Docker Security
"Containers are not a thing"
Jessie Frazelle
namespaces
Let's do a magic trick
Do you want another?
nmap
FAIL
capabilities
Magic tools
SELinux
kernel security modifications
created by the NSA and Red Hat
provides Mandatory Access Control
blocks file and network access
based on contexts and labels
seccomp
denies system calls to processes
active by default in Docker
based on attached profiles
developed by Google
some calls are not namespaced
seccomp policy
{
  "defaultAction": "SCMP_ACT_KILL",
  "syscalls": [
    {
      "name": "chmod",
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
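To make the slide's policy concrete, here is an added example (not part of the talk) that loads that JSON and answers the question seccomp answers at runtime: for a given syscall, which SCMP_ACT_* action applies? It also builds a profile in the shape Docker's default one has (deny by errno, allow an explicit list), so the two structures can be compared. The syscall lists are constructed for the demo, and argument filters and Docker's "includes"/"excludes" capability gates are deliberately ignored.

```python
import json

# Constructed sample: the policy from the slide, in Docker's seccomp JSON format.
# Docker accepts "name" (one syscall, the older form) or "names" (a list) per rule.
SLIDE_POLICY = json.loads("""
{
  "defaultAction": "SCMP_ACT_KILL",
  "syscalls": [
    { "name": "chmod", "action": "SCMP_ACT_ERRNO" }
  ]
}
""")


def decide(profile, syscall):
    """Return the SCMP_ACT_* action the profile applies to one syscall.

    A rule that names the syscall supplies the action; anything not named
    falls through to defaultAction. Argument filters ("args") and the
    "includes"/"excludes" capability gates found in Docker's default
    profile are ignored here, which is a simplification for this example.
    """
    for rule in profile.get("syscalls", []):
        names = rule.get("names") or ([rule["name"]] if "name" in rule else [])
        if syscall in names:
            return rule["action"]
    return profile["defaultAction"]


def audit(profile, syscalls):
    """Map each syscall to the action the profile would take on it."""
    return {s: decide(profile, s) for s in syscalls}


def killed(profile, needed):
    """Which of the syscalls a workload needs would terminate it outright."""
    return [s for s in needed if decide(profile, s) == "SCMP_ACT_KILL"]


def allowlist_profile(allowed):
    """Build a profile in the shape of Docker's default one: deny with an
    errno, allow only the listed syscalls (the usual production structure)."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(set(allowed)), "action": "SCMP_ACT_ALLOW"}],
    }


if __name__ == "__main__":
    # Constructed list: a few calls any shell issues before it can do anything.
    shell_needs = ["execve", "read", "write", "exit_group", "chmod"]
    print("slide policy:", audit(SLIDE_POLICY, shell_needs))
    print("would be killed:", killed(SLIDE_POLICY, shell_needs))
    print("allowlist:", audit(allowlist_profile(shell_needs), ["read", "chmod", "mount"]))
```

Running it shows why the slide's profile is a demo rather than a deployable one: with `defaultAction` set to `SCMP_ACT_KILL`, every syscall not listed, `execve` and `read` included, kills the process, and only `chmod` gets the polite errno. A profile written either way is attached to a container with `docker run --security-opt seccomp=policy.json ...`.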
Kubernetes
Quick recap
namespace
cluster role
role binding / cluster role binding
role
service account
Pod security policies
created by Red Hat
donated to kubernetes.io
enforced by admission controllers
integrated with RBAC
formerly security context constraints
what can they do?
run privileged containers
use host directories as volumes
configure SELinux and seccomp
set the user ID and groups
run containers with only some capabilities
control access to storage classes
set the container filesystem to read-only (:ro)
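The list above maps almost one-to-one onto fields of a PodSecurityPolicy and onto the pod spec fields the admission controller inspects. As an added example (not from the talk), here is a miniature of that admission check: a restrictive policy, a pod that asks for roughly everything the policy forbids, and the same workload written to pass. Field names follow the `policy/v1beta1` PodSecurityPolicy API; the policy, the pods and the image name are constructed samples, and the logic is a non-mutating simplification of what the real controller does.

```python
# Constructed sample policy in the shape of a restrictive PodSecurityPolicy spec.
RESTRICTED_PSP = {
    "privileged": False,                        # no privileged containers
    "volumes": ["configMap", "secret", "emptyDir", "persistentVolumeClaim"],
    "runAsUser": {"rule": "MustRunAsNonRoot"},  # refuse uid 0
    "allowedCapabilities": [],                  # nothing may be added
    "requiredDropCapabilities": ["ALL"],        # everything must be dropped
    "readOnlyRootFilesystem": True,             # container rootfs mounted :ro
}


def evaluate(psp, pod):
    """Return a list of violations; an empty list means the pod is admitted."""
    violations = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    # Host directories reach a pod through hostPath volumes, so the allowed
    # volume-type list is what keeps them out.
    for vol in spec.get("volumes", []):
        vtype = next((k for k in vol if k != "name"), None)
        if vtype not in psp["volumes"]:
            violations.append(f"volume {vol['name']}: type {vtype} not allowed")

    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        who = f"container {c['name']}"

        if sc.get("privileged", False) and not psp["privileged"]:
            violations.append(f"{who}: privileged not allowed")

        # Effective uid: the container setting overrides the pod-level one.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        nonroot = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        if psp["runAsUser"]["rule"] == "MustRunAsNonRoot":
            if uid == 0:
                violations.append(f"{who}: runAsUser 0 is root")
            elif uid is None and not nonroot:
                # The real controller would instead default runAsNonRoot: true
                # and let the kubelet verify the image's USER at start-up.
                violations.append(f"{who}: runAsUser unset and runAsNonRoot not true")

        caps = sc.get("capabilities", {})
        for cap in caps.get("add", []):
            if cap not in psp["allowedCapabilities"]:
                violations.append(f"{who}: capability {cap} may not be added")
        for cap in psp["requiredDropCapabilities"]:
            if cap not in caps.get("drop", []):
                violations.append(f"{who}: must drop capability {cap}")

        if psp["readOnlyRootFilesystem"] and not sc.get("readOnlyRootFilesystem", False):
            violations.append(f"{who}: root filesystem must be read-only")

    return violations


# Constructed sample: a pod asking for roughly everything the policy forbids.
BAD_POD = {"spec": {
    "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    "containers": [{"name": "app", "image": "example/app:1",  # placeholder image
                    "securityContext": {"privileged": True, "runAsUser": 0,
                                        "capabilities": {"add": ["SYS_ADMIN"]}}}]}}

# Constructed sample: the same workload written to satisfy the policy.
GOOD_POD = {"spec": {
    "volumes": [{"name": "data", "emptyDir": {}}],
    "containers": [{"name": "app", "image": "example/app:1",  # placeholder image
                    "securityContext": {"runAsUser": 10001,
                                        "readOnlyRootFilesystem": True,
                                        "capabilities": {"drop": ["ALL"]}}}]}}


if __name__ == "__main__":
    for label, pod in (("bad", BAD_POD), ("good", GOOD_POD)):
        print(label, evaluate(RESTRICTED_PSP, pod) or "admitted")
```

The bad pod collects six violations (host volume, privileged, root uid, added capability, missing drop, writable rootfs) and the good pod none, which is the "security vs convenience" trade-off of the next slides in miniature: every field the policy pins down is one the workload must now state explicitly.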
Pod security policies
big demo
security vs convenience
@ciberado
k8s-security
By Javier Moreno