00000000a80425fb
$ docker run --rm -it --privileged ubuntu
/# more /proc/1/status | grep CapEff
CapEff: 0000003fffffffff
All capabilities
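Added example, not from the slides: decoding the CapEff masks shown above into capability names, so the difference between the default set, --cap-drop=ALL and --privileged is visible. The bit-to-name table follows the Linux capability numbering (bits 0 to 37 on the kernel generation of these slides); the three rarely needed capabilities are the ones the previous slide lists.

```python
"""Decode the CapEff bitmask from /proc/<pid>/status into CAP_* names.
Bit numbers follow linux/capability.h; bits past the table are reported by number.
Added example."""

CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID",
    "KILL", "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE",
    "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK",
    "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE",
    "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE",
    "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE",
    "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG",
    "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ",
]
# The three the slide says most containers don't need.
RARELY_NEEDED = {"SYS_MODULE", "SYS_TIME", "SYS_PTRACE"}

def decode_capeff(hex_mask: str) -> set:
    """Turn a CapEff hex string such as '00000000a80425fb' into a set of CAP_* names."""
    mask = int(hex_mask, 16)
    names = set()
    for bit in range(mask.bit_length()):
        if (mask >> bit) & 1:
            # Newer kernels add bits beyond this table; keep them visible rather than drop them.
            names.add(("CAP_" + CAP_NAMES[bit]) if bit < len(CAP_NAMES) else f"CAP_BIT_{bit}")
    return names

def capeff_from_status(status_text: str) -> str:
    """Pull the CapEff value out of the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no CapEff line in status text")

def unnecessary_caps(hex_mask: str) -> set:
    """Capabilities from the slide's rarely-needed list that are present in the mask."""
    return {n for n in decode_capeff(hex_mask) if n[4:] in RARELY_NEEDED}

if __name__ == "__main__":
    # The three masks from the docker run demo above: default, --cap-drop=ALL, --privileged.
    for mask in ("00000000a80425fb", "0000000000000000", "0000003fffffffff"):
        print(mask, len(decode_capeff(mask)), "caps; rarely needed:", sorted(unnecessary_caps(mask)))
```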
$ docker run --rm -it ubuntu
root@316a2ab0ddcb:/# ls /dev
console core fd full mqueue null ptmx pts random shm stderr stdin stdout tty urandom zero
$ docker run --rm -it --privileged ubuntu
root@87c19bbc393a:/# ls /dev
autofs loop-control ptmx tty14 tty33 tty52 ttyS13 ttyS4 vcsa
bsg loop0 pts tty15 tty34 tty53 ttyS14 ttyS5 vcsa1
btrfs-control loop1 random tty16 tty35 tty54 ttyS15 ttyS6 vcsa2
console loop2 rfkill tty17 tty36 tty55 ttyS16 ttyS7 vcsa3
core loop3 rtc0 tty18 tty37 tty56 ttyS17 ttyS8 vcsa4
cpu_dma_latency loop4 sda tty19 tty38 tty57 ttyS18 ttyS9 vcsa5
cuse loop5 sda1 tty2 tty39 tty58 ttyS19 ttyprintk vcsa6
dm-0 loop6 sg0 tty20 tty4 tty59 ttyS2 udmabuf vcsu
dm-1 loop7 shm tty21 tty40 tty6 ttyS20 uhid vcsu1
dri mapper snapshot tty22 tty41 tty60 ttyS21 uinput vcsu2
ecryptfs mcelog snd tty23 tty42 tty61 ttyS22 urandom vcsu3
fb0 mem stderr tty24 tty43 tty62 ttyS23 userio vcsu4
fd memory_bandwidth stdin tty25 tty44 tty63 ttyS24 vboxguest vcsu5
…
All host devices
Are you keeping hosts up to date with the latest security releases?
Are your secrets encrypted at rest and in transit?
$ kubectl get secret my-secret -o jsonpath="{.data.password}" | base64 --decode
Keepthissecret
$ sudo grep keepthissecret /var/lib/etcd/member/snap/db
Binary file /var/lib/etcd/member/snap/db matches
Encrypting secrets
- Encrypt etcd
- Or use a secrets manager like Vault, KMS, etc.
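An added example (not from the slides) that automates the grep above: scan snapshot bytes for a known Secret value and for the k8s:enc: prefix kube-apiserver puts on values written under an EncryptionConfiguration. The snapshot bytes are constructed stand-ins for /var/lib/etcd/member/snap/db; the provider names are the ones the EncryptionConfiguration API accepts.

```python
"""Raw scan of an etcd snapshot, the way the slide's grep works, to tell whether Secret
values sit in the clear or carry an encryption-provider prefix. A real db is a bbolt
file, so this is a byte scan, not a parser. Added example with constructed data."""
import base64
import re

# kube-apiserver stores encrypted resources as k8s:enc:<provider>:v<n>:<keyname>:<ciphertext>.
ENC_PREFIX = re.compile(rb"k8s:enc:(aescbc|aesgcm|secretbox|kms):v[12]:")
SECRETS_PREFIX = b"/registry/secrets/"

def providers_in_use(snapshot: bytes) -> set:
    """Names of encryption providers whose prefix appears anywhere in the snapshot."""
    return {m.group(1).decode() for m in ENC_PREFIX.finditer(snapshot)}

def secret_storage_verdict(snapshot: bytes, known_value: str) -> str:
    """'plaintext' if the known value is readable, 'encrypted' if Secret keys are stored
    only behind a provider prefix, 'absent' if no Secret keys are present."""
    raw = known_value.encode()
    # Match both the raw bytes (protobuf storage) and the base64 form (JSON storage).
    if raw in snapshot or base64.b64encode(raw) in snapshot:
        return "plaintext"
    if SECRETS_PREFIX in snapshot and providers_in_use(snapshot):
        return "encrypted"
    return "absent"

# Constructed: the unencrypted cluster from the slide, where grep finds the value.
PLAIN_DB = (b"\x00/registry/secrets/default/my-secret\x00k8s\x00v1\x12Secret"
            b"\x00password\x0eKeepthissecret\x00")
# Constructed: the same key after enabling an aescbc EncryptionConfiguration;
# the bytes after the key name stand in for ciphertext.
ENC_DB = (b"\x00/registry/secrets/default/my-secret\x00k8s:enc:aescbc:v1:key1:"
          + bytes(range(32)) + b"\x00")

if __name__ == "__main__":
    for label, db in (("plain", PLAIN_DB), ("encrypted", ENC_DB)):
        print(label, secret_storage_verdict(db, "Keepthissecret"), sorted(providers_in_use(db)))
```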
Can you prevent container drift?
Are your builds running separately from your production cluster?
Is all executable code added to a container image at build time?
Are you avoiding --privileged?
Are you keeping hosts up to date with the latest security releases?
Are your secrets encrypted at rest and in transit?
Can you prevent container drift?
@lizrice | @aquasecteam
info.aquasec.com
BeerSecOps Podcast Series – Presented by Steve Giguere
https://www.aquasec.com/resources/type/podcasts/
New Sessions Added!
Sign up at https://kubesec.aquasec.com/enterprise_online_series
"Achieving security and compliance in a large, multi-cluster Kubernetes fleet"
"Securing your Kubernetes Ingress through Gateway Deployment Patterns"
"How Security Evolves with your Kubernetes Footprint"
https://kubesec.aquasec.com/enterprise_online_series
Coming up next
Thank you
