Living in a Secure Container Down by the River

YouTube videos curated by Class Central.

Classroom Contents
  1. Living in a Secure Container, Down by the River
  2. In the Beginning
  3. Spoiler: Containers Aren't Sandboxes
  4. Isolating Container Workloads, IRL
  5. The Gateway Drug
  6. Container Isolation Models: via cgroups & namespaces (Docker, rkt, LXC)
  7. Open Container Initiative (OCI) Spec: defines image and runtime attributes
  8. Control Groups & Namespaces: by UID, GID, PID
  9. gVisor: user-space kernel
  10. Kata Containers + Hypervisor: previously Intel Clear Containers. The container runtime executes within a true hypervisor, providing an extra layer of isolation between the container and the host OS.
  11. Implementation Flaw, Account Reuse: by default, K8s uses the namespace's `default` service account if you don't define one for your pod.
  12. Network Policies: this is often a good problem to solve at the orchestration layer. Restrict egress traffic by default and whitelist exceptions.
  13. Leveraging Good Design Patterns
  14. No New Privileges: introduced in Linux 3.5, uses the `no_new_privs` kernel flag
  15. Read-Only Containers: prevents writing to the root filesystem, reducing an attacker's ability to modify files and/or elevate privileges
  16. Building Policies: how many of your Java developers understand SELinux?
  17. Conclusion: container isolation goes beyond the runtimes themselves
