"Containers are not a thing"
Let's do a magic trick
Do you want another?

SELinux
kernel security modifications
created by NSA & RedHat
provides Mandatory Access Control
blocks file and network access
based on contexts and labels

seccomp
denies system calls to processes
active by default in Docker
based on attached profiles
developed by Google
some calls are not namespaced

RBAC
role binding / cluster role binding

Pod Security Policies
created by RedHat
donated to kubernetes.io
enforced by admission controllers
integrated with RBAC
formerly security context constraints

what can they do?
run privileged containers
use host directories as volumes
configure SELinux and seccomp
set the user ID and groups
run containers with only some capabilities
control access to storage classes
set the container filesystem as :ro
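A restrictive policy that exercises the controls listed above, together with the RBAC objects that let a service account use it; this is an added example, not code from the slides. The policy name, the ClusterRole and RoleBinding names and the app namespace are constructed placeholders. It assumes a cluster that still serves the policy/v1beta1 PodSecurityPolicy API (removed in Kubernetes 1.25; newer clusters use the built-in Pod Security Admission levels instead).

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-example            # constructed placeholder name
  annotations:
    # seccomp: pods may request only the runtime's default profile
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                   # no privileged containers
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ['ALL']   # drop every capability ...
  allowedCapabilities: ['NET_BIND_SERVICE'] # ... and allow back only this one
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes:                            # hostPath is deliberately absent
    - configMap
    - secret
    - emptyDir
    - persistentVolumeClaim
  runAsUser: {rule: MustRunAsNonRoot} # UID 0 is refused at admission
  supplementalGroups: {rule: RunAsAny}
  fsGroup: {rule: RunAsAny}
  seLinux: {rule: RunAsAny}           # defer to the node's SELinux labelling
  readOnlyRootFilesystem: true        # container filesystem mounted :ro
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole                     # grants the "use" verb on this one PSP
metadata:
  name: use-restricted-example
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    resourceNames: ['restricted-example']
    verbs: ['use']
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding                     # the RBAC side: who may use the policy
metadata:
  name: use-restricted-example
  namespace: app                      # constructed placeholder namespace
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-restricted-example
subjects:
  - kind: ServiceAccount
    name: default
    namespace: app
```

The RoleBinding is what ties the policy to RBAC: a pod whose creator and service account are not allowed to use any policy is rejected by the admission controller, and a pod that is allowed must still satisfy every field above.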
security vs convenience
We are a systems engineering company that boosts our clients’ businesses through the design, implementation & 24x7 engineering of highly efficient, scalable and reliable systems architectures.