Docker Security

"Containers are not a thing"
Jessie Frazelle

namespaces

Let's do a magic trick

Do you want another?

nmap

FAIL

capabilities

Magic tools

SELinux

kernel security modifications

created by the NSA & Red Hat

provides Mandatory Access Control

blocks file and network access

based on contexts and labels

seccomp

denies system calls to processes

active by default in Docker

based on attached profiles

developed by Google

some calls are not namespaced

seccomp policy

{
  "defaultAction": "SCMP_ACT_KILL",
  "syscalls": [
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
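The profile above is what Docker hands to libseccomp, which compiles it into a BPF filter and loads it into the container's init process before the entrypoint runs. The following C program is an added example (not from the slides, and not Docker's code) that installs the equivalent filter by hand so you can watch chmod turn into EPERM. It deviates from the slide's profile in one way, marked in the code: the default action is allow rather than kill, so the process survives to report the result. The function names, the /tmp scratch path and the architecture selection are my own choices.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Audit architecture constant the kernel places in seccomp_data.arch. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_I386
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Install a seccomp-bpf filter equivalent to the slide's chmod rule:
 * chmod (and the fchmodat family glibc may use to implement it) returns
 * EPERM instead of running; every other syscall is allowed.
 * Returns 0 on success, or -errno. */
int install_chmod_deny_filter(void)
{
    struct sock_filter filter[] = {
        /* Kill on a foreign ABI (e.g. 32-bit calls on a 64-bit kernel),
         * where the syscall numbers mean something else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number and compare it against the denied set. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef __NR_chmod
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_chmod, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
#endif
#ifdef __NR_fchmodat
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmodat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
#endif
#ifdef __NR_fchmodat2
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_fchmodat2, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
#endif
        /* Default action: allow. The slide's profile uses SCMP_ACT_KILL here;
         * allow is used so the demo process survives to print its result. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required for an unprivileged process to load a filter; it also stops
     * setuid binaries from regaining privilege underneath the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -errno;
    return 0;
}

/* Create a scratch file and try to chmod it. Returns 0 if chmod succeeded,
 * otherwise the errno chmod reported (EPERM once the filter is installed). */
int probe_chmod(void)
{
    char path[] = "/tmp/seccomp-demo-XXXXXX"; /* constructed scratch path */
    int fd = mkstemp(path);
    if (fd < 0)
        return errno;
    close(fd);
    int result = 0;
    if (chmod(path, 0600) != 0)
        result = errno;
    unlink(path);
    return result;
}

int main(void)
{
    printf("before filter: chmod -> %s\n", strerror(probe_chmod()));
    int rc = install_chmod_deny_filter();
    if (rc != 0) {
        fprintf(stderr, "seccomp install failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("after filter:  chmod -> %s\n", strerror(probe_chmod()));
    return 0;
}
```

Build with `cc -o seccomp-demo seccomp-demo.c` on Linux and run it; the second line shows chmod failing with "Operation not permitted". The architecture check at the top is the part most hand-written filters forget: without it, a 32-bit syscall number issued on a 64-bit kernel is looked up in the wrong table, which is exactly why the slide's point about some calls not being namespaced matters for filter design.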

Kubernetes

Quick recap

namespace

cluster role

role binding / cluster role binding

role

service account

Pod security policies

created by Red Hat

donated to kubernetes.io

enforced by admission controllers

integrated with RBAC

formerly security context constraints

what can they do?

run privileged containers

use host directories as volumes

configure SELinux and seccomp

set the user ID and groups

run containers with only some capabilities

control access to storage classes

set the container filesystem to read-only (:ro)
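To tie the recap slide (namespace, cluster role, role binding, service account) to the list above, here is an added example, not from the slides, of a restrictive PodSecurityPolicy and the RBAC objects that let one service account in one namespace use it. The object names (`demo`, `app`, `restricted`, `psp-restricted-user`) are my own; the field names are the real PodSecurityPolicy and RBAC API fields. Note that the PodSecurityPolicy API was deprecated in Kubernetes 1.21 and removed in 1.25; the same controls now live in Pod Security Admission and external admission controllers, but the RBAC wiring shown here is unchanged.

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: demo
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: app
  namespace: demo
---
# The policy: what a pod admitted under it may and may not do.
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
  annotations:
    # configure seccomp: only the runtime's default profile is allowed
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'runtime/default'
    seccomp.security.alpha.kubernetes.io/defaultProfileName: 'runtime/default'
spec:
  privileged: false                 # no privileged containers
  allowPrivilegeEscalation: false
  requiredDropCapabilities: ['ALL'] # run with only some capabilities ...
  allowedCapabilities: ['NET_BIND_SERVICE']  # ... re-adding just this one
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes:                          # host directories (hostPath) are not listed
    - configMap
    - emptyDir
    - secret
    - persistentVolumeClaim
  runAsUser:
    rule: MustRunAsNonRoot          # set the user ID: anything but 0
  seLinux:
    rule: RunAsAny                  # SELinux context left to the runtime
  supplementalGroups:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  fsGroup:
    rule: MustRunAs
    ranges: [{min: 1, max: 65535}]
  readOnlyRootFilesystem: true      # container filesystem :ro
---
# RBAC: a ClusterRole whose only verb is "use" on that one policy ...
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: psp-restricted-user
rules:
  - apiGroups: ['policy']
    resources: ['podsecuritypolicies']
    resourceNames: ['restricted']
    verbs: ['use']
---
# ... bound to the service account within the demo namespace only.
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: psp-restricted-binding
  namespace: demo
subjects:
  - kind: ServiceAccount
    name: app
    namespace: demo
roleRef:
  kind: ClusterRole
  name: psp-restricted-user
  apiGroup: rbac.authorization.k8s.io
```

With the PodSecurityPolicy admission controller enabled, a pod created with `serviceAccountName: app` in `demo` that asks for `privileged: true`, a `hostPath` volume, or `runAsUser: 0` is rejected at admission; a pod that sets `runAsNonRoot: true` and `readOnlyRootFilesystem: true` is admitted. Because the binding is a RoleBinding rather than a ClusterRoleBinding, the same service account name in another namespace gets nothing.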

Pod security policies

big demo

security vs convenience

@ciberado
