Leveraging the Serverless Architecture for Securing Linux Containers

Similar documents
Kubernetes Integration Guide

Containers, Serverless and Functions in a nutshell. Eugene Fedorenko

ForeScout Extended Module for Symantec Endpoint Protection

CONTAINERS AND MICROSERVICES WITH CONTRAIL

The Art of Container Monitoring. Derek Chen

TEN LAYERS OF CONTAINER SECURITY

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Infoblox IPAM Driver for Kubernetes User's Guide

Infoblox IPAM Driver for Kubernetes. Page 1

Run containerized applications from pre-existing images stored in a centralized registry

/ Cloud Computing. Recitation 5 September 26 th, 2017

How Container Runtimes matter in Kubernetes?

Red Hat Roadmap for Containers and DevOps

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

The Long Road from Capistrano to Kubernetes

Growth of Docker hub pulls

Important DevOps Technologies (3+2+3days) for Deployment

Harbor Registry. VMware VMware Inc. All rights reserved.

SBB. Java User Group 27.9 & Tobias Denzler, Philipp Oser

/ Cloud Computing. Recitation 5 February 14th, 2017

gcp / gke / k8s microservices

MQ High Availability and Disaster Recovery Implementation scenarios

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Securing the Modern Data Center with Trend Micro Deep Security

Containers Infrastructure for Advanced Management. Federico Simoncelli Associate Manager, Red Hat October 2016

Defining Security for an AWS EKS deployment

AWS Integration Guide

SentinelOne Technical Brief

Building A Better Test Platform:

ASP.NET Core & Docker

Kuber-what?! Learn about Kubernetes

Pontoon An Enterprise grade serverless framework using Kubernetes Kumar Gaurav, Director R&D, VMware Mageshwaran R, Staff Engineer R&D, VMware

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

SentinelOne Technical Brief

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

An Introduction to Kubernetes

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

Exam : Implementing Microsoft Azure Infrastructure Solutions

Setting up Kubernetes with Day 2 in Mind. Angela Chin, Senior Software Engineer, Pivotal Urvashi Reddy, Senior Software Engineer, Pivotal

Developing Microsoft Azure Solutions (70-532) Syllabus

RECap: RunEscape Capsule for On-demand Managed Service Delivery in the Cloud

Running MarkLogic in Containers (Both Docker and Kubernetes)

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

IBM Bluemix compute capabilities IBM Corporation

CoreOS and Red Hat. Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018

Hacking and Hardening Kubernetes

Red Hat Atomic Details Dockah, Dockah, Dockah! Containerization as a shift of paradigm for the GNU/Linux OS

Developing Microsoft Azure Solutions (70-532) Syllabus

Kubernetes 101. Doug Davis, STSM September, 2017

Cloud I - Introduction

LAB EXERCISE: RedHat OpenShift with Contrail 5.0

Disclaimer This presentation may contain product features that are currently under development. This overview of new technology represents no commitme

Wolfram Richter Red Hat. OpenShift Container Netzwerk aus Sicht der Workload

VMWARE PIVOTAL CONTAINER SERVICE

SQL Server on Linux and Containers

McAfee Endpoint Security

Symantec Endpoint Protection Family Feature Comparison

UP! TO DOCKER PAAS. Ming

Developing Kubernetes Services

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

Building Microservices with the 12 Factor App Pattern

TEN LAYERS OF CONTAINER SECURITY

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

DevOps Anti-Patterns. Have the Ops team deal with it. Time to fire the Ops team! Let s hire a DevOps unit! COPYRIGHT 2019 MANICODE SECURITY

Designing MQ deployments for the cloud generation

Qualys Cloud Platform

Automating Security Practices for the DevOps Revolution

Container Deployment and Security Best Practices

Kubernetes introduction. Container orchestration

Building an on premise Kubernetes cluster DANNY TURNER

VMWARE ENTERPRISE PKS

Microservice Bus Tutorial. Huabing Zhao, PTL of MSB Project, ZTE

VMWARE PKS. What is VMware PKS? VMware PKS Architecture DATASHEET

Kubernetes. An open platform for container orchestration. Johannes M. Scheuermann. Karlsruhe,

RED HAT QUAY. As part of OCP Architecture Workshop. Technical Deck

Think Small to Scale Big

Kubernetes: Twelve KeyFeatures

Overview of Container Management

70-532: Developing Microsoft Azure Solutions

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

Investigating Containers for Future Services and User Application Support

Contrail Networking: Evolve your cloud with Containers

Code: Slides:

Red Hat CloudForms 4.6

StreamSets Control Hub Installation Guide

agenda PAE Docker Docker PAE

Deep Insights: High Availability VMs via a Simple Host-to-Guest Interface OpenStack Masakari Greg Waines (Wind River Systems)

Infoblox Kubernetes1.0.0 IPAM Plugin

Multi-Arch Layered Image Build System

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Implementing SaaS on Kubernetes

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

DevOps Technologies. for Deployment

Table of Contents DevOps Administrators

Kubernetes. Introduction

Question: 2 Kubernetes changed the name of cluster members to "Nodes." What were they called before that? Choose the correct answer:

Securing Microservices Containerized Security in AWS

CNA1699BU Running Docker on your Existing Infrastructure with vsphere Integrated Containers Martijn Baecke Patrick Daigle VMworld 2017 Content: Not fo

Kubernetes Love at first sight?

Transcription:

Leveraging the Serverless Architecture for Securing Linux Containers Nilton Bila, Paolo Dettori, Ali Kanso, Yuji Watanabe*, Alaa Youssef IBM T.J. Watson Research Center New York *IBM Research - Tokyo, IBM Japan Ltd. Ali Kanso, PhD Senior CloudSW Engineer IBM T.J. Watson, NY

Leveraging the Serverless Architecture for Securing Linux Containers

Shipping Code Binary exe elf Packaged JAR WAR Gem Containerized Images (dockerfiles) But Container images can have vulnerabilities baked in them!

Software Vulnerabilities Package Vulnerability E.g.: Ghost Vulnerability in glibc library < 2.18 (2000à2013) Configuration Vulnerability E.g.: OpenSSH installed & #PasswordAuthentication yes #PermitEmptyPasswords Yes (or even no) Malware Signature E.g.: - Viruses - Worms - SpyWares - Trojan Horses

Scanning for Vulnerabilities ü Scan images and deployed containers ü Vulnerabilities in installed software packages ü Security configuration checks ü Malware signature detection IBM Vulnerability Advisor DockerSecurity Scanning

Clustering Containers Clustering can be overwhelming Kubernetes can help

What is Kubernetes? Applications Containerized Clustered ü Scheduling ü Monitoring ü Recovery management ü Auto-scaling ü Authorization/Authentica tion Master Node Kubernetes master ü Monitoring ü Reporting ü Executing master s recommendations Worker Node (Minion) Containerized apps Containerized apps Containerized apps Kubernetes agent

Kubernetes Resource Organization Example pod description kind: Pod metadata: name: mypod spec: containers: - name: sleep-forever image: pause:0.8.0 resources: limits: memory: 1000Mi

K8s APIs Core Group monolithic v1 API Extensions Group REST path /api/v1 ü Pods ü Services ü Replication controllers ü Resource quotas ü Nodes ü Endpoints ü REST path /apis/extensions/$version ü Deployments ü HorizontalPodAutoscalers ü Ingress ü Jobs ü DaemonSets ü Third party resources ü

K8s Operators K8s API Third party resources Operators <<Leverage>> <<Extend>>

K8s Third Party Resource (TPR) http://192.168.0.15:8080/apis/myorg.com/v1/namespaces/default/securityactions/quarantine <<CRUD operations>> K8s Master (API server) API path Ø TPR Ø Securityactions Ø quarantine Resource instance: reflecting the desired state Security action, to quarantine or delete container <<Watch & react>> Third-Party Software (executable) Controller: bridging the actual state with the desired state

Kubernetes Limitation K8s does not implement the needed range of actions to contain a threat Limited to: Kill pod, Rolling-Upgrade (involves killing) We need to have severity-based actions! Package Vulnerability Quarantine until patched Configuration Vulnerability Gracefully shutdown and preserve state for future investigation Malware Signature Immediate kill

Introducing the Security Enforcement Operator Kubernetes master Kubernetes Worker K8s API-server Docker OS Docker Pods Pods SEO OS Net-plugin ü Quarantine/Unqarantine ü Pause/unpause ü Stop/start ü Fast-delete ü Graceful-delete Based on scanning results

Vulnerability Scanner ingest threat data periodically Thread Intelligence K8s Image Workers Registries scan images Registry Monitor VS-agent image configuration information Vulnerability Scanner security configuration checks package vulnerability detection Notification + summary of vulnerability findings? malware signature detection K8s Worker K8s Workers Nodes Pods Pods scan deployed containers VS-agent container configuration information (Report from Vulnerability Advisor)

VS Report Example Identify specific software package versions in the container with disclosed vulnerabilities Identify specific issues with the container configurations

Leveraging the Serverless Architecture for Securing Linux Containers

Introducing OpenWhisk Add/Remove/Modify Action based policies? Policies Policies OpenWhisk CRUD operations K8s K8s API API server server VS K8s K8s Workers Workers Pods Pods SEO VS-agent

Why OpenWhisk? OpenWhisk is the Glue between VS and K8s, it enables: Different policies for different users Multiple Clusters register to the same OpenWhisk deployment Central point of policy management across clusters Action based policies

Report API and Notifications on Vulnerability Scanner Supports scans for multiple registered Kubernetes clusters. Provide RESTful APIs for access to Vulnerability reports for each container Use authentication token to restrict access to cluster data at the granularity of Kubernetes namespaces. Notify events with new vulnerability findings to registered OpenWhisk API endpoints. Trigger action invocations to the OpenWhisk API endpoints registered for the Kubernetes cluster.

Notifications User creates action with known URL endpoint: https://openwhisk.ng.bluemix.net/api/v1/web/<user>/policy Vulnerability Scanner posts vulnerability notification to policy endpoint { clusterid : xyz, podid : nginx- 3382653011-3p4p0, vulnerability_type : package, vulnerability_status : vulnerable } Per User Policy!

Serverless Policy import vs import kubernetes User1: marketing def main(params): findings = vs.get_findings(pod_id, timestamp) vulnerable_packages = findings['vulnerable_packages'] insecure_configs = findings['insecure_configurations'] if len(vulnerable_packages) > 0: kubernetes.snapshot(pod_id) kubernetes.terminate_graceful(pod_id) return {'text': 'Deleted pod ' + pod_id } if 'remote_shell_installed' in insecure_configs: kubernetes.quarantine(pod_id) Terminate_faste(pod_id) return {'text': 'Quarantined pod ' + pod_id} Terminated pod return {'text': 'Container was not modified ' + pod_id} User2: accounting

Interaction Summary K8s VS OpenWhisk SEO Networking New Pod created Scanning triggered Vulnerability found Execute policy Quarantine Pod Quarantine Pod Quarantine container(s) Pod quarantined Container(s) quarantined Threat contained

Related Work Securing Containers Starlight implements a kernel module that intercepts local operations on each host and passes them to a local agent which in turn passes them to an event processor that analyzes the event and determines whether or not to alert the admin. Using Serverless in the Cloud Lambdefy framework to demonstrate the differing requirements between applications deployed to IaaS and applications deployed as a cloud event, and Media Management System for showing high scalability of image resizing tasks on Lambda. LiCShield generates AppArmor profiles by tracing the container engine (Docker daemon) during the build and the execution of the containers. Container Scanners OpenSCAP (Security Content Automation Protocol) searches for an appropriate fix element, resolves it, prepares the environment, and executes the fix script. Docker Security Scanning can scan images in private repositories to verify that they are free from known security vulnerabilities or exposures, and report the results of the scan for each image tag

That s it! Questions? OpenWhisk Leveraging the Serverless Architecture for Securing Linux Containers Vulnerability scanner Security Enforcement Operator Kubernetes

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback