"Containers are not a thing"
Jessie Frazelle
namespaces
Let's do a magic trick
Do you want another?
nmap
FAIL
kernel security modifications
created by NSA & Red Hat
provides Mandatory Access Control
blocks file and network access
based on contexts and labels
denies system calls to processes
active by default in Docker
based on attached profiles
developed by Google
some calls are not namespaced
{
  "defaultAction": "SCMP_ACT_KILL",
  "syscalls": [
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
namespace
cluster role
role binding / cluster role binding
role
service account
created by Red Hat
donated to kubernetes.io
enforced by admission controllers
integrated with RBAC
formerly security context constraints
what can they do?
run privileged containers
use host directories as volumes
configure SELinux and seccomp
set the user ID and groups
run containers with only some capabilities
control access to storage classes
set the container filesystem as read-only (:ro)
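As an added example (not part of the original slides), a PodSecurityPolicy that exercises the controls listed above, together with the cluster role and role binding that let one service account use it; the policy name, the app namespace, the app-sa service account and the /data host path are assumed. It targets the policy/v1beta1 API, which Kubernetes removed in 1.25.

```yaml
# Added example (assumed names, namespace and host path), policy/v1beta1 API (removed in Kubernetes 1.25)
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted-psp
  annotations:
    # seccomp: pods may only use the runtime's default profile
    seccomp.security.alpha.kubernetes.io/allowedProfileNames: runtime/default
    seccomp.security.alpha.kubernetes.io/defaultProfileName: runtime/default
spec:
  privileged: false                   # no privileged containers
  hostNetwork: false
  hostPID: false
  hostIPC: false
  volumes: [configMap, secret, emptyDir, persistentVolumeClaim, hostPath]
  allowedHostPaths:                   # host directories as volumes: only this prefix, read-only
    - pathPrefix: /data               # assumed path
      readOnly: true
  seLinux:
    rule: RunAsAny                    # labels come from the node's SELinux policy
  runAsUser:
    rule: MustRunAsNonRoot            # set the user ID: anything but root
  supplementalGroups: {rule: MustRunAs, ranges: [{min: 1000, max: 65535}]}
  fsGroup: {rule: MustRunAs, ranges: [{min: 1000, max: 65535}]}
  requiredDropCapabilities: [ALL]     # only some capabilities: drop everything...
  allowedCapabilities: [NET_BIND_SERVICE]  # ...then permit one to be added back
  readOnlyRootFilesystem: true        # container filesystem as :ro
---
# RBAC: the policy only applies to pods whose creator is allowed to "use" it
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: use-restricted-psp
rules:
  - apiGroups: [policy]
    resources: [podsecuritypolicies]
    resourceNames: [restricted-psp]
    verbs: [use]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: app-sa-use-restricted-psp
  namespace: app
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: use-restricted-psp
subjects:
  - {kind: ServiceAccount, name: app-sa, namespace: app}
```

With the PodSecurityPolicy admission controller enabled, a pod created by app-sa that asks for privileged mode, a host path outside /data, or UID 0 is rejected at admission rather than silently adjusted.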
security vs convenience
@ciberado