SlideShare a Scribd company logo

Veer's Container Security

J
Jim Barlow

Container security involves securing containers at both the host and application level. At the host level, Linux technologies like namespaces, cgroups, SELinux, and seccomp provide isolation between containers. Container images are also scanned for vulnerabilities. The OpenShift platform provides additional security features like role-based access control, network policies, encrypted communications, and controls over privileged containers and storage. Application security best practices within containers include using HTTPS, securing secrets, and API management tools.

1 of 49
Downloaded 82 times
@OpenShift RHOpenShift Container Security Presenter: Veer Muchandi Title: Principal Architect - Container Solutions Social Handle: @VeerMuchandi Blogs: https://blog.openshift.com/author/veermuchandi/
What Are Containers? ● Sandboxed application processes on a shared Linux OS kernel ● Simpler, lighter, and denser than virtual machines ● Portable across different environments ● Package my application and all of its dependencies ● Deploy to any environment in seconds and enable CI/CD ● Easily access and share containerized components INFRASTRUCTURE APPLICATIONS It Depends on Who You Ask 2
Understanding Containers
Virtualization vs Containerization
Container Host Security Linux Technologies - Namespaces for Isolation - Seccomp - Read Only Mounts - SELinux - MCS - RHEL Atomic Base Image build your applications - RHEL or RHEL-Atomic
Linux Containers Architecture
Kernel provides process isolation by creating separate namespaces for containers PID namespaces allow processes in different containers to have the same PID Network namespaces allows container to use separate virtual network stack, loopback device and process space Mount namespaces isolate the set of file system mount points UTS namespaces isolate system identifiers – nodename and domainname IPC namespaces isolate certain interprocess communication (IPC) resources User allow you to specify a range of host UIDs dedicated to the container. A process can have full root privileges for operations inside the container.
Cgroups ensure that a single container cannot exhaust a large amount of system resources Cgroups allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks
9 SELinux and Multi Category Security ● Mandatory Access Control ● SElinux is a LABELING system ● Every Process has a Label ● Every file, Directory, System object has a Label ● Policy rules control access between labeled processes and labeled objects ● The Kernel enforces the rules
10 SELINUX - MAC - MCS - Process system_u:system_r:container_runtime_t:s0 SElinux Policy module for the container The OOTB SElinux policy container.te defines what you can execute and access with the label container_runtime_t [root@osemaster ~]# ps -efZ | grep docker-containerd-shim-current system_u:system_r:container_runtime_t:s0 root 3035 1479 0 Feb15 ? 00:00:01 /usr/bin/docker-containerd-shim-current 4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /var/run/docker/libcontainerd/4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /usr/libexec/docker/docker-runc-current
11 SELINUX - MAC - MCS - Files container_var_lib_t / svirt_sandbox_file_t SElinux Policy module for the container [root@osemaster ~]# ls -lZ /var/lib/docker/containers/97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737 / -rw-r-----. root root system_u:object_r:container_var_lib_t:s0 97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737-json.log -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 config.v2.json -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 hostconfig.json -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 hostname -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 hosts -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 resolv.conf -rw-r--r--. root root system_u:object_r:container_var_lib_t:s0 resolv.conf.hash drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 secrets drwx------. root root system_u:object_r:container_var_lib_t:s0 shm
12 SECCOMP - DROPPING PRIVILEGES FROM CONTAINERS CAP_SETPCAP CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_NET_ADMIN CAP_SYS_ADMIN Modify process capabilities Insert/Remove kernel modules Modify Kernel Memory Configure process accounting Modify Priority of processes Override Resource Limits Modify the system clock Configure tty devices Write the audit log Configure Audit Subsystem Ignore Kernel MAC Policy Configure MAC Configuration Modify Kernel printk behaviour Configure the network: - Setting the hostname/domainname - mount(),unmount() - nfsservctl - ….
13 SECCOMP - REMOVE PRIVILEGES FROM CONTAINERS A root user inside a container running in OpenShift has none of the previous capabilities available!
14 Read Only Mounts /sys /proc/sys /proc/sysrg-trigger /proc/irq /proc/bus
Container Build Time Security - Content in the containers, Trusted Containers - Responsibility of maintaining Container Images - Container Registry - RBAC, Public and Private Registries - Scanning for Vulnerabilities - Integrating Container Scanning and SAST into CI/CD - Future Vulnerabilities - Build Automation to rebuild during fixes
● Red Hat Container Registry ● Policies to control who can deploy which containers ● Certification Catalog ● Trusted content with security updates HOST OS CONTAINER OS RUNTIME APP HOST OS CONTAINER OS RUNTIME APP 16 Image governance and private registries ● What security meta-data is available for your images? ● Are the images in the registry updated regularly? ● Are there access controls on the registry? How strong are they? Trusting Container Content
Red Hat provides Trusted Container Images (registry.access.redhat.com) Languages: PHP, Python, Ruby, Perl, Node.js, Java, .Net Core Enterprise Grade JBoss Middleware: EWS, EAP, BPM, BRMS, RH SSO, Data Grid, DataVirt, 3Scale Databases: MySQL, Mongo, PostgreSQL, Maria CICD: Jenkins Partners Images: Container Certification by Red Hat. Publish fixes to the content in this registry and notify you.
18 Red Hat Registry: Container Health Index https://access.redhat.com/articles/2803031
Private Registries What if public registry (like DockerHub) is down? Enterprise security policies may not allow your Container Images to be pushed outside. Caching images in Private Registry - Atomic Registry with RBAC - JFrog Artifactory - Docker Trusted Registry
20 RESTRICT WHERE YOUR CONTAINERS COME FROM - name: allow-images-from-internal-registry onResources: - resource: pods - resource: builds matchIntegratedRegistry: false - name: allow-images-from-dockerhub onResources: - resource: pods - resource: builds matchRegistries: - docker.io
Responsibilities in the new paradigm Operations - Maintain Trusted OS Base Images (RHEL, RHEL-Atomic) - Ensure these are good with Linux Kernel System Engineers/Architects - Maintain Middleware Images - Control build process - S2I, CICD - Reference Architectures with Trusted middleware Development teams - Write code that layers on approved images - Ensure code is clean, opensource software vullnerabilities are handled
Container Scanning Frequency Scan containers as soon as they are created Scan containers that get into registry Ongoing basis- Identify any new vulnerabilities “Deny execution of containers that are vulnerable”
23 Scanning containers when created https://www.youtube.com/watch?v=65BnTLcDAJI Run the scan at this point
Scanning Tools Atomic Scan - configurable with different scanners OpenScap Scanner - also built into CloudForms BlackDuck JFrog XRay
25 Identify Vulnerabilites on an ongoing basis
26 Vulnerable? CloudForms takes Action!
27 Prevent Image From Running
28 Build Automation - when there are updated images
Container Platform Security - Authentication - Authorization - Running Privileged Containers - Network Isolation - Securing communication between hosts - Storage Security - Deploying workloads to specific hosts of your choice
API Authentication • OAuth Access Token – Obtained from OAuth server using endpoints – Sent as • X.509 Client Certs – HTTPS connection – API Server verifies against a trusted cert authority bundle – API Server creates and distributes certs to Controllers to authenticate themselves • Request with invalid token or cert gets a 401 • No cert or token gets system:anonymous user and system: unauthenticated virtual group <master>/oauth/authorize <master>/oauth/token Authorization: Bearer access_token=…​
Authentication OAuth Client OAuth Server Master Client Types: openshift-web-console openshift-browser-client openshift-challenging-client Identity Provider 1. Authentication Request 2. Determine Identity 3. Access token Configured Identity Providers: - LDAP - GitHub - GitLab - Google - OpenID Connect - HTPasswd Authentication Requests: <master>/oauth/authorize WWW-authenticate <master>/oauth/token/request
Authorization RoleBinding associates Users/Groups with Roles - Cluster RoleBindings - Project RoleBindings
33 Container Deployment Permissions (SCC)
Network Isolation with Network Policy Objects Add Network Policies To Allow Specific Incoming Traffic
35 Secured Communications between Hosts Secures cluster communications with IPsec ● Encryption between all Master and Node hosts (L3) ● Uses OpenShift CA and existing certificates ● Simple setup via policy defn ○ Groups (e.g. subnets) ○ Individual hosts Master P1 Nodes P2 172.16.0.0/16
36 Secure storage by using ● SELinux access controls ● Secure mounts ● Supplemental group IDs for shared storage Securing Storage attached to Containers
37 Isolate Workloads by labeling Nodes Node 1 east Node 2 east Node 1 west Node 2 west Master / Scheduler $ oadm new-project myproject --node-selector='type=user-node,region=east' pod pod
38 Securing federated clusters across data centers or environments ● Authentication and authorization ● API endpoints ● Secrets ● Namespaces FEDERATED CLUSTERS (Roadmap) ROLES & ACCESS MANAGEMENT Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016
39 FEDERATED CLUSTERS (Roadmap) ROLES & ACCESS MANAGEMENT Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016 API Repl Ctrl Ubernetes state API Repl Ctrl Kubernetes Cluster state API Repl Ctrl Kubernetes Cluster state
Application Security - Running as Containers - API Management - Red Hat Single Sign-on - HTTP(s) - Securing sensitivedata as Secrets - Calling services running outside a Container Platform
41 Container platform & application APIs ● Authentication and authorization ● LDAP integration ● End-point access controls ● Rate limiting API Management
No SSL My App http://myapp.mydomain.com Router My App My App
Edge Termination My App https://myapp.mydomain.com Router My App My App
Passthrough Termination My App https://myapp.mydomain.com Router My App My App
Reencrypt Termination My App https://myapp.mydomain.com Router My App My App
Secrets Sensitive Info: Passwords, Client Config files, dockercfg etc used by application containers provided as secrets Never come to rest on Nodes Stored in ETCD. Encrypted starting OCP 3.6.1 kubernetesMasterConfig: apiServerArguments: experimental-encryption-provider-config: - /path/to/encryption.config
47 Calling External Services using Egress Router The OpenShift egress router runs a service that redirects egress pod traffic to one or more specified remote servers, using a pre-defined source IP address that can be whitelisted on the remote server. NODE IP1 EGRESS ROUTER POD IP1 EGRESS SERVICE INTERNAL-IP:8080 EXTERNAL SERVICE Whitelist: IP1 POD POD POD ... - name: EGRESS_DESTINATION value: | 80 tcp 1.2.3.4 8080 tcp 5.6.7.8 80 8443 tcp 9.10.11.12 443 13.14.15.16 ...
Signing GPG Keyring policy.json Signed OpenShift Node OpenShift Registry image-auditor role gpg2 --gen-key atomic push --sign-by oc adm verify-image-signature Cluster Admin Unsecure Container Ansible for Key Propagation OpenShift Node Tenant Select from Content imageStreams templates images if/then sandboxProject productionProject nodeLabelSelector nodeLabelSelector 1 2 3 1 Tenant Usage Steps Cluster Admin Setup Steps 2 3 Upcoming!!
Thank you!!
Ad

Recommended

Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
Phil Estes
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016
Phil Estes
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Zach Hill
 
Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?Docker Security: Are Your Containers Tightly Secured to the Ship?
Docker Security: Are Your Containers Tightly Secured to the Ship?
Michael Boelen
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017
Gordon Haff
 
Docker security introduction-task-2016
Docker security introduction-task-2016Docker security introduction-task-2016
Docker security introduction-task-2016
Ricardo Gerardi
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
Docker, Inc.
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
Phil Estes
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
Delve Labs
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
Docker, Inc.
 
Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container Security
Dieter Reuter
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
Patrick Chanezon
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
Salman Baset
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Docker, Inc.
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
smart_bit
 
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
Docker, Inc.
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
Sreenivas Makam
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
Ronak Kogta
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
Docker, Inc.
 
Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015
Filipe Miranda
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
All Things Open
 
Ad

More Related Content

What's hot (20)

DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
Docker, Inc.
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
Phil Estes
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
Delve Labs
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
Docker, Inc.
 
Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container Security
Dieter Reuter
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
Patrick Chanezon
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
Salman Baset
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Docker, Inc.
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
smart_bit
 
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
Docker, Inc.
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
Sreenivas Makam
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
Ronak Kogta
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
Docker, Inc.
 
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
DockerCon EU 2015: Docker and PCI-DSS - Lessons learned in a security sensiti...
Docker, Inc.
 
Container Security
Container SecurityContainer Security
Container Security
Salman Baset
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
Anis LARGUEM
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Rooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in DockerRooting Out Root: User namespaces in Docker
Rooting Out Root: User namespaces in Docker
Phil Estes
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
Sreenivas Makam
 
Docker Security in Production Overview
Docker Security in Production OverviewDocker Security in Production Overview
Docker Security in Production Overview
Delve Labs
 
DockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker SecurityDockerCon SF 2015: Docker Security
DockerCon SF 2015: Docker Security
Docker, Inc.
 
Docker Security - Continuous Container Security
Docker Security - Continuous Container SecurityDocker Security - Continuous Container Security
Docker Security - Continuous Container Security
Dieter Reuter
 
Oscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to ProductionOscon London 2016 - Docker from Development to Production
Oscon London 2016 - Docker from Development to Production
Patrick Chanezon
 
Understanding container security
Understanding container securityUnderstanding container security
Understanding container security
John Kinsella
 
Docker Security and Content Trust
Docker Security and Content TrustDocker Security and Content Trust
Docker Security and Content Trust
ehazlett
 
A Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container PlatformsA Survey of Container Security in 2016: A Security Update on Container Platforms
A Survey of Container Security in 2016: A Security Update on Container Platforms
Salman Baset
 
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron GrattafioriThe Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
The Golden Ticket: Docker and High Security Microservices by Aaron Grattafiori
Docker, Inc.
 
Docker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and securityDocker, Linux Containers (LXC), and security
Docker, Linux Containers (LXC), and security
Jérôme Petazzoni
 
Docker and kernel security
Docker and kernel securityDocker and kernel security
Docker and kernel security
smart_bit
 
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
DockerCon EU 2015: Shipping Manifests, Bill of Lading and Docker Metadata and...
Docker, Inc.
 
Docker 1.11 Presentation
Docker 1.11 PresentationDocker 1.11 Presentation
Docker 1.11 Presentation
Sreenivas Makam
 
Docker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your containerDocker security: Rolling out Trust in your container
Docker security: Rolling out Trust in your container
Ronak Kogta
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
Docker, Inc.
 

Similar to Veer's Container Security (20)

Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015
Filipe Miranda
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
All Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Oscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby projectOscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby project
Patrick Chanezon
 
containerD
containerDcontainerD
containerD
strikr .
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
Nicolas De Loof
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
Arun prasath
 
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
LogeekNightUkraine
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualization
WSO2
 
Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7
Etsuji Nakai
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
Krishna-Kumar
 
High%20Level%20-%20OpenShift%204%20Technical%20Deep%20Dive%20-%202024%20-%20I...
High%20Level%20-%20OpenShift%204%20Technical%20Deep%20Dive%20-%202024%20-%20I...High%20Level%20-%20OpenShift%204%20Technical%20Deep%20Dive%20-%202024%20-%20I...
High%20Level%20-%20OpenShift%204%20Technical%20Deep%20Dive%20-%202024%20-%20I...
PutraChandra7
 
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Patrick Chanezon
 
Docker containers introduction and its usage
Docker containers introduction and its usageDocker containers introduction and its usage
Docker containers introduction and its usage
saurabh22062
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
Beyond static configuration
Beyond static configurationBeyond static configuration
Beyond static configuration
Stefan Schimanski
 
Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015Linux Containers and Docker SHARE.ORG Seattle 2015
Linux Containers and Docker SHARE.ORG Seattle 2015
Filipe Miranda
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
All Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container Platform
All Things Open
 
Oscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby projectOscon 2017: Build your own container-based system with the Moby project
Oscon 2017: Build your own container-based system with the Moby project
Patrick Chanezon
 
containerD
containerDcontainerD
containerD
strikr .
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
Salman Baset
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
Nicolas De Loof
 
Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment Docker - Demo on PHP Application deployment
Docker - Demo on PHP Application deployment
Arun prasath
 
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
Ivan Zhuravel and Ihor Khlaponin "DC/OS vs Kubernetes. Let the Fight Begin!"
LogeekNightUkraine
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualization
WSO2
 
Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7Linux Container Technology inside Docker with RHEL7
Linux Container Technology inside Docker with RHEL7
Etsuji Nakai
 
Container security
Container securityContainer security
Container security
Anthony Chow
 
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout SuiteCloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
Cloud Security Hardening та аудит хмарної безпеки за допомогою Scout Suite
OWASP Kyiv
 
Containers and workload security an overview
Containers and workload security an overview Containers and workload security an overview
Containers and workload security an overview
Krishna-Kumar
 
High%20Level%20-%20OpenShift%204%20Technical%20Deep%20Dive%20-%202024%20-%20I...
High%20Level%20-%20OpenShift%204%20Technical%20Deep%20Dive%20-%202024%20-%20I...High%20Level%20-%20OpenShift%204%20Technical%20Deep%20Dive%20-%202024%20-%20I...
High%20Level%20-%20OpenShift%204%20Technical%20Deep%20Dive%20-%202024%20-%20I...
PutraChandra7
 
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Docker Azure Friday OSS March 2017 - Developing and deploying Java & Linux on...
Patrick Chanezon
 
Docker containers introduction and its usage
Docker containers introduction and its usageDocker containers introduction and its usage
Docker containers introduction and its usage
saurabh22062
 
Keystone - Openstack Identity Service
Keystone - Openstack Identity Service Keystone - Openstack Identity Service
Keystone - Openstack Identity Service
Prasad Mukhedkar
 
Beyond static configuration
Beyond static configurationBeyond static configuration
Beyond static configuration
Stefan Schimanski
 
Ad

Recently uploaded (20)

Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New VersionF-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRYLEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
NidaFarooq10
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New VersionPixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
saimabibi60507
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AIScaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
Scaling GraphRAG: Efficient Knowledge Retrieval for Enterprise AI
danshalev
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
Societal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainabilitySocietal challenges of AI: biases, multilinguism and sustainability
Societal challenges of AI: biases, multilinguism and sustainability
Jordi Cabot
 
FL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full VersionFL Studio Producer Edition Crack 2025 Full Version
FL Studio Producer Edition Crack 2025 Full Version
tahirabibi60507
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New VersionF-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdfMicrosoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
Microsoft AI Nonprofit Use Cases and Live Demo_2025.04.30.pdf
TechSoup
 
Top 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docxTop 10 Client Portal Software Solutions for 2025.docx
Top 10 Client Portal Software Solutions for 2025.docx
Portli
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)Who Watches the Watchmen (SciFiDevCon 2025)
Who Watches the Watchmen (SciFiDevCon 2025)
Allon Mureinik
 
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Requirements in Engineering AI- Enabled Systems: Open Problems and Safe AI Sy...
Lionel Briand
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025PDF Reader Pro Crack Latest Version FREE Download 2025
PDF Reader Pro Crack Latest Version FREE Download 2025
mu394968
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRYLEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
LEARN SEO AND INCREASE YOUR KNOWLDGE IN SOFTWARE INDUSTRY
NidaFarooq10
 
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
How to Batch Export Lotus Notes NSF Emails to Outlook PST Easily?
steaveroggers
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New VersionPixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
saimabibi60507
 
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025Why Orangescrum Is a Game Changer for Construction Companies in 2025
Why Orangescrum Is a Game Changer for Construction Companies in 2025
Orangescrum
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Ad

Veer's Container Security

  • 1. @OpenShift RHOpenShift Container Security Presenter: Veer Muchandi Title: Principal Architect - Container Solutions Social Handle: @VeerMuchandi Blogs: https://blog.openshift.com/author/veermuchandi/
  • 2. What Are Containers? ● Sandboxed application processes on a shared Linux OS kernel ● Simpler, lighter, and denser than virtual machines ● Portable across different environments ● Package my application and all of its dependencies ● Deploy to any environment in seconds and enable CI/CD ● Easily access and share containerized components INFRASTRUCTURE APPLICATIONS It Depends on Who You Ask 2
  • 5. Container Host Security Linux Technologies - Namespaces for Isolation - Seccomp - Read Only Mounts - SELinux - MCS - RHEL Atomic Base Image build your applications - RHEL or RHEL-Atomic
  • 7. Kernel provides process isolation by creating separate namespaces for containers PID namespaces allow processes in different containers to have the same PID Network namespaces allows container to use separate virtual network stack, loopback device and process space Mount namespaces isolate the set of file system mount points UTS namespaces isolate system identifiers – nodename and domainname IPC namespaces isolate certain interprocess communication (IPC) resources User allow you to specify a range of host UIDs dedicated to the container. A process can have full root privileges for operations inside the container.
  • 8. Cgroups ensure that a single container cannot exhaust a large amount of system resources Cgroups allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks
  • 9. 9 SELinux and Multi Category Security ● Mandatory Access Control ● SElinux is a LABELING system ● Every Process has a Label ● Every file, Directory, System object has a Label ● Policy rules control access between labeled processes and labeled objects ● The Kernel enforces the rules
  • 10. 10 SELINUX - MAC - MCS - Process system_u:system_r:container_runtime_t:s0 SElinux Policy module for the container The OOTB SElinux policy container.te defines what you can execute and access with the label container_runtime_t [root@osemaster ~]# ps -efZ | grep docker-containerd-shim-current system_u:system_r:container_runtime_t:s0 root 3035 1479 0 Feb15 ? 00:00:01 /usr/bin/docker-containerd-shim-current 4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /var/run/docker/libcontainerd/4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /usr/libexec/docker/docker-runc-current
  • 11. 11 SELINUX - MAC - MCS - Files container_var_lib_t / svirt_sandbox_file_t SElinux Policy module for the container [root@osemaster ~]# ls -lZ /var/lib/docker/containers/97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737 / -rw-r-----. root root system_u:object_r:container_var_lib_t:s0 97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737-json.log -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 config.v2.json -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 hostconfig.json -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 hostname -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 hosts -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 resolv.conf -rw-r--r--. root root system_u:object_r:container_var_lib_t:s0 resolv.conf.hash drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 secrets drwx------. root root system_u:object_r:container_var_lib_t:s0 shm
  • 12. 12 SECCOMP - DROPPING PRIVILEGES FROM CONTAINERS CAP_SETPCAP CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_NET_ADMIN CAP_SYS_ADMIN Modify process capabilities Insert/Remove kernel modules Modify Kernel Memory Configure process accounting Modify Priority of processes Override Resource Limits Modify the system clock Configure tty devices Write the audit log Configure Audit Subsystem Ignore Kernel MAC Policy Configure MAC Configuration Modify Kernel printk behaviour Configure the network: - Setting the hostname/domainname - mount(),unmount() - nfsservctl - ….
  • 13. 13 SECCOMP - REMOVE PRIVILEGES FROM CONTAINERS A root user inside a container running in OpenShift has none of the previous capabilities available!
  • 15. Container Build Time Security - Content in the containers, Trusted Containers - Responsibility of maintaining Container Images - Container Registry - RBAC, Public and Private Registries - Scanning for Vulnerabilities - Integrating Container Scanning and SAST into CI/CD - Future Vulnerabilities - Build Automation to rebuild during fixes
  • 16. ● Red Hat Container Registry ● Policies to control who can deploy which containers ● Certification Catalog ● Trusted content with security updates HOST OS CONTAINER OS RUNTIME APP HOST OS CONTAINER OS RUNTIME APP 16 Image governance and private registries ● What security meta-data is available for your images? ● Are the images in the registry updated regularly? ● Are there access controls on the registry? How strong are they? Trusting Container Content
  • 17. Red Hat provides Trusted Container Images (registry.access.redhat.com) Languages: PHP, Python, Ruby, Perl, Node.js, Java, .Net Core Enterprise Grade JBoss Middleware: EWS, EAP, BPM, BRMS, RH SSO, Data Grid, DataVirt, 3Scale Databases: MySQL, Mongo, PostgreSQL, Maria CICD: Jenkins Partners Images: Container Certification by Red Hat. Publish fixes to the content in this registry and notify you.
  • 18. 18 Red Hat Registry: Container Health Index https://access.redhat.com/articles/2803031
  • 19. Private Registries What if public registry (like DockerHub) is down? Enterprise security policies may not allow your Container Images to be pushed outside. Caching images in Private Registry - Atomic Registry with RBAC - JFrog Artifactory - Docker Trusted Registry
  • 20. 20 RESTRICT WHERE YOUR CONTAINERS COME FROM - name: allow-images-from-internal-registry onResources: - resource: pods - resource: builds matchIntegratedRegistry: false - name: allow-images-from-dockerhub onResources: - resource: pods - resource: builds matchRegistries: - docker.io
  • 21. Responsibilities in the new paradigm Operations - Maintain Trusted OS Base Images (RHEL, RHEL-Atomic) - Ensure these are good with Linux Kernel System Engineers/Architects - Maintain Middleware Images - Control build process - S2I, CICD - Reference Architectures with Trusted middleware Development teams - Write code that layers on approved images - Ensure code is clean, opensource software vullnerabilities are handled
  • 22. Container Scanning Frequency Scan containers as soon as they are created Scan containers that get into registry Ongoing basis- Identify any new vulnerabilities “Deny execution of containers that are vulnerable”
  • 23. 23 Scanning containers when created https://www.youtube.com/watch?v=65BnTLcDAJI Run the scan at this point
  • 24. Scanning Tools Atomic Scan - configurable with different scanners OpenScap Scanner - also built into CloudForms BlackDuck JFrog XRay
  • 25. 25 Identify Vulnerabilites on an ongoing basis
  • 28. 28 Build Automation - when there are updated images
  • 29. Container Platform Security - Authentication - Authorization - Running Privileged Containers - Network Isolation - Securing communication between hosts - Storage Security - Deploying workloads to specific hosts of your choice
  • 30. API Authentication • OAuth Access Token – Obtained from OAuth server using endpoints – Sent as • X.509 Client Certs – HTTPS connection – API Server verifies against a trusted cert authority bundle – API Server creates and distributes certs to Controllers to authenticate themselves • Request with invalid token or cert gets a 401 • No cert or token gets system:anonymous user and system: unauthenticated virtual group <master>/oauth/authorize <master>/oauth/token Authorization: Bearer access_token=…​
  • 31. Authentication OAuth Client OAuth Server Master Client Types: openshift-web-console openshift-browser-client openshift-challenging-client Identity Provider 1. Authentication Request 2. Determine Identity 3. Access token Configured Identity Providers: - LDAP - GitHub - GitLab - Google - OpenID Connect - HTPasswd Authentication Requests: <master>/oauth/authorize WWW-authenticate <master>/oauth/token/request
  • 32. Authorization RoleBinding associates Users/Groups with Roles - Cluster RoleBindings - Project RoleBindings
  • 34. Network Isolation with Network Policy Objects Add Network Policies To Allow Specific Incoming Traffic
  • 35. 35 Secured Communications between Hosts Secures cluster communications with IPsec ● Encryption between all Master and Node hosts (L3) ● Uses OpenShift CA and existing certificates ● Simple setup via policy defn ○ Groups (e.g. subnets) ○ Individual hosts Master P1 Nodes P2 172.16.0.0/16
  • 36. 36 Secure storage by using ● SELinux access controls ● Secure mounts ● Supplemental group IDs for shared storage Securing Storage attached to Containers
  • 37. 37 Isolate Workloads by labeling Nodes Node 1 east Node 2 east Node 1 west Node 2 west Master / Scheduler $ oadm new-project myproject --node-selector='type=user-node,region=east' pod pod
  • 38. 38 Securing federated clusters across data centers or environments ● Authentication and authorization ● API endpoints ● Secrets ● Namespaces FEDERATED CLUSTERS (Roadmap) ROLES & ACCESS MANAGEMENT Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016
  • 39. 39 FEDERATED CLUSTERS (Roadmap) ROLES & ACCESS MANAGEMENT Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016 API Repl Ctrl Ubernetes state API Repl Ctrl Kubernetes Cluster state API Repl Ctrl Kubernetes Cluster state
  • 40. Application Security - Running as Containers - API Management - Red Hat Single Sign-on - HTTP(s) - Securing sensitivedata as Secrets - Calling services running outside a Container Platform
  • 41. 41 Container platform & application APIs ● Authentication and authorization ● LDAP integration ● End-point access controls ● Rate limiting API Management
  • 46. Secrets Sensitive Info: Passwords, Client Config files, dockercfg etc used by application containers provided as secrets Never come to rest on Nodes Stored in ETCD. Encrypted starting OCP 3.6.1 kubernetesMasterConfig: apiServerArguments: experimental-encryption-provider-config: - /path/to/encryption.config
  • 47. 47 Calling External Services using Egress Router The OpenShift egress router runs a service that redirects egress pod traffic to one or more specified remote servers, using a pre-defined source IP address that can be whitelisted on the remote server. NODE IP1 EGRESS ROUTER POD IP1 EGRESS SERVICE INTERNAL-IP:8080 EXTERNAL SERVICE Whitelist: IP1 POD POD POD ... - name: EGRESS_DESTINATION value: | 80 tcp 1.2.3.4 8080 tcp 5.6.7.8 80 8443 tcp 9.10.11.12 443 13.14.15.16 ...
  • 48. Signing GPG Keyring policy.json Signed OpenShift Node OpenShift Registry image-auditor role gpg2 --gen-key atomic push --sign-by oc adm verify-image-signature Cluster Admin Unsecure Container Ansible for Key Propagation OpenShift Node Tenant Select from Content imageStreams templates images if/then sandboxProject productionProject nodeLabelSelector nodeLabelSelector 1 2 3 1 Tenant Usage Steps Cluster Admin Setup Steps 2 3 Upcoming!!