SlideShare ist ein Scribd-Unternehmen logo

Securing Applications and Pipelines on a Container Platform

All Things Open
All Things Open

Presented at: All Things Open 2019 Presented by: Veer Muchandi, Red Hat Inc

Technologie
1 von 63
Downloaden Sie, um offline zu lesen
@OpenShift RHOpenShift Securing Applications on a Container Platform Presenter: Veer Muchandi Title: Chief Architect, Container Solutions, NACS Social Handle: @VeerMuchandi Blogs: https://blog.openshift.com/author/veermuchandi/
Session Goals Considerations for Security on a Container Platform Containers - A quick look Container Security at Host Operating System Container Security at Build time Container Security at Runtime Container Platform (K8S Cluster) - Additional Security Features Application Security
Understanding Containers
Common Misunderstanding
Right Way
Can malicious containers steal info?
Can bad processes choke others?
How can processes with different technologies coexist?
Container separation ● Containers all share the same kernel ● Containers security is about controlling the access to the kernel ● Limit the ability of the container to negatively impact ○ the infrastructure ○ other containers
Container Security Importance of Host OS And Windows
Linux Containers Architecture
Isolation with Linux Namespaces PID namespace The first process is pid 1 in the container. Namespace destroyed as PID exits. Cannot see/signal processes in parent pid namespace or other pid namespaces Network namespace Allows container to use separate virtual network stack, loopback device and process space veth pairs are created to add interfaces from initial network namespace to container network namespace Mount namespace Isolate the set of file system mount points. Mount sys directories as read only and nodev Each process gets its own mount table i.e. view of the filesystem UTS namespace isolate system identifiers – hostname and domain name I IPC namespace isolate certain interprocess communication (IPC) resources User namespace Allow you to specify a range of host UIDs dedicated to the container. A process can have full root privileges for operations inside the container mapped to non-root user on host.
Linux CGroups Ensures that a single container cannot exhaust a large amount of system resources CGroups allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks In a container: # ls /sys/fs/cgroup/ blkio cpu cpuacct cpuacct,cpu cpuset devices freezer hugetlb memory net_cls net_prio net_prio,net_cls perf_event pids systemd # cat /sys/fs/cgroup/cpu/cpu.shares 2 # cat /sys/fs/cgroup/memory/memory.limit_in_bytes 9223372036854771712 Device CGroups ● specify which device nodes can be used within the container ● blocks the processes from creating and using device nodes that could be used to attack the host.
14 SELinux and Type Enforcement ● Implements Mandatory Access Control ● A LABELING system ● Every process has a LABEL. Every file, directory, and system object has a LABEL ● Policy rules control access between labeled processes and labeled objects ● The kernel enforces the rules. ● Type Enforcement protects the host system from container processes All container processes run with type svirt_lxc_net_t Content within the container is labeled with type svirt_sandbox_file_t svirt_lxc_net_t ● allowed to manage any content labeled svirt_sandbox_file_t ● able to read/execute most labels under /usr on the host ● not allowed to open/write to any other labels on the system ● not allowed to read any default labels in /var, /root, /home etc
MCS protects Containers from each other Based on Multi Level Security (MLS) Docker Daemon picks out unique random MCS Label s0:c1,c2 Assigns MCS Label to all content Launches the container processes with same label Container Processes can only read/write their own files - Kernel enforces this Multi Category Security (MCS) Enforcement
https://people.redhat.com/duffy/selinux/seli nux-coloring-book_A4-Stapled.pdf
17 CAP_SETPCAP CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_NET_ADMIN CAP_SYS_ADMIN Modify process capabilities Insert/Remove kernel modules Modify Kernel Memory Configure process accounting Modify Priority of processes Override Resource Limits Modify the system clock Configure tty devices Write the audit log Configure Audit Subsystem Ignore Kernel MAC Policy Configure MAC Configuration Modify Kernel printk behaviour Configure the network: Catch all - Setting the hostname/domainname - mount(),unmount() - nfsservctl - …. Linux Capabilities Kernel 2.2 divides root privileges into 32 distinct capabilities Root user with all capabilities is all powerful!!
Drop Capabilities ● chown the ability to make arbitrary changes to file UIDs and GIDs ● dac_override allows root to bypass file read, write, and execute permission checks ● fowner ability to bypass permission checks on operations where the filesystem process UID should match file UID ● fsetid override file owner and group reqmts when setting setuid or setgid bits on a file ● kill root owned process can send kill signals to non root processes ● setpcap a process can change its current capability set within its bounding set ● net_bind_service you can bind to privileged ports (e.g., those below 1024) ● net_raw allows a process to spy on packets on its network ● sys_chroot allows your processes to chroot into a different rootfs ● mknod allows your processes to create device nodes ● audit_write you can write a message to kernel auditing log ● set_fcap allows you to set file capabilities on a file system Default capabilities available for privileged processes in a Docker Container Do really think containers need these default capabilities in production ?? A good strategy is to drop all capabilities and just add the needed ones back.. Example # docker run -d --cap-add SYS_TIME ntpd
Secure Computing Mode - Seccomp Filters system calls from a container to the kernel. Uses Berkeley Packet Filter (BPF) system Children to a container process will inherit the BPF filter Provides more fine-grained control than capabilities, giving an attacker a limited number of syscalls from the container Restricted and allowed calls are arranged in profiles, pass different profiles to different containers Specify your own policy # podman run --security-opt seccomp=/path/to/custom/profile.json <container>
20 Read Only Mounts Linux kernel file systems have to be mounted in a container environment or processes would fail to run Fortunately, most of these file systems can be mounted as "read-only" on RHEL. /sys /proc/sys /proc/sysrg-trigger /proc/irq /proc/bus OpenShift also blocks the ability of the privileged container processes from re-mounting the file systems as read/write
Container Build Time Security
● Red Hat Container Registry ● Policies to control who can deploy which containers ● Certification Catalog ● Trusted content with security updates HOST OS CONTAINER OS RUNTIME APP HOST OS CONTAINER OS RUNTIME APP 22 Image governance and private registries ● What security meta-data is available for your images? ● Are the images in the registry updated regularly? ● Are there access controls on the registry? How strong are they? Trusting Container Content
Trusted containers from known sources that provide certified and supported images. Example Red Hat provides Trusted Container Images (registry.redhat.io) as part of OpenShift Service Catalog. Publish fixes to the content in this registry and notify you. Languages: PHP, Python, Ruby, Perl, Node.js, Java, .Net Core Enterprise Grade JBoss Middleware: EWS, EAP, BPM, BRMS, RH SSO, Data Grid, DataVirt, 3Scale Databases: MySQL, Mongo, PostgreSQL, Maria CICD: Jenkins Partners Images: Container Certification by Red Hat. Trusted Container Content
24 Container Health Index https://access.redhat.com/articles/2803031
Container Image Provenance ● Did the image come from a trusted source? ● Are you verifying image signatures? ● Are you signing container images? $ podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar Example: Image signing with Podman
Private Registries Enterprise security policies may not allow your Container Images to be pushed to a registry outside. Or what if public registry (like DockerHub) is down? Caching images in Private Registry - Red Hat’s Quay - JFrog Artifactory - Docker Trusted Registry
27 Restrict Registry Sources $ oc edit images.config.openshift.io cluster spec: registrySources: blockedRegistries: - docker.io Example: Restricting Container Registries in OpenShift ● Restrict pulling images from specific registries of your choice
Container Image Management Responsibilities Operations/ Infrastructure admin - Maintain Trusted OS Base Images (RHEL, RHEL-Atomic) - Ensure these are good with Linux Kernel Middleware Engineers/Architects - Maintain Middleware Images - Control build process - S2I, CICD - Reference Architectures with Trusted middleware Development teams - Write code that layers on approved images - Ensure code is clean, open source software vulnerabilities are handled
Securing Pipelines and Runtime
Container Scanning Frequency Scan containers as soon as they are created Scan containers that get into enterprise registry Ongoing basis- Identify any new vulnerabilities
31 Scanning Containers at Creation https://www.youtube.com/watch?v=65BnTLcDAJI Run image scan at this point
Scanning Tools on an Ongoing basis Claire scanner with Red Hat’s Quay BlackDuck JFrog XRay Twistlock Sysdig
Additional Container Platform Security Features
API Authentication • OAuth Access Token – Obtained from OAuth server using endpoints – Sent as • X.509 Client Certs – HTTPS connection – API Server verifies against a trusted cert authority bundle – API Server creates and distributes certs to Controllers to authenticate themselves • Request with invalid token or cert gets a 401 • No cert or token gets system:anonymous user and system: unauthenticated virtual group <master>/oauth/authorize <master>/oauth/token Authorization: Bearer access_token=…
Authentication OAuth Client OAuth Server Master Client Types: openshift-web-console openshift-browser-client openshift-challenging-client Identity Provider 1. Authentication Request 2. Determine Identity 3. Access token Configured Identity Providers: - LDAP - GitHub - GitLab - Google - OpenID Connect - HTPasswd - Keystone Authentication Requests: <master>/oauth/authorize WWW-authenticate <master>/oauth/token/request
Authorization RoleBinding associates Users/Groups with Roles - Cluster RoleBindings - Project RoleBindings In Kubernetes, containers in pods run with the role assigned to a special user called Service Account
37 Container Deployment Permissions with Pod Security Policies (PSP) or with SCC
38 Secured Communications between Hosts Secures cluster communications with IPsec ● Encryption between all Master and Node hosts (L3) ● Uses OpenShift CA and existing certificates ● Simple setup via policy defn ○ Groups (e.g. subnets) ○ Individual hosts Master P1 Nodes P2 172.16.0.0/16
Microsegmentation with Network Policy Objects ● Lock everything by default ● Add Network Policies to allow specific ingress traffic
40 Secure storage by using ● SELinux access controls ● Secure mounts ● Supplemental group IDs for shared storage Securing Storage attached to Containers
41 Isolate Workloads by labeling Nodes Node 1 east Node 2 east Node 1 west Node 2 west Master / Scheduler $ oadm new-project myproject --node-selector='type=user-node,region=east' pod pod
Securing Applications (running as containers)
Single-Sign On Client-Side Web App Mobile App KeyCloak Service 1 Service 2 User 1 Auth Token Token Token Service 3 Token ● Open source access & identity manager ● Supports OIDC (OAuth) and SAML ● Identity Brokering ● Identity Federation with LDAP directory services ● Client libraries for JavaEE, Spring, Node.js, & more ● Event auditing ● Based on upstream Keycloak project KeyCloak
44 Container platform & application APIs ● Authentication and authorization ● LDAP integration ● End-point access controls ● Rate limiting API Management
SSL at Ingress My App https://myapp.mydomain.com Router My AppMy App Edge termination My App https://myapp.mydomain.com Router My App My App Passthrough termination My App https://myapp.mydomain.com Router My AppMy App Reencrypt
Secrets Sensitive Info: Passwords, Client Config files, dockercfg etc used by application containers provided as secrets Never come to rest on Nodes Stored in etcd and encrypted kubernetesMasterConfig: apiServerArguments: experimental-encryption-provider-config: - /path/to/encryption.config
47 Calling External Services using Egress Router The OpenShift egress router runs a service that redirects egress pod traffic to one or more specified remote servers, using a pre-defined source IP address that can be whitelisted on the remote server. NODE IP1 EGRESS ROUTER POD IP1 EGRESS SERVICE INTERNAL-IP:8080 EXTERNAL SERVICE Whitelist: IP1 POD POD POD ... - name: EGRESS_DESTINATION value: | 80 tcp 1.2.3.4 8080 tcp 5.6.7.8 80 8443 tcp 9.10.11.12 443 13.14.15.16 ...
Securing Microservices on Service Mesh
Istio Concepts - Sidecar Proxy 49 SideCar Proxy - Intercepts all network communication between microservices - Encapsulates Service Infrastructure code - Application code (business logic) unaware of Sidecar proxy - Examples - Linkerd, Envoy
Istio Concepts - Service Mesh 50 Network of Microservices Service Mesh is a dedicated infrastructure layer to handle service-service communications Typically implemented as an array of lightweight network proxies deployed alongside application code Interconnected Proxies form a mesh network
Istio Service Mesh on OpenShift Connect, Manage, and Secure Microservices, transparently ● Intelligent Routing ● Load Balancing ● Service Resilience ● Telemetry and Reporting ● Policy Enforcement ● Content based Filtering (Layer 7) ● mTLS between services ● East-West traffic control
Application Traffic Encryption with Istio Auth Uses Service Account as Identity. SPIFFE Id format spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> Mutual TLS between sidecars Istio CA - Generate cert pair and SPIFFE key for each SA - Distribute key and cert pairs - Rotate keys and certs periodically - Revoke key and cert when need
API Management SSL Secrets Connecting to external services Summary: Application Security
Questions
@OpenShift RHOpenShift Thank you!!
62 SELINUX - MAC - MCS - Process system_u:system_r:container_runtime_t:s0 SElinux Policy module for the container The OOTB SElinux policy container.te defines what you can execute and access with the label container_runtime_t [root@osemaster ~]# ps -efZ | grep docker-containerd-shim-current system_u:system_r:container_runtime_t:s0 root 3035 1479 0 Feb15 ? 00:00:01 /usr/bin/docker-containerd-shim-current 4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /var/run/docker/libcontainerd/4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /usr/libexec/docker/docker-runc-current
63 SELINUX - MAC - MCS - Files container_var_lib_t / svirt_sandbox_file_t SElinux Policy module for the container [root@osemaster ~]# ls -lZ /var/lib/docker/containers/97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737 / -rw-r-----. root root system_u:object_r:container_var_lib_t:s0 97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737-json.log -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 config.v2.json -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 hostconfig.json -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 hostname -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 hosts -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 resolv.conf -rw-r--r--. root root system_u:object_r:container_var_lib_t:s0 resolv.conf.hash drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 secrets drwx------. root root system_u:object_r:container_var_lib_t:s0 shm

Empfohlen

Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAll Things Open
 
Introduction to Containers: From Docker to Kubernetes and everything in-between
Introduction to Containers: From Docker to Kubernetes and everything in-betweenIntroduction to Containers: From Docker to Kubernetes and everything in-between
Introduction to Containers: From Docker to Kubernetes and everything in-betweenAll Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...All Things Open
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
What you most likely did not know about sudo…
What you most likely did not know about sudo…What you most likely did not know about sudo…
What you most likely did not know about sudo…All Things Open
 

Empfohlen

Advanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAdvanced Blockchain Technologies on Privacy and Scalability
Advanced Blockchain Technologies on Privacy and ScalabilityAll Things Open
 
Introduction to Containers: From Docker to Kubernetes and everything in-between
Introduction to Containers: From Docker to Kubernetes and everything in-betweenIntroduction to Containers: From Docker to Kubernetes and everything in-between
Introduction to Containers: From Docker to Kubernetes and everything in-betweenAll Things Open
 
Securing Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformSecuring Applications and Pipelines on a Container Platform
Securing Applications and Pipelines on a Container PlatformAll Things Open
 
How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016How Secure Is Your Container? ContainerCon Berlin 2016
How Secure Is Your Container? ContainerCon Berlin 2016Phil Estes
 
Docker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxDocker Security - Secure Container Deployment on Linux
Docker Security - Secure Container Deployment on LinuxMichael Boelen
 
Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...Containers in depth – understanding how containers work to better work with c...
Containers in depth – understanding how containers work to better work with c...All Things Open
 
Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Ten layers of container security for CloudCamp Nov 2017
Ten layers of container security for CloudCamp Nov 2017Gordon Haff
 
What you most likely did not know about sudo…
What you most likely did not know about sudo…What you most likely did not know about sudo…
What you most likely did not know about sudo…All Things Open
 
Integrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsIntegrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsAll Things Open
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Jose Manuel Ortega Candel
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images SecurityJose Manuel Ortega Candel
 
Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...All Things Open
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Everything you need to know about containers security
Everything you need to know about containers securityEverything you need to know about containers security
Everything you need to know about containers securityJose Manuel Ortega Candel
 
Testing Docker Images Security -NcN edition
Testing Docker Images Security -NcN editionTesting Docker Images Security -NcN edition
Testing Docker Images Security -NcN editionJose Manuel Ortega Candel
 
Red Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerRed Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerJustin Bui
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
A Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeA Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeAll Things Open
 
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTP
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTPConnecting microcontrollers to the cloud using MQTT, BLE, and HTTP
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTPAll Things Open
 
Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era nexB Inc.
 
Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Phil Estes
 
Secure Substrate: Least Privilege Container Deployment
Secure Substrate: Least Privilege Container Deployment Secure Substrate: Least Privilege Container Deployment
Secure Substrate: Least Privilege Container Deployment Docker, Inc.
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryDocker, Inc.
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 
Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisorChing-Hsuan Yen
 

Weitere ähnliche Inhalte

Was ist angesagt?

Integrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsIntegrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsAll Things Open
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Jose Manuel Ortega Candel
 
Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...All Things Open
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityPhil Estes
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container PlatformAll Things Open
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Zach Hill
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Everything you need to know about containers security
Everything you need to know about containers securityEverything you need to know about containers security
Everything you need to know about containers securityJose Manuel Ortega Candel
 
Red Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerRed Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerJustin Bui
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingPhil Estes
 
A Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeA Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeAll Things Open
 
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTP
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTPConnecting microcontrollers to the cloud using MQTT, BLE, and HTTP
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTPAll Things Open
 
Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era nexB Inc.
 
Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Phil Estes
 
Secure Substrate: Least Privilege Container Deployment
Secure Substrate: Least Privilege Container Deployment Secure Substrate: Least Privilege Container Deployment
Secure Substrate: Least Privilege Container Deployment Docker, Inc.
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryDocker, Inc.
 
Container Security
Container SecurityContainer Security
Container SecuritySalman Baset
 

Was ist angesagt? (20)

Integrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source ToolsIntegrating Linux Systems with Active Directory Using Open Source Tools
Integrating Linux Systems with Active Directory Using Open Source Tools
 
Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017Testing Docker Security Linuxlab 2017
Testing Docker Security Linuxlab 2017
 
Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017Testing Docker Images Security -All day dev ops 2017
Testing Docker Images Security -All day dev ops 2017
 
Testing Docker Images Security
Testing Docker Images SecurityTesting Docker Images Security
Testing Docker Images Security
 
Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...Containers in depth – Understanding how containers work to better work with c...
Containers in depth – Understanding how containers work to better work with c...
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
 
Security on a Container Platform
Security on a Container PlatformSecurity on a Container Platform
Security on a Container Platform
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
 
Container security
Container securityContainer security
Container security
 
Everything you need to know about containers security
Everything you need to know about containers securityEverything you need to know about containers security
Everything you need to know about containers security
 
Testing Docker Images Security -NcN edition
Testing Docker Images Security -NcN editionTesting Docker Images Security -NcN edition
Testing Docker Images Security -NcN edition
 
Red Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift MessengerRed Teaming macOS Environments with Hermes the Swift Messenger
Red Teaming macOS Environments with Hermes the Swift Messenger
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're Going
 
A Tour of Open Source on the Mainframe
A Tour of Open Source on the MainframeA Tour of Open Source on the Mainframe
A Tour of Open Source on the Mainframe
 
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTP
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTPConnecting microcontrollers to the cloud using MQTT, BLE, and HTTP
Connecting microcontrollers to the cloud using MQTT, BLE, and HTTP
 
Managing Open Source software in the Docker era
Managing Open Source software in the Docker era Managing Open Source software in the Docker era
Managing Open Source software in the Docker era
 
Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016Innovating Out In The Open - OSCON 2016
Innovating Out In The Open - OSCON 2016
 
Secure Substrate: Least Privilege Container Deployment
Secure Substrate: Least Privilege Container Deployment Secure Substrate: Least Privilege Container Deployment
Secure Substrate: Least Privilege Container Deployment
 
LlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and NotaryLlinuxKit security, Security Scanning and Notary
LlinuxKit security, Security Scanning and Notary
 
Container Security
Container SecurityContainer Security
Container Security
 

Ähnlich wie Securing Applications and Pipelines on a Container Platform

Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudSalman Baset
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisorChing-Hsuan Yen
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container SecurityPhil Estes
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization WSO2
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationImesh Gunaratne
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationWSO2
 
Container security
Container securityContainer security
Container securityAnthony Chow
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemdAlison Chaiken
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container SecurityJim Barlow
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Neeraj Shrimali
 
Introduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & ContainersIntroduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & ContainersVaibhav Sharma
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security ParadigmAnis LARGUEM
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security OverviewSreenivas Makam
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetesTed Jung
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Walid Shaari
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A PrimerPhil Estes
 
Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Anthony Wong
 

Ähnlich wie Securing Applications and Pipelines on a Container Platform (20)

Unraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production CloudUnraveling Docker Security: Lessons From a Production Cloud
Unraveling Docker Security: Lessons From a Production Cloud
 
Secure container: Kata container and gVisor
Secure container: Kata container and gVisorSecure container: Kata container and gVisor
Secure container: Kata container and gVisor
 
Docker London: Container Security
Docker London: Container SecurityDocker London: Container Security
Docker London: Container Security
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualization
 
Container security
Container securityContainer security
Container security
 
Automotive Grade Linux and systemd
Automotive Grade Linux and systemdAutomotive Grade Linux and systemd
Automotive Grade Linux and systemd
 
Veer's Container Security
Veer's Container SecurityVeer's Container Security
Veer's Container Security
 
Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup. Linux container, namespaces & CGroup.
Linux container, namespaces & CGroup.
 
First steps on CentOs7
First steps on CentOs7First steps on CentOs7
First steps on CentOs7
 
Introduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & ContainersIntroduction to OS LEVEL Virtualization & Containers
Introduction to OS LEVEL Virtualization & Containers
 
Docker Security Paradigm
Docker Security ParadigmDocker Security Paradigm
Docker Security Paradigm
 
Docker Security Overview
Docker Security OverviewDocker Security Overview
Docker Security Overview
 
Container & kubernetes
Container & kubernetesContainer & kubernetes
Container & kubernetes
 
Dockers zero to hero
Dockers zero to heroDockers zero to hero
Dockers zero to hero
 
Exploring Docker Security
Exploring Docker SecurityExploring Docker Security
Exploring Docker Security
 
Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...Containers - Portable, repeatable user-oriented application delivery. Build, ...
Containers - Portable, repeatable user-oriented application delivery. Build, ...
 
Securing Containerized Applications: A Primer
Securing Containerized Applications: A PrimerSecuring Containerized Applications: A Primer
Securing Containerized Applications: A Primer
 
Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势Linux 开源操作系统发展新趋势
Linux 开源操作系统发展新趋势
 

Mehr von All Things Open

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityAll Things Open
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best PracticesAll Things Open
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public PolicyAll Things Open
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...All Things Open
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashAll Things Open
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptAll Things Open
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?All Things Open
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractAll Things Open
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlowAll Things Open
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and SuccessAll Things Open
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with BackgroundAll Things Open
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblyAll Things Open
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksAll Things Open
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptAll Things Open
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramAll Things Open
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceAll Things Open
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamAll Things Open
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in controlAll Things Open
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsAll Things Open
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...All Things Open
 

Mehr von All Things Open (20)

Building Reliability - The Realities of Observability
Building Reliability - The Realities of ObservabilityBuilding Reliability - The Realities of Observability
Building Reliability - The Realities of Observability
 
Modern Database Best Practices
Modern Database Best PracticesModern Database Best Practices
Modern Database Best Practices
 
Open Source and Public Policy
Open Source and Public PolicyOpen Source and Public Policy
Open Source and Public Policy
 
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
Weaving Microservices into a Unified GraphQL Schema with graph-quilt - Ashpak...
 
The State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil NashThe State of Passwordless Auth on the Web - Phil Nash
The State of Passwordless Auth on the Web - Phil Nash
 
Total ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScriptTotal ReDoS: The dangers of regex in JavaScript
Total ReDoS: The dangers of regex in JavaScript
 
What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?What Does Real World Mass Adoption of Decentralized Tech Look Like?
What Does Real World Mass Adoption of Decentralized Tech Look Like?
 
How to Write & Deploy a Smart Contract
How to Write & Deploy a Smart ContractHow to Write & Deploy a Smart Contract
How to Write & Deploy a Smart Contract
 
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
Spinning Your Drones with Cadence Workflows, Apache Kafka and TensorFlow
 
DEI Challenges and Success
DEI Challenges and SuccessDEI Challenges and Success
DEI Challenges and Success
 
Scaling Web Applications with Background
Scaling Web Applications with BackgroundScaling Web Applications with Background
Scaling Web Applications with Background
 
Supercharging tutorials with WebAssembly
Supercharging tutorials with WebAssemblySupercharging tutorials with WebAssembly
Supercharging tutorials with WebAssembly
 
Using SQL to Find Needles in Haystacks
Using SQL to Find Needles in HaystacksUsing SQL to Find Needles in Haystacks
Using SQL to Find Needles in Haystacks
 
Configuration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit InterceptConfiguration Security as a Game of Pursuit Intercept
Configuration Security as a Game of Pursuit Intercept
 
Scaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship ProgramScaling an Open Source Sponsorship Program
Scaling an Open Source Sponsorship Program
 
Build Developer Experience Teams for Open Source
Build Developer Experience Teams for Open SourceBuild Developer Experience Teams for Open Source
Build Developer Experience Teams for Open Source
 
Deploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache BeamDeploying Models at Scale with Apache Beam
Deploying Models at Scale with Apache Beam
 
Sudo – Giving access while staying in control
Sudo – Giving access while staying in controlSudo – Giving access while staying in control
Sudo – Giving access while staying in control
 
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML ApplicationsFortifying the Future: Tackling Security Challenges in AI/ML Applications
Fortifying the Future: Tackling Security Challenges in AI/ML Applications
 
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
Securing Cloud Resources Deployed with Control Planes on Kubernetes using Gov...
 

Kürzlich hochgeladen

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 

Kürzlich hochgeladen (20)

Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Securing Applications and Pipelines on a Container Platform

  • 1. @OpenShift RHOpenShift Securing Applications on a Container Platform Presenter: Veer Muchandi Title: Chief Architect, Container Solutions, NACS Social Handle: @VeerMuchandi Blogs: https://blog.openshift.com/author/veermuchandi/
  • 2. Session Goals Considerations for Security on a Container Platform Containers - A quick look Container Security at Host Operating System Container Security at Build time Container Security at Runtime Container Platform (K8S Cluster) - Additional Security Features Application Security
  • 7. Can bad processes choke others?
  • 8. How can processes with different technologies coexist?
  • 9. Container separation ● Containers all share the same kernel ● Containers security is about controlling the access to the kernel ● Limit the ability of the container to negatively impact ○ the infrastructure ○ other containers
  • 12. Isolation with Linux Namespaces PID namespace The first process is pid 1 in the container. Namespace destroyed as PID exits. Cannot see/signal processes in parent pid namespace or other pid namespaces Network namespace Allows container to use separate virtual network stack, loopback device and process space veth pairs are created to add interfaces from initial network namespace to container network namespace Mount namespace Isolate the set of file system mount points. Mount sys directories as read only and nodev Each process gets its own mount table i.e. view of the filesystem UTS namespace isolate system identifiers – hostname and domain name I IPC namespace isolate certain interprocess communication (IPC) resources User namespace Allow you to specify a range of host UIDs dedicated to the container. A process can have full root privileges for operations inside the container mapped to non-root user on host.
  • 13. Linux CGroups Ensures that a single container cannot exhaust a large amount of system resources CGroups allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks In a container: # ls /sys/fs/cgroup/ blkio cpu cpuacct cpuacct,cpu cpuset devices freezer hugetlb memory net_cls net_prio net_prio,net_cls perf_event pids systemd # cat /sys/fs/cgroup/cpu/cpu.shares 2 # cat /sys/fs/cgroup/memory/memory.limit_in_bytes 9223372036854771712 Device CGroups ● specify which device nodes can be used within the container ● blocks the processes from creating and using device nodes that could be used to attack the host.
  • 14. 14 SELinux and Type Enforcement ● Implements Mandatory Access Control ● A LABELING system ● Every process has a LABEL. Every file, directory, and system object has a LABEL ● Policy rules control access between labeled processes and labeled objects ● The kernel enforces the rules. ● Type Enforcement protects the host system from container processes All container processes run with type svirt_lxc_net_t Content within the container is labeled with type svirt_sandbox_file_t svirt_lxc_net_t ● allowed to manage any content labeled svirt_sandbox_file_t ● able to read/execute most labels under /usr on the host ● not allowed to open/write to any other labels on the system ● not allowed to read any default labels in /var, /root, /home etc
  • 15. MCS protects Containers from each other Based on Multi Level Security (MLS) Docker Daemon picks out unique random MCS Label s0:c1,c2 Assigns MCS Label to all content Launches the container processes with same label Container Processes can only read/write their own files - Kernel enforces this Multi Category Security (MCS) Enforcement
  • 17. 17 CAP_SETPCAP CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_NET_ADMIN CAP_SYS_ADMIN Modify process capabilities Insert/Remove kernel modules Modify Kernel Memory Configure process accounting Modify Priority of processes Override Resource Limits Modify the system clock Configure tty devices Write the audit log Configure Audit Subsystem Ignore Kernel MAC Policy Configure MAC Configuration Modify Kernel printk behaviour Configure the network: Catch all - Setting the hostname/domainname - mount(),unmount() - nfsservctl - …. Linux Capabilities Kernel 2.2 divides root privileges into 32 distinct capabilities Root user with all capabilities is all powerful!!
  • 18. Drop Capabilities ● chown the ability to make arbitrary changes to file UIDs and GIDs ● dac_override allows root to bypass file read, write, and execute permission checks ● fowner ability to bypass permission checks on operations where the filesystem process UID should match file UID ● fsetid override file owner and group reqmts when setting setuid or setgid bits on a file ● kill root owned process can send kill signals to non root processes ● setpcap a process can change its current capability set within its bounding set ● net_bind_service you can bind to privileged ports (e.g., those below 1024) ● net_raw allows a process to spy on packets on its network ● sys_chroot allows your processes to chroot into a different rootfs ● mknod allows your processes to create device nodes ● audit_write you can write a message to kernel auditing log ● set_fcap allows you to set file capabilities on a file system Default capabilities available for privileged processes in a Docker Container Do really think containers need these default capabilities in production ?? A good strategy is to drop all capabilities and just add the needed ones back.. Example # docker run -d --cap-add SYS_TIME ntpd
  • 19. Secure Computing Mode - Seccomp Filters system calls from a container to the kernel. Uses Berkeley Packet Filter (BPF) system Children to a container process will inherit the BPF filter Provides more fine-grained control than capabilities, giving an attacker a limited number of syscalls from the container Restricted and allowed calls are arranged in profiles, pass different profiles to different containers Specify your own policy # podman run --security-opt seccomp=/path/to/custom/profile.json <container>
  • 20. 20 Read Only Mounts Linux kernel file systems have to be mounted in a container environment or processes would fail to run Fortunately, most of these file systems can be mounted as "read-only" on RHEL. /sys /proc/sys /proc/sysrg-trigger /proc/irq /proc/bus OpenShift also blocks the ability of the privileged container processes from re-mounting the file systems as read/write
  • 22. ● Red Hat Container Registry ● Policies to control who can deploy which containers ● Certification Catalog ● Trusted content with security updates HOST OS CONTAINER OS RUNTIME APP HOST OS CONTAINER OS RUNTIME APP 22 Image governance and private registries ● What security meta-data is available for your images? ● Are the images in the registry updated regularly? ● Are there access controls on the registry? How strong are they? Trusting Container Content
  • 23. Trusted containers from known sources that provide certified and supported images. Example Red Hat provides Trusted Container Images (registry.redhat.io) as part of OpenShift Service Catalog. Publish fixes to the content in this registry and notify you. Languages: PHP, Python, Ruby, Perl, Node.js, Java, .Net Core Enterprise Grade JBoss Middleware: EWS, EAP, BPM, BRMS, RH SSO, Data Grid, DataVirt, 3Scale Databases: MySQL, Mongo, PostgreSQL, Maria CICD: Jenkins Partners Images: Container Certification by Red Hat. Trusted Container Content
  • 25. Container Image Provenance ● Did the image come from a trusted source? ● Are you verifying image signatures? ● Are you signing container images? $ podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar Example: Image signing with Podman
  • 26. Private Registries Enterprise security policies may not allow your Container Images to be pushed to a registry outside. Or what if public registry (like DockerHub) is down? Caching images in Private Registry - Red Hat’s Quay - JFrog Artifactory - Docker Trusted Registry
  • 27. 27 Restrict Registry Sources $ oc edit images.config.openshift.io cluster spec: registrySources: blockedRegistries: - docker.io Example: Restricting Container Registries in OpenShift ● Restrict pulling images from specific registries of your choice
  • 28. Container Image Management Responsibilities Operations/ Infrastructure admin - Maintain Trusted OS Base Images (RHEL, RHEL-Atomic) - Ensure these are good with Linux Kernel Middleware Engineers/Architects - Maintain Middleware Images - Control build process - S2I, CICD - Reference Architectures with Trusted middleware Development teams - Write code that layers on approved images - Ensure code is clean, open source software vulnerabilities are handled
  • 30. Container Scanning Frequency Scan containers as soon as they are created Scan containers that get into enterprise registry Ongoing basis- Identify any new vulnerabilities
  • 31. 31 Scanning Containers at Creation https://www.youtube.com/watch?v=65BnTLcDAJI Run image scan at this point
  • 32. Scanning Tools on an Ongoing basis Claire scanner with Red Hat’s Quay BlackDuck JFrog XRay Twistlock Sysdig
  • 33. Additional Container Platform Security Features
  • 34. API Authentication • OAuth Access Token – Obtained from OAuth server using endpoints – Sent as • X.509 Client Certs – HTTPS connection – API Server verifies against a trusted cert authority bundle – API Server creates and distributes certs to Controllers to authenticate themselves • Request with invalid token or cert gets a 401 • No cert or token gets system:anonymous user and system: unauthenticated virtual group <master>/oauth/authorize <master>/oauth/token Authorization: Bearer access_token=…
  • 35. Authentication OAuth Client OAuth Server Master Client Types: openshift-web-console openshift-browser-client openshift-challenging-client Identity Provider 1. Authentication Request 2. Determine Identity 3. Access token Configured Identity Providers: - LDAP - GitHub - GitLab - Google - OpenID Connect - HTPasswd - Keystone Authentication Requests: <master>/oauth/authorize WWW-authenticate <master>/oauth/token/request
  • 36. Authorization RoleBinding associates Users/Groups with Roles - Cluster RoleBindings - Project RoleBindings In Kubernetes, containers in pods run with the role assigned to a special user called Service Account
  • 37. 37 Container Deployment Permissions with Pod Security Policies (PSP) or with SCC
  • 38. 38 Secured Communications between Hosts Secures cluster communications with IPsec ● Encryption between all Master and Node hosts (L3) ● Uses OpenShift CA and existing certificates ● Simple setup via policy defn ○ Groups (e.g. subnets) ○ Individual hosts Master P1 Nodes P2 172.16.0.0/16
  • 39. Microsegmentation with Network Policy Objects ● Lock everything by default ● Add Network Policies to allow specific ingress traffic
  • 40. 40 Secure storage by using ● SELinux access controls ● Secure mounts ● Supplemental group IDs for shared storage Securing Storage attached to Containers
  • 41. 41 Isolate Workloads by labeling Nodes Node 1 east Node 2 east Node 1 west Node 2 west Master / Scheduler $ oadm new-project myproject --node-selector='type=user-node,region=east' pod pod
  • 43. Single-Sign On Client-Side Web App Mobile App KeyCloak Service 1 Service 2 User 1 Auth Token Token Token Service 3 Token ● Open source access & identity manager ● Supports OIDC (OAuth) and SAML ● Identity Brokering ● Identity Federation with LDAP directory services ● Client libraries for JavaEE, Spring, Node.js, & more ● Event auditing ● Based on upstream Keycloak project KeyCloak
  • 44. 44 Container platform & application APIs ● Authentication and authorization ● LDAP integration ● End-point access controls ● Rate limiting API Management
  • 45. SSL at Ingress My App https://myapp.mydomain.com Router My AppMy App Edge termination My App https://myapp.mydomain.com Router My App My App Passthrough termination My App https://myapp.mydomain.com Router My AppMy App Reencrypt
  • 46. Secrets Sensitive Info: Passwords, Client Config files, dockercfg etc used by application containers provided as secrets Never come to rest on Nodes Stored in etcd and encrypted kubernetesMasterConfig: apiServerArguments: experimental-encryption-provider-config: - /path/to/encryption.config
  • 47. 47 Calling External Services using Egress Router The OpenShift egress router runs a service that redirects egress pod traffic to one or more specified remote servers, using a pre-defined source IP address that can be whitelisted on the remote server. NODE IP1 EGRESS ROUTER POD IP1 EGRESS SERVICE INTERNAL-IP:8080 EXTERNAL SERVICE Whitelist: IP1 POD POD POD ... - name: EGRESS_DESTINATION value: | 80 tcp 1.2.3.4 8080 tcp 5.6.7.8 80 8443 tcp 9.10.11.12 443 13.14.15.16 ...
  • 49. Istio Concepts - Sidecar Proxy 49 SideCar Proxy - Intercepts all network communication between microservices - Encapsulates Service Infrastructure code - Application code (business logic) unaware of Sidecar proxy - Examples - Linkerd, Envoy
  • 50. Istio Concepts - Service Mesh 50 Network of Microservices Service Mesh is a dedicated infrastructure layer to handle service-service communications Typically implemented as an array of lightweight network proxies deployed alongside application code Interconnected Proxies form a mesh network
  • 51. Istio Service Mesh on OpenShift Connect, Manage, and Secure Microservices, transparently ● Intelligent Routing ● Load Balancing ● Service Resilience ● Telemetry and Reporting ● Policy Enforcement ● Content based Filtering (Layer 7) ● mTLS between services ● East-West traffic control
  • 52. Application Traffic Encryption with Istio Auth Uses Service Account as Identity. SPIFFE Id format spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> Mutual TLS between sidecars Istio CA - Generate cert pair and SPIFFE key for each SA - Distribute key and cert pairs - Rotate keys and certs periodically - Revoke key and cert when need
  • 53. API Management SSL Secrets Connecting to external services Summary: Application Security
  • 56.
  • 57.
  • 58.
  • 59.
  • 60.
  • 61.
  • 62. 62 SELINUX - MAC - MCS - Process system_u:system_r:container_runtime_t:s0 SElinux Policy module for the container The OOTB SElinux policy container.te defines what you can execute and access with the label container_runtime_t [root@osemaster ~]# ps -efZ | grep docker-containerd-shim-current system_u:system_r:container_runtime_t:s0 root 3035 1479 0 Feb15 ? 00:00:01 /usr/bin/docker-containerd-shim-current 4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /var/run/docker/libcontainerd/4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /usr/libexec/docker/docker-runc-current
  • 63. 63 SELINUX - MAC - MCS - Files container_var_lib_t / svirt_sandbox_file_t SElinux Policy module for the container [root@osemaster ~]# ls -lZ /var/lib/docker/containers/97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737 / -rw-r-----. root root system_u:object_r:container_var_lib_t:s0 97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737-json.log -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 config.v2.json -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 hostconfig.json -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 hostname -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 hosts -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 resolv.conf -rw-r--r--. root root system_u:object_r:container_var_lib_t:s0 resolv.conf.hash drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 secrets drwx------. root root system_u:object_r:container_var_lib_t:s0 shm