Class Central Classrooms beta
YouTube videos curated by Class Central.
Classroom Contents
Living in a Secure Container Down by the River
- 1 Living in a Secure Container, Down
- 2 In the Beginning
- 3 Spoiler: Containers Aren't Sandboxes
- 4 Isolating Container Workloads, IRL
- 5 The Gateway Drug
- 6 Container Isolation Models: via cgroups & namespaces (Docker, rkt, LXC)
- 7 Open Container Initiative (OCI) Spec: defines image and runtime attributes
- 8 Control Groups & Namespaces: by UID, GID, PID
- 9 gVisor: user-space kernel
- 10 Kata Containers + Hypervisor: previously Intel Clear Containers. The container runtime executes within a true hypervisor, providing an extra layer of isolation between the container and the host OS.
- 11 Implementation Flaw - Account Reuse: by default, K8s uses the namespace's default service account if you don't define one for your pod.
- 12 Network Policies: this is often a good problem to solve at the orchestration layer. Restrict egress traffic by default and whitelist exceptions.
- 13 Leveraging Good Design Patterns
- 14 No New Privileges: introduced in Linux 3.5, uses the no_new_privs kernel flag
- 15 Read-Only Containers: prevents writing to the root filesystem, reducing an attacker's ability to modify files and/or elevate privileges
- 16 Building Policies: how many of your Java developers understand SELinux?
- 17 Conclusion: container isolation goes beyond the runtimes themselves