EPISODE · Apr 29, 2018 · 1H 5M
2018-014- Container Security with Jay Beale
from BrakeSec Education Podcast
Container security
Jay Beale @inguardians, @jaybeale

Containers
  What the heck is a container?
  Linux distribution with a kernel
  Containers run on top of that, sharing the kernel, but not the filesystem
  Namespaces: Mount, Network, Hostname, PID, IPC, Users
  Somebody said we've had containers since before Docker
  Containers started in 2005, with OpenVZ
  Docker was 2013, Kubernetes 2014

Image Security
  CoreOS Clair for vuln scanning images
  Public repos vs private
  Don't keep the image running for so long?
  Don't run as root

More Containment stuff
  Non-privileged containers
  Remap the users, so root in container isn't root outside
  Drop root capabilities
  Seccomp for kernel syscalls
  AppArmor or SELinux

All of above is about Docker, what about Kubernetes
  Get onto most recent version of K8S - 1.7 and 1.8 brought big security improvements
  Network policy (egress firewalls)
  RBAC (define what users and service accounts can do what)
  Use namespaces per tenant and think hard about multi-tenancy
  Use the CIS guides for lockdown of K8S and the host
  Kube-bench

Difference between containers and sandboxing

Roll your own - Containers
  Using public registries - leave you vulnerable
  Use your own private repos for deploying containers
  Reduce attack surface
  Reduce user access
  Automation will allow more security to get baked in.

https://www.infoworld.com/article/3104030/security/5-keys-to-docker-container-security.html
https://blog.blackducksoftware.com/8-takeaways-nist-application-container-security-guide
https://www.vagrantup.com/downloads.html
https://www.vmware.com/products/thinapp.html
https://www.meetup.com/SEASec-East/events/249983387/

S3 buckets / Azure Blobs
https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services
https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html
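The Docker containment items in the notes above (don't run as root, user remapping, dropped capabilities, seccomp, AppArmor) can be checked against a running container's `docker inspect` output. The following is an added example, not code from the episode or from the guests; the container names and the sample JSON are constructed, and the finding strings are this example's own wording.

```python
import json

# Constructed `docker inspect` output for two hypothetical containers.
SAMPLE = json.loads("""
[
 {"Name": "/legacy", "AppArmorProfile": "unconfined",
  "Config": {"User": ""},
  "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"], "CapDrop": null,
                 "UsernsMode": "host",
                 "SecurityOpt": ["seccomp=unconfined", "apparmor=unconfined"]}},
 {"Name": "/web", "AppArmorProfile": "docker-default",
  "Config": {"User": "1000:1000"},
  "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"],
                 "CapDrop": ["ALL"], "UsernsMode": "", "SecurityOpt": null}}
]
""")


def audit(container):
    """Return containment findings for one object from `docker inspect`."""
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    # Older Docker releases wrote "seccomp:unconfined"; normalise to "=".
    opts = {o.replace(":", "=", 1) for o in host.get("SecurityOpt") or []}
    findings = []
    # An empty User means neither image nor run command set one: UID 0.
    if (cfg.get("User") or "").split(":")[0] in ("", "0", "root"):
        findings.append("runs as root")
    # --userns=host opts a container out of the daemon's userns-remap.
    if host.get("UsernsMode") == "host":
        findings.append("opted out of user remapping")
    if host.get("Privileged"):
        findings.append("privileged")
    if not host.get("CapDrop"):
        findings.append("no capabilities dropped")
    added = {c.upper() for c in host.get("CapAdd") or []}
    if added & {"ALL", "SYS_ADMIN", "CAP_SYS_ADMIN"}:
        findings.append("broad capability added")
    if "seccomp=unconfined" in opts:
        findings.append("seccomp disabled")
    if "apparmor=unconfined" in opts or container.get("AppArmorProfile") == "unconfined":
        findings.append("AppArmor disabled")
    return findings


if __name__ == "__main__":
    for c in SAMPLE:
        print(c["Name"], audit(c) or "ok")
```

Daemon-wide user remapping (`userns-remap`) is a daemon setting and does not appear in per-container inspect output, so the script can only detect a container that opts out of it.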