Security: Hosts, Registries, Content and Pipelines

Show Notes

Show: 14

Show Overview: Brian and Tyler talk address some of the many layers of security required in a container environment. This show will be part of a series on container and Kubernetes security. They look at security requirement in the Container Host, Container Content, Container Registry, and Software Build Processes.
 
 Show Notes and News:

• 10 Layers of Container Security
• Google, VMware and Pivotal announced a Hybrid Cloud partnership with Kubernetes
• Google and Cisco announced a Hybrid Cloud partnership with Kubernetes (and more)
• Docker adds support for Kubernetes to DockerEE
• Rancher makes Kubernetes the primary orchestrator
• Microsoft announces new Azure Container Service, AKS
• Oracle announced Kubernetes on Oracle Linux (and some installers)
• Heptio announces new tools

Topic 1 - Let’s start at the bottom of the stack with the security needed on a container host.

• Linux namespaces - isolation 
• Linux capabilities and SECCOMP - restrict routes, ports, limiting process calls 
• SELinux (or AppArmor) - mandatory access controls 
• cGroups - resource management

Topic 2 - Next in the stack, or outside the stack, is the sources of container content.

• Trusted sources (known registries vs. public registries (e.g. DockerHub) 
• Scanning the content of containers 
• Managing the versions, patches of container content

Topic 3 - Once we have the content (applications), we need a secure place to store and access it - container registries.

• Making a registry highly-available 
• Who manages and audits the registry? 
• How to scan container within a container? 
• How to cryptographically sign images? 
• Identifying known registries 
• Process for managing the content in a registry (tagging, versioning/naming, etc) 
• Automated policies (patch management, getting new content, etc.) 

Topic 4 - Once we have secure content (building blocks) and a secure place to store the container images, we need to think about a secure supply chain of the software - the build process.

• Does a platform require containers, or can it accept code? Can it manage secure builds? 
• How to build automated triggers for builds? How to audit those triggers (webhooks, etc.)? 
• How to validate / scan / test code at different stages of a pipeline? (static analysis, dynamic analysis, etc.) 
• How to promote images to a platform? (automated, manual promotion, etc.)

Feedback?

• Email: PodCTL at gmail dot com
• Twitter: @PodCTL 
• Web: http://podctl.com