PodCTL - Enterprise Kubernetes

Security: Hosts, Registries, Content and Pipelines

November 06, 2017 Brian Gracely & Tyler Britten

Chapters

PodCTL - Enterprise Kubernetes

Nov 06, 2017

Brian Gracely & Tyler Britten

Show: 14

Show Overview: Brian and Tyler talk address some of the many layers of security required in a container environment. This show will be part of a series on container and Kubernetes security. They look at security requirement in the Container Host, Container Content, Container Registry, and Software Build Processes.

Show Notes and News:

Topic 1 - Let’s start at the bottom of the stack with the security needed on a container host.

Linux namespaces - isolation
Linux capabilities and SECCOMP - restrict routes, ports, limiting process calls
SELinux (or AppArmor) - mandatory access controls
cGroups - resource management

Topic 2 - Next in the stack, or outside the stack, is the sources of container content.

Trusted sources (known registries vs. public registries (e.g. DockerHub)
Scanning the content of containers
Managing the versions, patches of container content

Topic 3 - Once we have the content (applications), we need a secure place to store and access it - container registries.

Making a registry highly-available
Who manages and audits the registry?
How to scan container within a container?
How to cryptographically sign images?
Identifying known registries
Process for managing the content in a registry (tagging, versioning/naming, etc)
Automated policies (patch management, getting new content, etc.)

Topic 4 - Once we have secure content (building blocks) and a secure place to store the container images, we need to think about a secure supply chain of the software - the build process.

Does a platform require containers, or can it accept code? Can it manage secure builds?
How to build automated triggers for builds? How to audit those triggers (webhooks, etc.)?
How to validate / scan / test code at different stages of a pipeline? (static analysis, dynamic analysis, etc.)
How to promote images to a platform? (automated, manual promotion, etc.)

Feedback?

Share Episode

Share on Twitter Share on LinkedIn Download

Apple Podcasts Spotify

Listen on

Apple Podcasts Spotify

Share Episode

Share on Twitter Share on LinkedIn

Topic 1 - Let’s start at the bottom of the stack with the security needed on a container host.

Linux namespaces - isolation
Linux capabilities and SECCOMP - restrict routes, ports, limiting process calls
SELinux (or AppArmor) - mandatory access controls
cGroups - resource management

Topic 2 - Next in the stack, or outside the stack, is the sources of container content.

Trusted sources (known registries vs. public registries (e.g. DockerHub)
Scanning the content of containers
Managing the versions, patches of container content

Topic 3 - Once we have the content (applications), we need a secure place to store and access it - container registries.

Making a registry highly-available
Who manages and audits the registry?
How to scan container within a container?
How to cryptographically sign images?
Identifying known registries
Process for managing the content in a registry (tagging, versioning/naming, etc)
Automated policies (patch management, getting new content, etc.)

Topic 4 - Once we have secure content (building blocks) and a secure place to store the container images, we need to think about a secure supply chain of the software - the build process.

Does a platform require containers, or can it accept code? Can it manage secure builds?
How to build automated triggers for builds? How to audit those triggers (webhooks, etc.)?
How to validate / scan / test code at different stages of a pipeline? (static analysis, dynamic analysis, etc.)
How to promote images to a platform? (automated, manual promotion, etc.)

Feedback?

PodCTL - Enterprise Kubernetes

Security: Hosts, Registries, Content and Pipelines

Listen to this podcast on