TRANSCRIPT
![Page 1: TEN LAYERS OF CONTAINER SECURITY - Red Hat · features of Red Hat Enterprise Linux.. A stable, reliable host environment with built-in security features that allow you to isolate](https://reader035.vdocument.in/reader035/viewer/2022062402/5ec00fba330a6359db2e8c65/html5/thumbnails/1.jpg)
TEN LAYERS OF CONTAINER SECURITY
Tim Hunt, Kirsten Newcomer
May 2017
ABOUT YOU
Are you using containers?
What’s your role?
● Security professionals
● Developers / Architects
● Infrastructure / Ops
Who considers security part of their job?
VALUE OF CONTAINERS
INFRASTRUCTURE
● Sandboxed application processes on a shared Linux OS kernel
● Simpler, lighter, and denser than virtual machines
● Portable across different environments
APPLICATIONS
● Package my application and all of its dependencies
● Deploy to any environment in seconds and enable CI/CD
● Easily access and share containerized components
WHY ARE WE HAVING THIS CONVERSATION?
SECURING CONTAINERS: THE TOP TEN LIST
1. Container Host & Multi-tenancy
2. Container Content
3. Container Registries
4. Building Containers
5. Deploying Containers
6. Container Platform
7. Network Isolation
8. Storage
9. API Management
10. Federated Clusters
1. CONTAINER HOST & MULTI-TENANCY: THE OS MATTERS
RED HAT ENTERPRISE LINUX: THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS
A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel.
RED HAT ENTERPRISE LINUX ATOMIC HOST
Minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.
SECURITY FEATURES ON BY DEFAULT IN OPENSHIFT
● SELinux: mandatory access control labels that confine each container to its own files and block access to the host and to other containers' data
● Kernel namespaces: separate views of PIDs, mounts, network, IPC, hostname and users per container
● Cgroups: per-container limits on CPU, memory and I/O so one tenant cannot starve another
● Seccomp: a system-call filter that shrinks the kernel attack surface a container can reach
● Capabilities: root privilege split into individually grantable pieces, so a container runs with a reduced set rather than full root
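The five features above are only worth something if the container actually runs with them. The script below is an added example for this slide, not Red Hat or OpenShift code: it reads the fields the Linux kernel exposes in /proc/&lt;pid&gt;/status (CapEff, CapBnd, Seccomp, NoNewPrivs), decodes the capability bitmasks into names, and reports whether the process still holds capabilities that reach the host, whether a seccomp filter is loaded, and whether privilege escalation through setuid binaries is blocked. The two status texts are constructed samples (the first uses the default 14-capability set a stock Docker container gets); the DANGEROUS set is this example's own judgement, not a list from the talk.

```python
"""Check what isolation a process actually has, from its /proc/<pid>/status.

Added example; not Red Hat or OpenShift code. The status texts are constructed.
"""
import os
import re

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# This example's own list of capabilities that give a container a path to the
# host kernel, host devices or other containers' traffic.
DANGEROUS = {"sys_admin", "sys_module", "sys_rawio", "sys_ptrace", "net_admin",
             "net_raw", "dac_read_search", "mknod", "sys_boot", "bpf"}


def decode_caps(mask_hex):
    """Turn a CapXxx hex mask into the set of capability names it grants."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_status(text):
    """Extract the isolation-relevant fields from /proc/<pid>/status text."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(\S+)", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "effective": decode_caps(fields.get("CapEff", "0")),
        "bounding": decode_caps(fields.get("CapBnd", "0")),
        # Seccomp: 0 = disabled, 1 = strict, 2 = filter (a BPF profile is loaded)
        "seccomp": int(fields.get("Seccomp", "0")),
        "no_new_privs": fields.get("NoNewPrivs", "0") == "1",
    }


def audit(status_text):
    """Return findings for one process; an empty list means the sandbox looks sane."""
    s = parse_status(status_text)
    findings = []
    risky = sorted(s["effective"] & DANGEROUS)
    if risky:
        findings.append("effective capabilities with host reach: " + ", ".join(risky))
    # Capabilities dropped from the effective set but still in the bounding set
    # can be re-acquired by a setuid/file-capability binary.
    latent = sorted(s["bounding"] & (DANGEROUS - s["effective"]))
    if latent:
        findings.append("bounding set still permits re-acquiring: " + ", ".join(latent))
    if s["seccomp"] != 2:
        findings.append("no seccomp filter loaded (Seccomp=%d)" % s["seccomp"])
    if not s["no_new_privs"]:
        findings.append("NoNewPrivs unset: setuid binaries inside the container can gain privileges")
    return findings


def audit_pid(pid="self"):
    """Audit a live process; Linux only, since it reads /proc."""
    with open("/proc/%s/status" % pid) as fh:
        return audit(fh.read())


# Constructed samples. CapEff a80425fb is the stock Docker default capability set.
DOCKER_DEFAULT = """Name:\tnginx
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
Seccomp:\t2
"""
HARDENED = """Name:\tnginx
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t0000000000000400
CapAmb:\t0000000000000000
NoNewPrivs:\t1
Seccomp:\t2
"""

if __name__ == "__main__":
    for label, text in (("docker default", DOCKER_DEFAULT), ("hardened", HARDENED)):
        print(label + ":", audit(text) or ["ok"])
    if os.path.exists("/proc/self/status"):
        print("this process:", audit_pid() or ["ok"])
```

Run it inside a container (`python3 audit.py`) to see what the platform really granted: the stock Docker set still includes NET_RAW and MKNOD and leaves NoNewPrivs off, which is why the deployment-policy layer later in this deck matters as much as the host layer.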
2. CONTENT: USE TRUSTED SOURCES
● Are there known vulnerabilities in the application layer?
● Are the runtime and OS layers up to date?
● How frequently will the container be updated and how will I know when it’s updated?
Red Hat rebuilds container images when security fixes are released
2. CONTENT: USE TRUSTED SOURCES (continued)
Consider the breadth and diversity of your software content
● Standardization makes security & ops work easier
● Developers want the latest & greatest for the best features
3. PRIVATE REGISTRIES: SECURE ACCESS TO IMAGES
Image governance & private registries
● Are there access controls on the registry? How strong are they?
● What security metadata is available for your images?
● How is the data kept up to date?
● Red Hat Container Registry
● Certification Catalog
● Trusted content with security updates
● Policies to control who can deploy which containers
[Diagram: two image stacks, each on a host OS: container OS, runtime, app]
4. MANAGING CONTAINER BUILDS
Security & continuous integration
● Layered packaging model supports separation of concerns
● Integrate security testing into your build / CI process
● Use automated policies to flag builds with issues
● Ensure builds always use the latest base image
● Trigger automated CI process
[Diagram: the roles that own the layers: Operations | Architects | Application developers]
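The three slides above (trusted content, registry governance, build gating) turn into one decision in CI: may this freshly built image be promoted, or does it need a rebuild? The gate below is an added example, not OpenShift's build or image-policy code. It takes the kind of data an image scanner and a registry hand back and applies the rules the slides state: the base image must come from a trusted registry, the build must sit on the base-image digest the registry currently publishes (otherwise a security rebuild of the base has happened and the build is stale), and known vulnerabilities above a severity threshold block promotion. The scan report, the registry index, the internal registry hostname and the vulnerability ids are constructed placeholders, not real advisories.

```python
"""CI gate for a freshly built container image.

Added example; not OpenShift's own policy code. All inputs below are constructed.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "rule detail")

POLICY = {
    # Assumption: the organisation trusts exactly these registries for base images.
    "trusted_registries": {"registry.access.redhat.com", "registry.example.internal"},
    # Severities (Red Hat's four-level scale) that block promotion.
    "blocking_severities": {"Critical", "Important"},
}


def registry_of(image_ref):
    """'host/ns/name:tag' -> 'host'. A ref with no host part resolves to the public default."""
    first = image_ref.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def gate_build(report, registry_index, policy=POLICY):
    """Return the findings that block promotion; an empty list means promote."""
    findings = []
    base = report["base_image"]
    reg = registry_of(base["ref"])
    if reg not in policy["trusted_registries"]:
        findings.append(Finding("untrusted-base", "%s was pulled from %s" % (base["ref"], reg)))

    # "Always build on the latest base image": compare the digest the build used
    # with the digest the registry serves for that tag right now.
    published = registry_index.get(base["ref"])
    if published is None:
        findings.append(Finding("unknown-base", "registry publishes no digest for %s" % base["ref"]))
    elif published != base["digest"]:
        findings.append(Finding("stale-base", "built on %s, registry now serves %s: rebuild"
                                % (base["digest"][:15], published[:15])))

    for v in report["vulnerabilities"]:
        if v["severity"] not in policy["blocking_severities"]:
            continue
        rule = "fixable-vuln" if v["fixed_in"] else "unfixed-vuln"
        fix = ("fixed in %s" % v["fixed_in"]) if v["fixed_in"] else "no fix available yet"
        findings.append(Finding(rule, "%s %s in %s, %s" % (v["severity"], v["id"], v["package"], fix)))
    return findings


def should_promote(report, registry_index, policy=POLICY):
    return not gate_build(report, registry_index, policy)


def needs_rebuild(report, registry_index, policy=POLICY):
    return any(f.rule == "stale-base" for f in gate_build(report, registry_index, policy))


# Constructed data: what the registry currently publishes for the base tag.
REGISTRY_INDEX = {"registry.access.redhat.com/rhel7:7.3": "sha256:" + "22" * 32}

# Constructed scanner output; CVE-0000-* are placeholder ids, not real advisories.
STALE_REPORT = {
    "image": "registry.example.internal/shop/cart:1.4.2",
    "base_image": {"ref": "registry.access.redhat.com/rhel7:7.3", "digest": "sha256:" + "11" * 32},
    "vulnerabilities": [
        {"id": "CVE-0000-0001", "package": "openssl", "severity": "Important", "fixed_in": "1.0.2k-8"},
        {"id": "CVE-0000-0002", "package": "glibc", "severity": "Moderate", "fixed_in": None},
    ],
}
CLEAN_REPORT = {
    "image": "registry.example.internal/shop/cart:1.4.3",
    "base_image": {"ref": "registry.access.redhat.com/rhel7:7.3", "digest": "sha256:" + "22" * 32},
    "vulnerabilities": [
        {"id": "CVE-0000-0002", "package": "glibc", "severity": "Moderate", "fixed_in": None},
    ],
}
UNTRUSTED_REPORT = {
    "image": "registry.example.internal/shop/cart:1.4.4",
    "base_image": {"ref": "someone/rhel7-clone:latest", "digest": "sha256:" + "33" * 32},
    "vulnerabilities": [],
}

if __name__ == "__main__":
    for name, rep in (("stale", STALE_REPORT), ("clean", CLEAN_REPORT), ("untrusted", UNTRUSTED_REPORT)):
        print(name, "promote" if should_promote(rep, REGISTRY_INDEX) else gate_build(rep, REGISTRY_INDEX))
```

The stale-base rule is the one teams most often miss: the image may scan clean today because its own layers are fine, but a base-image rebuild for a security fix has already been published, so the build is wired to trigger a rebuild rather than a promotion.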
5. MANAGING CONTAINER DEPLOYMENT
Security & continuous deployment
● Monitor the image registry to automatically replace affected images
● Use policies to gate what can be deployed, e.g. if a container requires root access, prevent deployment
● Monitor application health & behavior
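"If a container requires root access, prevent deployment" is an admission decision over the pod spec. The check below is an added example for this slide and is not OpenShift's Security Context Constraints implementation, though it tests the same properties an SCC does: running as root, privileged mode, capabilities added beyond an allowed set, host namespaces, hostPath volumes, and privilege escalation. A pod is taken as the dict you get from `oc get pod -o json`; the two manifests and the allowed-capability set are constructed assumptions.

```python
"""Admission check: refuse pod specs that ask for more privilege than the platform allows.

Added example; not OpenShift's SCC code. The manifests below are constructed.
"""

# Assumption: the only capability a workload may add back after the default drop.
ALLOWED_ADDED_CAPS = {"NET_BIND_SERVICE"}


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("initContainers", []) + spec.get("containers", [])


def violations(pod):
    """Return the reasons a pod must be rejected; an empty list means admit."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    out = []

    for key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(key):
            out.append("pod: %s=true shares a host namespace" % key)
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            out.append("volume %s: hostPath %s exposes the node filesystem"
                       % (vol["name"], vol["hostPath"].get("path")))

    for c in _containers(pod):
        name, sc = c["name"], c.get("securityContext", {})
        if sc.get("privileged"):
            out.append("container %s: privileged=true" % name)
        # Container-level settings override pod-level ones.
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        # With no explicit non-root user the image's USER decides, which is usually root.
        if uid == 0 or (uid is None and not non_root):
            out.append("container %s: may run as root (set runAsNonRoot or a non-zero runAsUser)" % name)
        added = set(sc.get("capabilities", {}).get("add") or []) - ALLOWED_ADDED_CAPS
        if added:
            out.append("container %s: adds capabilities %s" % (name, ", ".join(sorted(added))))
        if sc.get("allowPrivilegeEscalation", True):
            out.append("container %s: allowPrivilegeEscalation is not false" % name)
    return out


def admit(pod):
    return not violations(pod)


# Constructed manifests.
BAD_POD = {
    "metadata": {"name": "debug-tools"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "shell",
            "image": "registry.example.internal/tools/shell:1",
            "securityContext": {"privileged": True, "runAsUser": 0,
                                "capabilities": {"add": ["SYS_ADMIN", "NET_BIND_SERVICE"]}},
        }],
    },
}
GOOD_POD = {
    "metadata": {"name": "cart"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1001},
        "containers": [{
            "name": "cart",
            "image": "registry.example.internal/shop/cart:1.4.3",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, GOOD_POD):
        print(pod["metadata"]["name"], "admitted" if admit(pod) else violations(pod))
```

The same logic is what you would put behind a validating admission webhook; the point of keeping it as a pure function over the manifest is that the CI pipeline can run it against rendered templates before anything reaches the cluster.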
6. CONTAINER ORCHESTRATION & SECURITY
[Platform layer diagram, top to bottom:]
● Networking | Security | Storage | Registry | Logs & Metrics
● Container Orchestration & Cluster Management (Kubernetes)
● Infrastructure Automation & Cockpit
6. CONTAINER ORCHESTRATION & SECURITY (continued)
SECURITY
● RBAC
● PAM
● Secrets management
● Certificate management
● Auditing
LOGS & METRICS
● Monitoring
Version callouts on the slide: enhanced in 3.5; further enhancements targeted for 3.6; integration with external logging systems in 3.4
+ All access to the master is over TLS; API server access is X.509 certificate or token based
7. CONTAINER MULTITENANCY & NETWORK DEFENSE
● Segment traffic to isolate users, teams, applications within a single cluster
● Manage egress traffic to meet existing firewall policies
● Tech-preview network policy plug-in allows isolation policies to be configured for individual pods
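The per-pod isolation the tech-preview plug-in provides is the Kubernetes NetworkPolicy API, and its semantics trip people up: a pod that no policy selects accepts traffic from anywhere, and the moment any policy selects it, only traffic matching some policy's ingress rule gets through. The evaluator below is an added example, not the OpenShift SDN plug-in; it implements those ingress semantics for podSelector and namespaceSelector peers with matchLabels selectors (matchExpressions and ipBlock peers are left out). The namespaces, policies and pods are constructed.

```python
"""Evaluate Kubernetes NetworkPolicy ingress isolation between two pods.

Added example; not the OpenShift SDN plug-in. Namespaces, policies and pods are constructed.
"""


def selector_matches(selector, labels):
    """matchLabels semantics: every listed label must be present with that value.
    An empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in (selector or {}).get("matchLabels", {}).items())


def peer_matches(peer, policy_ns, src, namespaces):
    """Does one entry of an ingress rule's `from` list cover the source pod?"""
    ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector")
    if ns_sel is None and pod_sel is None:
        return False                        # ipBlock peers are not modelled here
    if ns_sel is None:
        if src["namespace"] != policy_ns:   # podSelector alone: the policy's own namespace only
            return False
    elif not selector_matches(ns_sel, namespaces[src["namespace"]]):
        return False
    return pod_sel is None or selector_matches(pod_sel, src["labels"])


def port_matches(ports, port, protocol="TCP"):
    if not ports:
        return True                         # no ports listed: the rule covers every port
    return any(p.get("port") == port and p.get("protocol", "TCP") == protocol for p in ports)


def ingress_allowed(policies, namespaces, src, dst, port):
    """May traffic from pod `src` reach pod `dst` on TCP `port`?"""
    selecting = [
        p for p in policies
        if p["namespace"] == dst["namespace"]
        and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
        and selector_matches(p["spec"].get("podSelector", {}), dst["labels"])
    ]
    if not selecting:
        return True                         # unselected pod: Kubernetes default is allow-all
    for pol in selecting:
        for rule in pol["spec"].get("ingress") or []:
            froms = rule.get("from") or []
            src_ok = not froms or any(peer_matches(f, pol["namespace"], src, namespaces) for f in froms)
            if src_ok and port_matches(rule.get("ports") or [], port):
                return True
    return False


# Constructed cluster state: namespace labels, two policies in "shop", none in "analytics".
NAMESPACES = {"shop": {"team": "shop"}, "analytics": {"team": "analytics"}}
POLICIES = [
    {   # default deny: selects every pod in shop and allows nothing
        "namespace": "shop",
        "spec": {"podSelector": {}, "policyTypes": ["Ingress"], "ingress": []},
    },
    {   # frontend pods in shop may reach cart on 8080
        "namespace": "shop",
        "spec": {
            "podSelector": {"matchLabels": {"app": "cart"}},
            "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}],
                         "ports": [{"protocol": "TCP", "port": 8080}]}],
        },
    },
]
FRONTEND = {"namespace": "shop", "labels": {"app": "frontend"}}
CART = {"namespace": "shop", "labels": {"app": "cart"}}
BATCH = {"namespace": "analytics", "labels": {"app": "batch"}}

if __name__ == "__main__":
    for s, d, port in ((FRONTEND, CART, 8080), (FRONTEND, CART, 9090), (BATCH, CART, 8080), (CART, BATCH, 5000)):
        print(s["labels"]["app"], "->", d["labels"]["app"], port, ingress_allowed(POLICIES, NAMESPACES, s, d, port))
```

Two results are worth noting: a peer with only a podSelector matches pods in the policy's own namespace, so the analytics batch job is refused even with the right label, and the analytics namespace, having no policy at all, still accepts traffic from the shop namespace. Tenancy boundaries need a default-deny policy in every namespace, not just the ones that got attention.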
8. ATTACHED STORAGE
Secure storage by using
● SELinux access controls
● Secure mounts
● Supplemental group IDs for shared storage
9. API MANAGEMENT
Container platform & application APIs
● Authentication and authorization
● LDAP integration
● End-point access controls
● Rate limiting
10. FUTURE: FEDERATED CLUSTERS: ROLES & ACCESS MANAGEMENT
Securing federated clusters across data centers or environments
● Authentication and authorization
● API endpoints
● Secrets
● Namespaces
Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016
BRINGING IT ALL TOGETHER
[Architecture diagram, top to bottom:]
● Containers: Business Automation | Integration | Data & Storage | Web & Mobile
● OpenShift Application Lifecycle Management (CI/CD): Build Automation | Deployment Automation
● Service Catalog (Language Runtimes, Middleware, Databases): Self-Service
● Infrastructure Automation & Cockpit
● Networking | Storage | Registry | Logs & Metrics | Security
● Container Orchestration & Cluster Management (Kubernetes)
● Container Runtime & Packaging (Docker)
● Enterprise Container Host: Red Hat Enterprise Linux Atomic Host
● Physical | Virtual | Private cloud | Public cloud
Ten Layers of Container Security
READ THE WHITEPAPER
THANK YOU
plus.google.com/+RedHat
linkedin.com/company/red-hat
youtube.com/user/RedHatVideos
facebook.com/redhatinc
twitter.com/RedHatNews