Spoiler: Containers Aren't Sandboxes
Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Living in a Secure Container Down by the River
- 1 Living in a Secure Container, Down by the River
- 2 In the Beginning
- 3 Spoiler: Containers Aren't Sandboxes
- 4 Isolating Container Workloads, IRL
- 5 The Gateway Drug
- 6 Container Isolation Models: via cgroups & namespaces (Docker, rkt, LXC)
- 7 Open Container Initiative (OCI) Spec: defines image and runtime attributes
- 8 Control Groups & Namespaces: by UID, GID, PID
- 9 gVisor: user-space kernel
- 10 Kata Containers + Hypervisor: previously Intel Clear Containers. The container runtime executes within a true hypervisor, providing an extra layer of isolation between the container and the host OS.
- 11 Implementation Flaw - Account Reuse: by default, K8s uses the namespace's default service account if you don't define one for your pod.
- 12 Network Policies: this is often a good problem to solve at the orchestration layer. Restrict egress traffic by default and whitelist exceptions.
- 13 Leveraging Good Design Patterns
- 14 No New Privileges: introduced in Linux 3.5, uses the no_new_privs kernel flag
- 15 Read-Only Containers: prevents writing to the root filesystem, reducing an attacker's ability to modify files and/or elevate privileges
- 16 Building Policies: how many of your Java developers understand SELinux?
- 17 Conclusion: container isolation goes beyond the runtimes themselves