Security  Profile for Docker Container and Kubernetes Pod

  1. Use Case of Security Profile
  2. What is Seccomp
  3. How to Use SecComp
  4. Default Behavior of Seccomp
  5. Demo With SecComp
  6. Tips for Securing Docker Container

Agenda

  1. Restrict your application’s access

  2. Restrict Any Command in Docker Container

  3. Restrict system calls inside docker container

  4. Reduce the attack surface of containers.

Use Cases

Seccomp

  • Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container.
  • Seccomp is a sandboxing facility in the Linux kernel that acts like a firewall for system calls (syscalls).

 

How to use Seccomp?

Pass a profile for a container:

 

They're defined in a JSON file that is applied when a container starts

Demo

Default:
44 system calls are blocked by default for all Docker containers

6 tips for securing your Docker containers

  1.   Choose third-party containers carefully
  2.   Only Use Images from Trusted Sources
  3.   Set resource limits for your containers
  4.   Limit Direct Access to Kubernetes Nodes/Pod/Container
  5.   Use Docker Bench for Security
  6.   Seccomp

 

Made with Slides.com