2018-014- Container Security with Jay Beale

1:05:30

Container security

Jay Beale (@inguardians, @jaybeale)

Containers

  • What the heck is a container?
    • Linux distribution with a kernel
      • Containers run on top of that, sharing the kernel, but not the filesystem
    • Namespaces
      • Mount
      • Network
      • Hostname
      • PID
      • IPC
      • Users
  • Somebody said we’ve had containers since before Docker
    • Containers started in 2005, with OpenVZ
    • Docker was 2013, Kubernetes 2014
  • Image Security
    • CoreOS Clair for vuln scanning images
    • Public repos vs private
    • Don’t keep the image running for so long?
    • Don’t run as root
  • More Containment stuff
    • Non-privileged containers
    • Remap the users, so root in container isn’t root outside
    • Drop root capabilities
    • Seccomp for kernel syscalls
    • AppArmor or SELinux
  • All of the above is about Docker; what about Kubernetes?
    • Get onto the most recent version of K8s; 1.7 and 1.8 brought big security improvements
    • Network policy (egress firewalls)
    • RBAC (define which users and service accounts can do what)
    • Use namespaces per tenant and think hard about multi-tenancy
    • Use the CIS guides for lockdown of K8S and the host
    • Kube-bench
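As an added example (not from the episode or its speaker), a Kubernetes manifest that applies the controls from the two lists above in one place: the Pod securityContext covers the containment bullets (non-root, no privilege escalation, dropped capabilities, a seccomp profile) and the NetworkPolicy is the egress firewall for one tenant namespace. Field names follow current Kubernetes (the seccompProfile field and the automatic kubernetes.io/metadata.name namespace label are newer than the 1.7/1.8 releases mentioned), and the image, namespace and object names are placeholders.

```yaml
# Hardened pod in a per-tenant namespace (constructed example, placeholder names).
apiVersion: v1
kind: Pod
metadata:
  name: web
  namespace: tenant-a                  # one namespace per tenant
spec:
  automountServiceAccountToken: false  # no API credentials unless the app needs them
  securityContext:
    runAsNonRoot: true                 # kubelet refuses to start the container as UID 0
    runAsUser: 10001                   # unprivileged UID inside the container
    seccompProfile:
      type: RuntimeDefault             # container runtime's default syscall filter
  containers:
  - name: web
    image: registry.internal.example/web:1.0.3   # private registry, pinned tag (placeholder)
    securityContext:
      allowPrivilegeEscalation: false  # setuid binaries cannot regain privileges
      readOnlyRootFilesystem: true     # writes go to explicit volumes, not the image
      capabilities:
        drop: ["ALL"]                  # drop every root capability; add back only what is needed
    ports:
    - containerPort: 8080              # unprivileged port, so no NET_BIND_SERVICE required
---
# Egress firewall: pods in tenant-a may reach only each other and cluster DNS.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: restrict-egress
  namespace: tenant-a
spec:
  podSelector: {}                      # applies to every pod in the namespace
  policyTypes: ["Egress"]
  egress:
  - to:
    - podSelector: {}                  # same-namespace pods only
  - to:
    - namespaceSelector:
        matchLabels:
          kubernetes.io/metadata.name: kube-system
    ports:
    - protocol: UDP
      port: 53                         # cluster DNS
```

A NetworkPolicy is only enforced if the cluster's network plugin supports it; check that before relying on the egress rule.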

Difference between containers and sandboxing

Roll your own -

Containers

Using public registries leaves you vulnerable

Use your own private repos for deploying containers

Reduce attack surface

Reduce user access

Automation will allow more security to get baked in.

https://www.infoworld.com/article/3104030/security/5-keys-to-docker-container-security.html

https://blog.blackducksoftware.com/8-takeaways-nist-application-container-security-guide

https://www.vagrantup.com/downloads.html

https://www.vmware.com/products/thinapp.html

https://www.meetup.com/SEASec-East/events/249983387/

S3 buckets / Azure Blobs

https://docs.microsoft.com/en-us/azure/architecture/aws-professional/services

https://docs.aws.amazon.com/config/latest/developerguide/s3-bucket-policy.html

Join our #Slack Channel! Email us at bds.podcast@gmail.com

or DM us on Twitter @brakesec

#Spotify: https://brakesec.com/spotifyBDS

#RSS: https://brakesec.com/BrakesecRSS

#Youtube Channel: http://www.youtube.com/c/BDSPodcast

#iTunes Store Link: https://brakesec.com/BDSiTunes

#Google Play Store: https://brakesec.com/BDS-GooglePlay

Our main site: https://brakesec.com/bdswebsite

#iHeartRadio App: https://brakesec.com/iHeartBrakesec

#SoundCloud: https://brakesec.com/SoundcloudBrakesec

Comments, Questions, Feedback: bds.podcast@gmail.com

Support Brakeing Down Security Podcast by using our #Paypal: https://brakesec.com/PaypalBDS OR our #Patreon

https://brakesec.com/BDSPatreon

#Twitter: @brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM : https://brakesec.com/BDS-PlayerFM

#Stitcher Network: https://brakesec.com/BrakeSecStitcher

#TuneIn Radio App: https://brakesec.com/TuneInBrakesec
