PodCTL - Enterprise Kubernetes

Security: Hosts, Registries, Content and Pipelines

November 06, 2017 Brian Gracely & Tyler Britten
PodCTL - Enterprise Kubernetes
Security: Hosts, Registries, Content and Pipelines
Chapters
PodCTL - Enterprise Kubernetes
Security: Hosts, Registries, Content and Pipelines
Nov 06, 2017
Brian Gracely & Tyler Britten

Show: 14

Show Overview: Brian and Tyler talk address some of the many layers of security required in a container environment. This show will be part of a series on container and Kubernetes security. They look at security requirement in the Container Host, Container Content, Container Registry, and Software Build Processes.
 
 Show Notes and News:

Topic 1 - Let’s start at the bottom of the stack with the security needed on a container host.

  • Linux namespaces - isolation 
  • Linux capabilities and SECCOMP - restrict routes, ports, limiting process calls 
  • SELinux (or AppArmor) - mandatory access controls 
  • cGroups - resource management

Topic 2 - Next in the stack, or outside the stack, is the sources of container content.

  • Trusted sources (known registries vs. public registries (e.g. DockerHub) 
  • Scanning the content of containers 
  • Managing the versions, patches of container content

Topic 3 - Once we have the content (applications), we need a secure place to store and access it - container registries.

  • Making a registry highly-available 
  • Who manages and audits the registry? 
  • How to scan container within a container? 
  • How to cryptographically sign images? 
  • Identifying known registries 
  • Process for managing the content in a registry (tagging, versioning/naming, etc) 
  • Automated policies (patch management, getting new content, etc.) 

Topic 4 - Once we have secure content (building blocks) and a secure place to store the container images, we need to think about a secure supply chain of the software - the build process.

  • Does a platform require containers, or can it accept code? Can it manage secure builds? 
  • How to build automated triggers for builds? How to audit those triggers (webhooks, etc.)? 
  • How to validate / scan / test code at different stages of a pipeline? (static analysis, dynamic analysis, etc.) 
  • How to promote images to a platform? (automated, manual promotion, etc.)

Feedback?

Show Notes

Show: 14

Show Overview: Brian and Tyler talk address some of the many layers of security required in a container environment. This show will be part of a series on container and Kubernetes security. They look at security requirement in the Container Host, Container Content, Container Registry, and Software Build Processes.
 
 Show Notes and News:

Topic 1 - Let’s start at the bottom of the stack with the security needed on a container host.

  • Linux namespaces - isolation 
  • Linux capabilities and SECCOMP - restrict routes, ports, limiting process calls 
  • SELinux (or AppArmor) - mandatory access controls 
  • cGroups - resource management

Topic 2 - Next in the stack, or outside the stack, is the sources of container content.

  • Trusted sources (known registries vs. public registries (e.g. DockerHub) 
  • Scanning the content of containers 
  • Managing the versions, patches of container content

Topic 3 - Once we have the content (applications), we need a secure place to store and access it - container registries.

  • Making a registry highly-available 
  • Who manages and audits the registry? 
  • How to scan container within a container? 
  • How to cryptographically sign images? 
  • Identifying known registries 
  • Process for managing the content in a registry (tagging, versioning/naming, etc) 
  • Automated policies (patch management, getting new content, etc.) 

Topic 4 - Once we have secure content (building blocks) and a secure place to store the container images, we need to think about a secure supply chain of the software - the build process.

  • Does a platform require containers, or can it accept code? Can it manage secure builds? 
  • How to build automated triggers for builds? How to audit those triggers (webhooks, etc.)? 
  • How to validate / scan / test code at different stages of a pipeline? (static analysis, dynamic analysis, etc.) 
  • How to promote images to a platform? (automated, manual promotion, etc.)

Feedback?