TEN LAYERS OF CONTAINER SECURITY

Similar documents
TEN LAYERS OF CONTAINER SECURITY

TEN LAYERS OF CONTAINER SECURITY. Kirsten Newcomer Security Strategist

Red Hat Roadmap for Containers and DevOps

Container Security. Daniel J Walsh Consulting Engineer Blog: danwalsh.livejournal.com

Container in Production : Openshift 구축사례로 이해하는 PaaS. Jongjin Lim Specialist Solution Architect, AppDev

What s New in Red Hat OpenShift Container Platform 3.4. Torben Jäger Red Hat Solution Architect

Red Hat OpenShift Roadmap Q4 CY16 and H1 CY17 Releases. Lutz Lange Solution

Container Deployment and Security Best Practices

CONTAINERS AND MICROSERVICES WITH CONTRAIL

Taming your heterogeneous cloud with Red Hat OpenShift Container Platform.

Red Hat CloudForms 4.6

Amir Zipory Senior Solutions Architect, Redhat Israel, Greece & Cyprus

Docker A FRAMEWORK FOR DATA INTENSIVE COMPUTING

Container Security. Marc Skinner Principal Solutions Architect

Identity Management and Compliance in OpenShift

Securing Containers on the High Seas. Jack OWASP Belgium September 2018

Backup strategies for Stateful Containers in OpenShift Using Gluster based Container-Native Storage

Security oriented OpenShift within regulated environments

Accelerate at DevOps Speed With Openshift v3. Alessandro Vozza & Samuel Terburg Red Hat

Go Faster: Containers, Platforms and the Path to Better Software Development (Including Live Demo)

Red Hat CloudForms 4.5

Cloud & container monitoring , Lars Michelsen Check_MK Conference #4

OpenShift 3 Technical Architecture. Clayton Coleman, Dan McPherson Lead Engineers

Linux Containers Roadmap Red Hat Enterprise Linux 7 RC. Bhavna Sarathy Senior Technology Product Manager, Red Hat

Red Hat CloudForms 4.6

ACCELERATE APPLICATION DELIVERY WITH OPENSHIFT. Siamak Sadeghianfar Sr Technical Marketing Manager, April 2016

AGILE RELIABILITY WITH RED HAT IN THE CLOUDS YOUR SOFTWARE LIFECYCLE SPEEDUP RECIPE. Lutz Lange - Senior Solution Architect Red Hat

Building Kubernetes cloud: real world deployment examples, challenges and approaches. Alena Prokharchyk, Rancher Labs

Kubernetes Integration Guide

ViryaOS RFC: Secure Containers for Embedded and IoT. A proposal for a new Xen Project sub-project

Multi-Arch Layered Image Build System

OpenShift Hyper-Converged Infrastructure Bare Metal Deployment with Containerized Gluster

Przyspiesz tworzenie aplikacji przy pomocy Openshift Container Platform. Jarosław Stakuń Senior Solution Architect/Red Hat CEE

S Implementing DevOps and Hybrid Cloud

Hacking and Hardening Kubernetes

OPENSTACK Building Block for Cloud. Ng Hwee Ming Principal Technologist (Telco) APAC Office of Technology

VMWARE PIVOTAL CONTAINER SERVICE

Red Hat Containers Roadmap. Red Hat A panel of product directors

Dan Williams Networking Services, Red Hat

OpenShift Dedicated 3 Release Notes

How Container Runtimes matter in Kubernetes?

RED HAT'S CONTAINER STRATEGY. Lars Herrmann General Manager, RHEL, RHEV and Containers June 24, 2015

WHITE PAPER. RedHat OpenShift Container Platform. Benefits: Abstract. 1.1 Introduction

VMWARE PKS. What is VMware PKS? VMware PKS Architecture DATASHEET

CoreOS and Red Hat. Reza Shafii Joe Fernandes Brandon Philips Clayton Coleman May 2018

OPENSHIFT FOR OPERATIONS. Jamie Cloud Guy - US Public Sector at Red Hat

Red Hat Container Strategy Ahmed El-Rayess

Securing Microservices Containerized Security in AWS

Convergence of VM and containers orchestration using KubeVirt. Chunfu Wen

RED HAT OPENSHIFT CONTAINER PLATFORM REFERENCE ARCHITECTURE FOR PCI DSS V3.2.1

A DEVOPS STATE OF MIND WITH DOCKER AND KUBERNETES. Chris Van Tuin Chief Technologist, West

Containers: Exploits, Surprises, And Security

Containers Infrastructure for Advanced Management. Federico Simoncelli Associate Manager, Red Hat October 2016

Security Practices in OpenShift

VMware Integrated OpenStack with Kubernetes Getting Started Guide. VMware Integrated OpenStack 4.0

Red Hat Cloud Suite 1.1

VMWARE ENTERPRISE PKS

Think Small to Scale Big

EASILY DEPLOY AND SCALE KUBERNETES WITH RANCHER

Authorized Source IP for OpenShift Project

Overview of Container Management

Kubernetes 101. Doug Davis, STSM September, 2017

RED HAT GLUSTER TECHSESSION CONTAINER NATIVE STORAGE OPENSHIFT + RHGS. MARCEL HERGAARDEN SR. SOLUTION ARCHITECT, RED HAT BENELUX April 2017

RED HAT OPENSHIFT A FOUNDATION FOR SUCCESSFUL DIGITAL TRANSFORMATION

Red Hat Quay 2.9 Deploy Red Hat Quay on OpenShift

Red Hat JBoss Middleware for OpenShift 3

OpenShift Roadmap Enterprise Kubernetes for Developers. Clayton Coleman, Architect, OpenShift

Table of Contents DevOps Administrators

Table of Contents 1.1. Introduction. Overview of vsphere Integrated Containers 1.2

Investigating Containers for Future Services and User Application Support

Learn. Connect. Explore.

OPENSHIFT 3.7 and beyond

개발자와운영자를위한 DevOps 플랫폼 OpenShift Container Platform. Hyunsoo Senior Solution Architect 07.Feb.2017

Container Management : First Looks

Table of Contents 1.1. Overview. Containers, Docker, Registries vsphere Integrated Containers Engine

A DEVOPS STATE OF MIND. Chris Van Tuin Chief Technologist, West

This document (including, without limitation, any product roadmap or statement of direction data) illustrates the planned testing, release and

Securing ArcGIS Services

I keep hearing about DevOps What is it?

Infrastructure Security 2.0

A Greybeard's Worst Nightmare

Creating a Reproducible Build System for Docker Images

MOBILIZING AND SECURING RED HAT JBOSS BPM SUITE & BRMS

You Have Stateful Apps - What if Kubernetes Would Also Run Your Storage?

Top Nine Kubernetes Settings You Should Check Right Now to Maximize Security

NGINX: From North/South to East/West

WHEN CONTAINERS AND VIRTUALIZATION DO - AND DON T - WORK TOGETHER

One year of Deploying Applications for Docker, CoreOS, Kubernetes and Co.

TRAINING AND CERTIFICATION UPDATE

Introduction to Container Technology. Patrick Ladd Technical Account Manager April 13, 2016

FISMA COMPLIANCE FOR CONTAINERIZED APPS

EVERYTHING AS CODE A Journey into IT Automation and Standardization. Raphaël Pinson

Kubernetes made easy with Docker EE. Patrick van der Bleek Sr. Solutions Engineer NEMEA

A10 HARMONY CONTROLLER

Secure Kubernetes Container Workloads

Docker Universal Control Plane Deploy and Manage On-Premises, Your Dockerized Distributed Applications

TECHNICAL BRIEF. Scheduling and Orchestration of Heterogeneous Docker-Based IT Landscapes. January 2017 Version 2.0 For Public Use

Introduction to Kubernetes

P a g e 1. Teknologisk Institut. Online kursus k SysAdmin & DevOps Collection

Cloud I - Introduction

Transcription:

TEN LAYERS OF CONTAINER SECURITY A Deeper Dive

2 WHAT ARE CONTAINERS? It depends on who you ask... INFRASTRUCTURE APPLICATIONS Sandboxed application processes on a shared Linux OS kernel Simpler, lighter, and denser than virtual machines Portable across different environments Package my application and all of its dependencies Deploy to any environment in seconds and enable CI/CD Easily access and share containerized components

3 SECURING CONTAINERS: LAYERS & LIFECYCLE 1. Container Host & Multi-tenancy 2. Container Content 3. Container Registries 4. Building Containers 5. Deploying Containers 6. Container Platform 7. Network Isolation 8. Storage 9. API Management 10. Federated Clusters

4 1 CONTAINER HOST & MULTI-TENANCY THE OS MATTERS RED HAT ENTERPRISE LINUX RED HAT ENTERPRISE LINUX ATOMIC HOST THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel. Minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.. SELinux Kernel namespaces Cgroups Seccomp R/O Mounts

5 1 Namespaces - Process Isolation Namespaces Mount UTC IPC PID Network

6 1 SELINUX - MAC - MCS SElinux is a LABELING system Every Process has a Label Every file, Directory, System object has a Label Policy rules control access between labeled processes and labeled objects The Kernel enforces the rules

7 1 SELINUX - MAC - MCS - Process system_u:system_r:container_runtime_t:s0 [root@osemaster ~]# ps -efz grep docker-containerd-shim-current system_u:system_r:container_runtime_t:s0 root 3035 1479 0 Feb15? 00:00:01 /usr/bin/docker-containerd-shim-current 4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /var/run/docker/libcontainerd/4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /usr/libexec/docker/docker-runc-current The OOTB SElinux policy container.te defines what you can execute and access with the label container_runtime_t SElinux Policy module for the container

8 1 SELINUX - MAC - MCS - Files container_var_lib_t / svirt_sandbox_file_t [root@osemaster ~]# ls -lz /var/lib/docker/containers/97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737 / -rw-r-----. root root system_u:object_r:container_var_lib_t:s0 97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737-json.log -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 config.v2.json -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 hostconfig.json -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 hostname -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 hosts -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 resolv.conf -rw-r--r--. root root system_u:object_r:container_var_lib_t:s0 resolv.conf.hash drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 secrets drwx------. root root system_u:object_r:container_var_lib_t:s0 shm SElinux Policy module for the container

9 1 SELINUX TO THE RESCUE On-entry container attack - CVE-2016-9962 On Red Hat systems with SELinux enabled, the dangers of even privileged containers are mitigated. SELinux prevents container processes from accessing host content even if those container processes manage to gain access to the actual file descriptors.

10 1 SECCOMP - DROPPING PRIVILEGES FROM CONTAINERS CAP_SETPCAP CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_NET_ADMIN CAP_SYS_ADMIN Modify process capabilities Insert/Remove kernel modules Modify Kernel Memory Configure process accounting Modify Priority of processes Override Resource Limits Modify the system clock Configure tty devices Write the audit log Configure Audit Subsystem Ignore Kernel MAC Policy Configure MAC Configuration Modify Kernel printk behaviour Configure the network: - Setting the hostname/domainname - mount(),unmount() - nfsservctl -.

11 1 SECCOMP - REMOVE PRIVILEGES FROM CONTAINERS A root user inside a container running in OpenShift has none of the previous capabilities available!

12 1 READ ONLY MOUNTS /sys /proc/sys /proc/sysrg-trigger /proc/irq /proc/bus

13 1 Cgroups - Resource Isolation Container 1 slice CPU Memory Network Storage / IO Container 2 slice

14 2 CONTENT: USE TRUSTED SOURCES Are there known vulnerabilities in the application layer? Are the runtime and OS layers up to date? How frequently will the container be updated and how will I know when it s updated? Red Hat rebuilds container images when security fixes are released

15 2 CONTENT: SCAN YOUR IMAGES (ATOMIC SCAN)

16 2 VULNERABLE? CLOUDFORMS TAKES ACTION!

17 2 VULNERABLE? CLOUDFORMS TAKES ACTION!

18 2 VULNERABLE? CLOUDFORMS TAKES ACTION!

19 2 PREVENT IMAGE FROM RUNNING CloudForms sets the following annotations to prevent the image from running. image.openshift.io/deny-execution: true openshift.io/image.managed: true security.manageiq.org/failed-policy: openscap policy

20 2 PREVENT IMAGE FROM RUNNING

21 3 REGISTRIES: WHERE DO YOUR CONTAINERS COME FROM? Public and private registries What security meta-data is available for your images? Are the images in the registry updated regularly? Are there access controls on the registry? How strong are they? CONTAINER APP RUNTIME OS HOST OS Red Hat Container Registry Policies to control who can deploy which containers Certification Catalog Trusted content with security updates CONTAINER APP RUNTIME OS HOST OS

22 3 Is your registry secure and available?

23 3 RED HAT CONTAINER REGISTRY - LOCAL AND SECURE WITH RBAC

24 3 RESTRICT WHERE YOUR CONTAINERS COME FROM? - name: allow-images-from-internal-registry onresources: - resource: pods - resource: builds matchintegratedregistry: false - name: allow-images-from-dockerhub onresources: - resource: pods - resource: builds matchregistries: - docker.io

25 4 MANAGING CONTAINER BUILDS Security & continuous integration Layered packaging model supports separation of concerns Integrate security testing into your build / CI process Use automated policies to flag builds with issues Trigger automated rebuilds Operations Architects Application developers

26 4 MANAGING CONTAINER BUILDS https://www.youtube.com/watch?v=65bntlcdaji

27 5 OPENSHIFT GET UPDATED IMAGE

28 5 CONTAINER DEPLOYMENT PERMISSIONS (SCC)

29 6 CONTAINER ORCHESTRATION AUTHENTICATION & AUTHORIZATION Use a container orchestration platform with integrated security features including Role-based Access Controls with LDAP and OAuth2 integration Integrated Registry Integrated CI/CD with configurable policies Integrated host OS with embedded security features Network management Storage plug-ins API management

30 6 CONTAINER ORCHESTRATION AUTHENTICATION & AUTHORIZATION (Master) X509 1010101010101010101 0101010101010101010 1010101010101010101 01011010 Quota etcd etcd

31 6 OAuth API Authentication OpenShift includes an OAuth server, which does three things: Identifies the person requesting a token, using a configured identity provider Determines a mapping from that identity to an OpenShift user Allows multiple identities to map to the same OpenShift user Allows deconflicting between identity provider roles Issues an OAuth access token which authenticates that user to the API

32 6 API Authorization - Role Based Role-based Matches request attributes (verb,object,etc) If no roles match, request is denied ( deny by default ) Operator- and user-level roles are defined by default Custom roles are supported

33 6 End to End Two Way SSL Encryption https://developers.redhat.com/blog/2017/01/24/end-to-end-encryption-with-openshift-part-1-two-way-ssl/

6 Isolate Hosts By Region $ oadm new-project myproject \ --node-selector='type=user-node,region=east' Node 1 east pod pod Node 2 east 34 Master / Scheduler Node 1 west Node 2 west

35 7 NETWORK DEFENSE Use network namespaces to Isolate applications from other applications within a cluster Isolate environments (Dev / Test / Prod) from other environments within a cluster

36 7 OVS Bridge jboss-pod 10.129.0.2:8080 hrm-pod 10.129.0.23:8443 Node 1 lbr brx lbr VNID 0 VNID 0 vxlan OVS Bridge brx lbr Route: Jboss.app.redhat.com:80 -> Endpoints: 10.129.0.2:8080 10.129.0.4:8080 VNID 0 VNID 0 Route: hrm.app.redhat.com:443 -> Endpoints: 10.129.0.23:8443 10.129.0.24:8443 Master 1 OpenShift Routing Layer OVS - SUBNET / Reverse Proxy

37 Project 1 Project 2 7 OVS Bridge jboss-pod 10.129.0.2:8080 lbr Node 1 VNID 50 brx OVS - MULTITENANT hrm-pod 10.129.0.23:8443 lbr VNID 60 vxlan OVS Bridge brx lbr Route: Jboss.app.redhat.com:80 -> Endpoints: 10.129.0.2:8080 10.129.0.4:8080 VNID 50 VNID 60 Route: hrm.app.redhat.com:443 -> Endpoints: 10.129.0.23:8443 10.129.0.24:8443 Master 1 OpenShift Routing Layer

38 7 NETWORK DEFENSE Define the traffic flow (TP OCP 3.5) Front end backend pods Allow backend pods to receive traffic from frontend pods

39 7 NETWORK DEFENSE - IPSEC Secure pod communications with IPsec Securing Master and Nodes Traffic encryption L3 Uses OpenShift CA Master P1 172.16.0.0/16 P2 Nodes

40 8 ATTACHED STORAGE Secure storage by using SELinux access controls Secure mounts Supplemental group IDs for shared storage

8 STORAGE ISOLATION Admin provisions storage User requests storage Claim usage 41

8 STORAGE ISOLATION Create app with storage SCC access Layer supplementalgroups fsgroup selinuxoption runasuser Check for UID/GIDfor access to shared storage? Is the pod s "file system group" ID correct for the block storage? Is the selinuxcontext user, role,type set and is this user allowed to mount it? What is the RunAsUser or MustRunAsRange? 42

43 9 API MANAGEMENT Container platform & application APIs Authentication and authorization LDAP integration End-point access controls Rate limiting

10 FEDERATED CLUSTERS (Roadmap) ROLES & ACCESS MANAGEMENT Securing federated clusters across data centers or environments Authentication and authorization API endpoints Secrets Namespaces 44 Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016

45 10 FEDERATED CLUSTERS (Roadmap) ROLES & ACCESS MANAGEMENT Ubernetes API Repl Ctrl state Kubernetes Cluster Kubernetes Cluster API API Repl Ctrl state Repl Ctrl Source: Building Globally Distributed Services using Kubernetes Cluster Federation. October 14, 2016 state

BRINGING IT ALL TOGETHER Self-Service Service Catalog (Language Runtimes, Middleware, Databases) Build Automation Deployment Automation Web & Mobile Contaner OpenShift Application Lifecycle Management (CI/CD) Data & Storage Container Orchestration & Cluster Management (kubernetes) Networking Storage Registry Logs & Metrics Infrastructure Automation & Cockpit Security Container Integration Container Enterprise Container Host Container Runtime & Packaging (Docker) Business Automation Container Atomic 46 Host Red Hat Enterprise Linux Physical Virtual Private cloud Public cloud

THANK YOU 47

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback