![Page 1: Winder Research SECURE MY SOCKS · (self.docker) submitted 9 days ago * by Rkozak I was logging into Docker hub from my Docker For Windows: Version 1.12.3-beta29.2 (8280) when I mistyped](https://reader035.vdocument.in/reader035/viewer/2022071023/5fd7674b0e2e5901df2bf304/html5/thumbnails/1.jpg)
SECURE MY SOCKS
Exploring Microservice Security in an Open Source Sock Shop
Winder Research
WinderResearch.com
Page 2
Phil Winder
@DrPhilWinder
Visit http://WinderResearch.com
Winder Research: Data Science, Cloud Native
Page 3
Page 4
1. Context
Security, PCI, devops
Page 5
PCI
Who has to concern themselves with PCI compliance?
Page 6
PCI Compliance Tactics (Dev)
Trust? Assume trust, then audit like crazy
Don’t trust? ????
Page 7
Top Tip: Limit the surface area
Page 8
Limiting the surface area
Large surface area Small surface area
Page 9
“PCI compliance does not mean your application is secure”
Page 10
Funnies
Why is docker swearing at me? (self.docker) submitted 9 days ago * by Rkozak
I was logging into Docker hub from my Docker For Windows: Version 1.12.3-beta29.2 (8280) when I mistyped my password.
PS D:\> docker login
Login with your Docker ID to push and pull images from Docker Hub. If you don't have a Docker ID, head over to https://hub.docker.com to create one.
Username (robertkozak):
Password:
Error response from daemon: Get https://registry-1.docker.io/v2/: unauthorized: incorrect username or password fuck you
FYI: the "fuck you" is not what I typed for password so it is not echoing back at me.
UPDATE: it is not happening anymore.
Page 11
SECURITY IS HARD
Failure exploration is the beginning
Icon by http://www.flaticon.com/authors/dave-gandy
Page 12
Failure Exploration: one example
○ Network segmentation and policy
○ Container security
○ Orchestrator security
○ Application security
○ External threats
○ Backup security
○ Organisational issues
○ Responsibility issues
○ ...
If you read this then you’ve read too far
Page 13
Today
○ Container security
○ Network segmentation and policy
Page 14
SOCK SHOP
An open source reference microservices architecture
Icon by http://www.flaticon.com/authors/freepik
Page 15
Page 16
git.io/sock-shop
github.com/microservices-demo/microservices-demo
Page 17
2. Container Security
Page 18
Container-level security aspects
○ Restraint
○ Immutability
○ Provenance
○ Hardened OS’s, modules and policies
Page 19
CONTAINER USER
So you haven’t set a USER?
Icon by http://www.flaticon.com/authors/elias-bikbulatov
Page 20
MD front-end Dockerfile
FROM mhart/alpine-node:6.3
RUN mkdir -p /usr/src/app
WORKDIR /usr/src/app
COPY . /usr/src/app
RUN npm install
ENV NODE_ENV "production"
ENV PORT 8079
EXPOSE 8079
CMD ["npm", "start"]
Page 21
Let’s add some nasties
apk add sl \
    --update-cache \
    --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \
    --allow-untrusted && \
export TERM=xterm && \
sl
Page 22
READ-ONLY
So your filesystem isn’t read-only?
Icon by http://flaticons.net/
Page 23
MD front-end docker-compose
services:
  front-end:
    image: weaveworksdemos/front-end:9093ed8f9be68d2497bcb92587b01db6ac8197fe
    hostname: front-end
    restart: always
Page 24
Let’s add some nasties
echo "<h1>Phil, you’re such a good presenter. Everyone is loving the talk. Even those at the back sleeping. They’re dreaming about you...</h1><img src=\"http://www.mememaker.net/static/images/memes/4395158.jpg\"/>" > public/index.html
Page 25
Capabilities
Kernel-level operation permissions
Icon by http://freepik.com/
Page 26
Page 27
Where haz caps?
Kernel
Container
Orchestrator
Page 28
MD catalogue Dockerfile
FROM busybox:1
EXPOSE 80
COPY app /
CMD ["/app", "-port=80"]
Page 29
MD catalogue Dockerfile
FROM busybox:1
RUN addgroup mygroup && \
    adduser -D -G mygroup myuser
USER myuser
EXPOSE 80
COPY app /
CMD ["/app", "-port=80"]
Page 30
MD catalogue Dockerfile
FROM alpine:3.4
RUN addgroup mygroup && \
    adduser -D -G mygroup myuser && \
    apk add --update libcap
EXPOSE 80
COPY app /
RUN chmod +x /app && \
    chown -R myuser:mygroup /app && \
    setcap 'cap_net_bind_service=+ep' /app
USER myuser
CMD ["/app", "-port=80"]
Page 31
MD docker-compose
services:
  catalogue:
    ...
    cap_drop:
      - all
    cap_add:
      - NET_BIND_SERVICE
    read_only: true
    ...
Page 32
MD kubernetes
---
...
spec:
  containers:
  - name: catalogue
    ...
    securityContext:
      runAsNonRoot: true
      runAsUser: 10001
      capabilities:
        drop:
          - all
        add:
          - NET_BIND_SERVICE
      readOnlyRootFilesystem: true
Page 33
The result?
apk add sl \
    --update-cache \
    --repository http://dl-3.alpinelinux.org/alpine/edge/testing/ \
    --allow-untrusted && \
export TERM=xterm && \
sl
echo "This won’t work" > public/index.html
grep Cap /proc/self/status
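The `grep Cap /proc/self/status` check above prints hex bit masks, which are hard to read by eye. The script below is an added example, not code from the talk or the sock-shop repository: it decodes a CapEff mask into capability names (bit numbers taken from linux/capability.h) and audits a /proc/<pid>/status dump against the deck's user and caps tips. The two status excerpts are constructed. 0x00000000a80425fb is the capability set a stock `docker run` gives a root process, and 0x0000000000000400 is CAP_NET_BIND_SERVICE alone, which is what the `cap_drop: all` plus `cap_add: NET_BIND_SERVICE` configuration above should leave the catalogue binary with.

```shell
#!/bin/sh
# Added example (not from the talk): decode the CapEff mask printed by
# `grep Cap /proc/self/status` and audit a status dump against the
# "user, read-only, caps" tips. Bit numbers follow linux/capability.h
# (CAP_CHOWN = 0 ... CAP_CHECKPOINT_RESTORE = 40); names are printed in
# the lower-case form capsh(1) uses.

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid \
setuid setpcap linux_immutable net_bind_service net_broadcast net_admin \
net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace \
sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config \
mknod lease audit_write audit_control setfcap mac_override mac_admin syslog \
wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_caps HEXMASK -> space-separated cap names, one per set bit
decode_caps() {
    mask=$(( 0x$1 ))
    bit=0
    out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            out="$out cap_$name"
        fi
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "${out# }"
}

# field_from_status FIELD STATUS_TEXT -> first value on the "FIELD:" line
# (for Uid: the real uid; for CapEff: the hex mask)
field_from_status() {
    printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# audit_status STATUS_TEXT ALLOWED_HEXMASK
# Returns 0 when the process is non-root and its effective capabilities
# are a subset of ALLOWED_HEXMASK; prints one FAIL line per finding.
audit_status() {
    uid=$(field_from_status Uid "$1")
    eff=$(( 0x$(field_from_status CapEff "$1") ))
    allowed=$(( 0x$2 ))
    rc=0
    if [ "$uid" -eq 0 ]; then
        echo "FAIL: process runs as root (uid 0)"
        rc=1
    fi
    extra=$(( eff & ~allowed ))
    if [ "$extra" -ne 0 ]; then
        echo "FAIL: unexpected capabilities: $(decode_caps "$(printf '%x' "$extra")")"
        rc=1
    fi
    return $rc
}

# Constructed /proc/<pid>/status excerpts (only the fields read above).
# Stock `docker run`: root with Docker's default 14-capability set.
DEFAULT_STATUS="Name: app
Uid:  0 0 0 0
Gid:  0 0 0 0
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb"

# /app after runAsUser 10001, cap_drop all, cap_add NET_BIND_SERVICE,
# with the file capability applied by setcap in the Dockerfile.
HARDENED_STATUS="Name: app
Uid:  10001 10001 10001 10001
Gid:  10001 10001 10001 10001
CapPrm: 0000000000000400
CapEff: 0000000000000400
CapBnd: 0000000000000400"

ONLY_BIND=0000000000000400

echo "stock container   : $(decode_caps "$(field_from_status CapEff "$DEFAULT_STATUS")")"
echo "hardened container: $(decode_caps "$(field_from_status CapEff "$HARDENED_STATUS")")"
audit_status "$DEFAULT_STATUS" "$ONLY_BIND" || echo "stock container is not hardened"
audit_status "$HARDENED_STATUS" "$ONLY_BIND" && echo "hardened container passes"
```

Against a live container, feed the CapEff value from `grep Cap /proc/1/status` to decode_caps (libcap's `capsh --decode=MASK` gives the same answer). Two caveats. A shell you `docker exec` into the container as myuser shows a CapEff of all zeros: cap_add keeps NET_BIND_SERVICE in the bounding set, but a non-root user only gets it into the effective set through a file capability (the setcap line in the Dockerfile) or ambient capabilities, which is why the slide needed setcap in the first place. And the read-only root filesystem does not show up in /proc at all; probe it directly (`touch /probe` should fail with a read-only file system error) and give the application a tmpfs for any path it genuinely needs to write.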
Page 34
Top Tip: User, read-only, caps.
Page 35
11,788 people taken to hospital following accidents while putting on socks, tights or stockings in the UK, 2003
Page 36
3. Network Segmentation and Policy
Page 37
Image by Remember To Play
Page 38
Page 39
Page 40
Trump’s Firewall
Machine-level firewall
Page 41
Page 42
Network Segmentation
External
Internal
Back-Office
Page 43
Shipping docker-compose
shipping:
  image: weaveworksdemos/shipping
  hostname: shipping
  ...
  networks:
    - backoffice
Page 44
Page 45
Network Segmentation
External
Internal
Back-Office
Page 46
Network Policy
Page 47
Shipping K8s Network Policy
---
apiVersion: extensions/v1beta1
kind: NetworkPolicy
metadata:
  name: shipping-access
  namespace: sock-shop
spec:
  podSelector:
    matchLabels:
      name: shipping
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: orders
    ports:
    - protocol: TCP
      port: 80
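Two things about the policy on the slide that a practitioner should know before copying it. It uses the extensions/v1beta1 API, which current Kubernetes releases no longer serve (NetworkPolicy lives in networking.k8s.io/v1), and on its own it only locks down shipping: any pod in sock-shop that no policy selects stays reachable from every other pod. The script below is an added example, not from the talk or the sock-shop repository: it renders a namespace-wide default-deny ingress policy plus one allow policy per permitted caller from a short edge list. Only the orders-to-shipping edge comes from the slide; the front-end-to-orders edge is a constructed illustration.

```shell
#!/bin/sh
# Added example (not from the talk or the sock-shop repo): render
# networking.k8s.io/v1 NetworkPolicies for a "bouncer" setup: deny all
# ingress in the namespace, then open exactly the edges listed.
# Usage: render_policies NAMESPACE < edges | kubectl apply -f -

# default_deny NAMESPACE
# An empty podSelector matches every pod; an Ingress policyType with no
# ingress rules lets nothing in. Without this, pods that no policy
# selects remain reachable from anywhere in the cluster.
default_deny() {
cat <<EOF
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: $1
spec:
  podSelector: {}
  policyTypes:
  - Ingress
EOF
}

# allow_ingress NAMESPACE TARGET SOURCE PORT
# Let pods labelled name=SOURCE reach pods labelled name=TARGET on TCP PORT
# (the same label scheme as the slide's shipping-access policy).
allow_ingress() {
cat <<EOF
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: $2-from-$3
  namespace: $1
spec:
  podSelector:
    matchLabels:
      name: $2
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          name: $3
    ports:
    - protocol: TCP
      port: $4
EOF
}

# render_policies NAMESPACE  (edge list on stdin: "source target port" per line)
render_policies() {
    default_deny "$1"
    while read -r src dst port; do
        case "$src" in ''|'#'*) continue ;; esac   # skip blanks and comments
        allow_ingress "$1" "$dst" "$src" "$port"
    done
}

# count_policies < manifest -> number of NetworkPolicy objects in the stream
count_policies() {
    grep -c '^kind: NetworkPolicy$'
}

# Constructed edge list. orders -> shipping:80 is the slide's policy;
# front-end -> orders:80 is assumed here for illustration only.
EDGES="# source    target    port
orders      shipping  80
front-end   orders    80"

printf '%s\n' "$EDGES" | render_policies sock-shop
```

NetworkPolicy objects are only enforced by a network plugin that implements them (the "you need a software defined network" tip); with a plugin that does not, the API server accepts them and they are silently ignored. So after applying, verify from the inside: a request to shipping:80 from an orders pod should succeed and the same request from a pod the edge list does not mention should time out.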
Page 48
Top Tip: You need a software-defined network
Page 49
4. Wrap up
Page 50
Let’s review some concepts
User: Set a user in your Dockerfiles so they don’t run as root
Immutable: Make the root container file system read-only
Restraint: Prevent unauthorised execution
Network Segmentation: Prevent inter-network access
Global firewall: Block everything, minimise the surface area
Network Policy: Be a bouncer, tell your containers who’s allowed access
Page 51
WHERE?
git.io/sock-shop
github.com/microservices-demo/microservices-demo
Go, try, star, contribute
Page 52
DONE! Any questions?
Contact me at:
@DrPhilWinder
[email protected]
http://WinderResearch.com