All Things Open, profile picture
Uploaded byAll Things Open
PDF, PPTX206 views

Securing Applications and Pipelines on a Container Platform

The document provides a comprehensive overview of securing applications on a container platform, focusing on various aspects like container security at different stages (host, build, runtime) and the role of host OS and Linux namespaces. It discusses important security mechanisms such as SELinux for access control, Linux cgroups for resource management, and container image governance along with compliance policies. The session emphasizes best practices for container deployment, management responsibilities, and tools for scanning containers for vulnerabilities.

Technology
Related topics:
All Things Open

Embed presentation

Download as PDF, PPTX
@OpenShift RHOpenShift Securing Applications on a Container Platform Presenter: Veer Muchandi Title: Chief Architect, Container Solutions, NACS Social Handle: @VeerMuchandi Blogs: https://blog.openshift.com/author/veermuchandi/
Session Goals Considerations for Security on a Container Platform Containers - A quick look Container Security at Host Operating System Container Security at Build time Container Security at Runtime Container Platform (K8S Cluster) - Additional Security Features Application Security
Understanding Containers
Common Misunderstanding
Right Way
Can malicious containers steal info?
Can bad processes choke others?
How can processes with different technologies coexist?
Container separation ● Containers all share the same kernel ● Containers security is about controlling the access to the kernel ● Limit the ability of the container to negatively impact ○ host ○ other containers sharing host
Container Security Importance of Host OS And Windows
Linux Containers Architecture
Isolation with Linux Namespaces PID namespace The first process is pid 1 in the container. Namespace destroyed as PID exits. Cannot see/signal processes in parent pid namespace or other pid namespaces Network namespace Allows container to use separate virtual network stack, loopback device and process space veth pairs are created to add interfaces from initial network namespace to container network namespace Mount namespace Isolate the set of file system mount points. Mount sys directories as read only and nodev Each process gets its own mount table i.e. view of the filesystem UTS namespace isolate system identifiers – hostname and domain name I IPC namespace isolate certain interprocess communication (IPC) resources User namespace Allow you to specify a range of host UIDs dedicated to the container. A process can have full root privileges for operations inside the container mapped to non-root user on host.
Linux CGroups Ensures that a single container cannot exhaust a large amount of system resources CGroups allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks In a container: # ls /sys/fs/cgroup/ blkio cpu cpuacct cpuacct,cpu cpuset devices freezer hugetlb memory net_cls net_prio net_prio,net_cls perf_event pids systemd # cat /sys/fs/cgroup/cpu/cpu.shares 2 # cat /sys/fs/cgroup/memory/memory.limit_in_bytes 9223372036854771712 Device CGroups ● specify which device nodes can be used within the container ● blocks the processes from creating and using device nodes that could be used to attack the host.
14 SELinux and Type Enforcement ● Implements Mandatory Access Control ● A LABELING system ● Every process has a LABEL. Every file, directory, and system object has a LABEL ● Policy rules control access between labeled processes and labeled objects ● The kernel enforces the rules. ● Type Enforcement protects the host system from container processes All container processes run with type svirt_lxc_net_t Content within the container is labeled with type svirt_sandbox_file_t svirt_lxc_net_t ● allowed to manage any content labeled svirt_sandbox_file_t ● able to read/execute most labels under /usr on the host ● not allowed to open/write to any other labels on the system ● not allowed to read any default labels in /var, /root, /home etc
MCS protects Containers from each other Based on Multi Level Security (MLS) Container Runtime picks out unique random MCS Label s0:c1,c2 Assigns MCS Label to all content Launches the container processes with same label Container Processes can only read/write their own files - Kernel enforces this Multi Category Security (MCS) Enforcement
https://people.redhat.com/duffy/selinux/seli nux-coloring-book_A4-Stapled.pdf
17 CAP_SETPCAP CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_NET_ADMIN CAP_SYS_ADMIN Modify process capabilities Insert/Remove kernel modules Modify Kernel Memory Configure process accounting Modify Priority of processes Override Resource Limits Modify the system clock Configure tty devices Write the audit log Configure Audit Subsystem Ignore Kernel MAC Policy Configure MAC Configuration Modify Kernel printk behaviour Configure the network: Catch all - Setting the hostname/domainname - mount(),unmount() - nfsservctl - …. Linux Capabilities Kernel 2.2 divides root privileges into 32 distinct capabilities (now 37) Root user with all capabilities is all powerful!!
Drop Capabilities ● CHOWN the ability to make arbitrary changes to file UIDs and GIDs ● DAC_OVERRIDE allows root to bypass file read, write, and execute permission checks ● FOWNER ability to bypass permission checks on operations where the filesystem process UID should match file UID ● FSETID override file owner and group reqmts when setting setuid or setgid bits on a file ● KILL root owned process can send kill signals to non root processes ● SETGID and SETUID ● SETPCAP a process can change its current capability set within its bounding set ● NET_BIND_SERVICE you can bind to privileged ports (e.g., those below 1024) ● NET_RAW allows a process to spy on packets on its network ● SYS_CHROOT allows your processes to chroot into a different rootfs ● MKNOD allows your processes to create device nodes ● AUDIT_WRITE you can write a message to kernel auditing log ● SET_FCAP allows you to set file capabilities on a file system 14 Default capabilities available in a Docker Container Do really think containers need these default capabilities in production ?? A good strategy is to drop all capabilities and just add the needed ones back.. Example # podman run -d --cap-add SYS_TIME ntpd Dockerfile LABEL “io.containers.capabilities=SETUID,SETGID”
Secure Computing Mode - Seccomp Filters system calls from a container to the kernel. Uses Berkeley Packet Filter (BPF) system Children to a container process will inherit the BPF filter Provides more fine-grained control than capabilities, giving an attacker a limited number of syscalls from the container Restricted and allowed calls are arranged in profiles, pass different profiles to different containers Specify your own policy # podman run --security-opt seccomp=/path/to/custom/profile.json <container> Seccomp Filter generator: https://github.com/containers/oci-seccomp-bpf-hook
20 Read Only Mounts Linux kernel file systems have to be mounted in a container environment or processes would fail to run Fortunately, most of these file systems can be mounted as "read-only" on RHEL. /sys /proc/sys /proc/sysrg-trigger /proc/irq /proc/bus Some platforms (OpenShift) also block the ability of the privileged container processes from re-mounting the file systems as read/write
Container Build Time Security
● Red Hat Container Registry ● Policies to control who can deploy which containers ● Certification Catalog ● Trusted content with security updates HOST OS CONTAINER OS RUNTIME APP HOST OS CONTAINER OS RUNTIME APP 22 Image governance and private registries ● What security meta-data is available for your images? ● Are the images in the registry updated regularly? ● Are there access controls on the registry? How strong are they? Trusting Container Content
23 Container Health Index https://access.redhat.com/articles/2803031
Container Image Provenance ● Did the image come from a trusted source? ● Are you verifying image signatures? ● Are you signing container images? $ podman image sign --sign-by foo@bar.com --directory /tmp/signatures docker://privateregistry.example.com/foobar Example: Image signing with Podman
Private Registries Enterprise security policies may not allow your Container Images to be pushed to a registry outside. Or what if public registry (like DockerHub) is down? Caching images in Private Registry - Red Hat’s Quay - JFrog Artifactory - Docker Trusted Registry
26 Restrict Registry Sources $ oc edit images.config.openshift.io cluster spec: registrySources: blockedRegistries: - docker.io Example: Restricting Container Registries in OpenShift ● Restrict pulling images from specific registries of your choice
Container Image Management Responsibilities Operations/ Infrastructure admin - Maintain Trusted OS Base Images (RHEL, UBI) - Ensure these are good with Linux Kernel Middleware Engineers/Architects - Maintain Middleware Images - Control build process - S2I, CICD - Reference Architectures with Trusted middleware Development teams - Write code that layers on approved images - Ensure code is clean, open source software vulnerabilities are handled
Scanning Containers
Container Scanning Frequency Scan containers as soon as they are created Scan containers that get into enterprise registry Ongoing basis- Identify any new vulnerabilities
30 Scanning Containers at Creation https://www.youtube.com/watch?v=65BnTLcDAJI Git Repo Nexus Sonar Qube Quay Registry Claire scan
Scanning Tools Claire scanner with Red Hat’s Quay BlackDuck JFrog XRay Twistlock Sysdig
Additional Container Platform Security Features
Automating Security Compliance for Infrastructure OpenSCAP Compliance
3434 Policy based Governance, Risk and Compliance • Centrally set & enforce policies for security, applications, & infrastructure • Quickly visualize detailed auditing on configuration of apps and clusters • Built-in CIS compliance policies and audit checks • Immediate visibility into your compliance posture based on your defined standards Don’t have to wait for your security team to tap you on the shoulder
• – – • – – – • • …
In Kubernetes, containers in pods run with the role assigned to a special user called Service Account
38 Container Deployment Permissions with Pod Security Policies (PSP) or with Security Context Constraints (SCC)
Securing Applications (running as containers)
Microsegmentation with Network Policy Objects ● Lock everything by default ● Add Network Policies to allow specific ingress traffic
SSL at Ingress Edge termination Passthrough termination Reencrypt
Specific IP Whitelists at Ingress - Restrict access to a route to a select IP address(es) - Annotate the route with the whitelisted/allowed IP addresses - Connections from any other IPs are blocked metadata: annotations: haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11
Istio Service Mesh on OpenShift Connect, Manage, and Secure Microservices, transparently ● Intelligent Routing ● Load Balancing ● Service Resilience ● Telemetry and Reporting ● Policy Enforcement ● Content based Filtering (Layer 7) ● mTLS between services ● East-West traffic control
End to End Encryption with Istio Service mesh Uses Service Account as Identity. SPIFFE Id format spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> Mutual TLS between sidecars Istio CA - Generate cert pair and SPIFFE key for each SA - Distribute key and cert pairs - Rotate keys and certs periodically - Revoke key and cert when need
Secrets to store sensitive data kubernetesMasterConfig: apiServerArguments: experimental-encryption-provider-config: - /path/to/encryption.config
Egress IP for all traffic from a Project
Egress Firewall to Limit Access Cluster admin can limit the external addresses accessed by some or all pods from within the cluster Examples: A pod can talk to hosts (outside OpenShift cluster) but cannot connect to public internet A pod can talk to public internet, but cannot connect to hosts (outside OpenShift cluster) A pod cannot reach specific subnets/hosts
API Management SSL Secrets Connecting to external services Summary: Application Security
Questions
@OpenShift RHOpenShift Thank you!!
57 SELINUX - MAC - MCS - Process system_u:system_r:container_runtime_t:s0 SElinux Policy module for the container The OOTB SElinux policy container.te defines what you can execute and access with the label container_runtime_t [root@osemaster ~]# ps -efZ | grep docker-containerd-shim-current system_u:system_r:container_runtime_t:s0 root 3035 1479 0 Feb15 ? 00:00:01 /usr/bin/docker-containerd-shim-current 4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /var/run/docker/libcontainerd/4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /usr/libexec/docker/docker-runc-current
58 SELINUX - MAC - MCS - Files container_var_lib_t / svirt_sandbox_file_t SElinux Policy module for the container [root@osemaster ~]# ls -lZ /var/lib/docker/containers/97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737 / -rw-r-----. root root system_u:object_r:container_var_lib_t:s0 97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737-json.log -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 config.v2.json -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 hostconfig.json -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 hostname -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 hosts -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 resolv.conf -rw-r--r--. root root system_u:object_r:container_var_lib_t:s0 resolv.conf.hash drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 secrets drwx------. root root system_u:object_r:container_var_lib_t:s0 shm

More Related Content

PDF
Kubernetes in Docker
byDocker, Inc.
 
PDF
Securing Your Resources with Short-Lived Certificates!
byAll Things Open
 
PDF
Introduction to Containers: From Docker to Kubernetes and everything in-between
byAll Things Open
 
PDF
Using Docker Containers to Improve Reproducibility in Software and Web Engine...
byVincenzo Ferme
 
PDF
Containers in depth – Understanding how containers work to better work with c...
byAll Things Open
 
PDF
Kubernetes - how to orchestrate containers
byinovex GmbH
 
PDF
Containers in depth – understanding how containers work to better work with c...
byAll Things Open
 
PPTX
Open shift enterprise 3.1 paas on kubernetes
bySamuel Terburg
 
Kubernetes in Docker
byDocker, Inc.
 
Securing Your Resources with Short-Lived Certificates!
byAll Things Open
 
Introduction to Containers: From Docker to Kubernetes and everything in-between
byAll Things Open
 
Using Docker Containers to Improve Reproducibility in Software and Web Engine...
byVincenzo Ferme
 
Containers in depth – Understanding how containers work to better work with c...
byAll Things Open
 
Kubernetes - how to orchestrate containers
byinovex GmbH
 
Containers in depth – understanding how containers work to better work with c...
byAll Things Open
 
Open shift enterprise 3.1 paas on kubernetes
bySamuel Terburg
 

What's hot

PDF
Introduction of Docker and Docker Compose
byDr. Ketan Parmar
 
PDF
Docker Advanced registry usage
byDocker, Inc.
 
PDF
Journey to the devops automation with docker kubernetes and openshift
byYusuf Hadiwinata Sutandar
 
PPTX
Docker Roadshow 2016
byDocker, Inc.
 
PPTX
Enabling Production Grade Containerized Applications through Policy Based Inf...
byDocker, Inc.
 
PDF
Tupperware: Containerized Deployment at FB
byDocker, Inc.
 
PPTX
Using Docker EE to Scale Operational Intelligence at Splunk
byDocker, Inc.
 
PDF
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
bybrendandburns
 
PDF
Kubernetes laravel and kubernetes
byWilliam Stewart
 
PDF
Pluggable Infrastructure with CI/CD and Docker
byBob Killen
 
PDF
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
byDocker, Inc.
 
PPTX
DockerCon EU 2015: Nesting Containers: Real Life Observations
byDocker, Inc.
 
PPTX
Docker Meetup 08 03-2016
byDocker
 
PDF
Multi-Container Apps spanning Docker, Mesos and OpenStack
byDocker, Inc.
 
PDF
Docker Meetup - Melbourne 2015 - Kubernetes Deep Dive
byKen Thompson
 
PPTX
LlinuxKit security, Security Scanning and Notary
byDocker, Inc.
 
PDF
containerd summit - Deep Dive into containerd
byDocker, Inc.
 
PPTX
Introducing LinuxKit
byDocker, Inc.
 
PDF
Modernizing Java Apps with Docker
byDocker, Inc.
 
PDF
Back to the Future: Containerize Legacy Applications
byDocker, Inc.
 
Introduction of Docker and Docker Compose
byDr. Ketan Parmar
 
Docker Advanced registry usage
byDocker, Inc.
 
Journey to the devops automation with docker kubernetes and openshift
byYusuf Hadiwinata Sutandar
 
Docker Roadshow 2016
byDocker, Inc.
 
Enabling Production Grade Containerized Applications through Policy Based Inf...
byDocker, Inc.
 
Tupperware: Containerized Deployment at FB
byDocker, Inc.
 
Using Docker EE to Scale Operational Intelligence at Splunk
byDocker, Inc.
 
Containers, Clusters and Kubernetes - Brendan Burns - Defrag 2014
bybrendandburns
 
Kubernetes laravel and kubernetes
byWilliam Stewart
 
Pluggable Infrastructure with CI/CD and Docker
byBob Killen
 
Effective Data Pipelines with Docker & Jenkins - Brian Donaldson
byDocker, Inc.
 
DockerCon EU 2015: Nesting Containers: Real Life Observations
byDocker, Inc.
 
Docker Meetup 08 03-2016
byDocker
 
Multi-Container Apps spanning Docker, Mesos and OpenStack
byDocker, Inc.
 
Docker Meetup - Melbourne 2015 - Kubernetes Deep Dive
byKen Thompson
 
LlinuxKit security, Security Scanning and Notary
byDocker, Inc.
 
containerd summit - Deep Dive into containerd
byDocker, Inc.
 
Introducing LinuxKit
byDocker, Inc.
 
Modernizing Java Apps with Docker
byDocker, Inc.
 
Back to the Future: Containerize Legacy Applications
byDocker, Inc.
 

Similar to Securing Applications and Pipelines on a Container Platform

PDF
Securing Applications and Pipelines on a Container Platform
byAll Things Open
 
PDF
Security on a Container Platform
byAll Things Open
 
PDF
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
PDF
Docker, Linux Containers (LXC), and security
byJérôme Petazzoni
 
PPT
What You Should Know About Container Security
byAll Things Open
 
PDF
Ten layers of container security for CloudCamp Nov 2017
byGordon Haff
 
ODP
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
byDocker, Inc.
 
PDF
Container Security
bySalman Baset
 
PDF
Docker, Linux Containers, and Security: Does It Add Up?
byJérôme Petazzoni
 
PDF
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
PDF
Tokyo OpenStack Summit 2015: Unraveling Docker Security
byPhil Estes
 
PDF
Unraveling Docker Security: Lessons From a Production Cloud
bySalman Baset
 
PPTX
Container security
byAnthony Chow
 
PDF
Docker London: Container Security
byPhil Estes
 
PDF
Veer's Container Security
byJim Barlow
 
PPT
Container security
byAnthony Chow
 
PDF
Securing Containerized Applications: A Primer
byPhil Estes
 
PDF
Containers and security
bysriram_rajan
 
PDF
Docker Container: isolation and security
by宇 傅
 
PDF
Securing Containerized Applications: A Primer
byPhil Estes
 
Securing Applications and Pipelines on a Container Platform
byAll Things Open
 
Security on a Container Platform
byAll Things Open
 
How Secure Is Your Container? ContainerCon Berlin 2016
byPhil Estes
 
Docker, Linux Containers (LXC), and security
byJérôme Petazzoni
 
What You Should Know About Container Security
byAll Things Open
 
Ten layers of container security for CloudCamp Nov 2017
byGordon Haff
 
Practical Container Security by Mrunal Patel and Thomas Cameron, Red Hat
byDocker, Inc.
 
Container Security
bySalman Baset
 
Docker, Linux Containers, and Security: Does It Add Up?
byJérôme Petazzoni
 
LXC, Docker, security: is it safe to run applications in Linux Containers?
byJérôme Petazzoni
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
byPhil Estes
 
Unraveling Docker Security: Lessons From a Production Cloud
bySalman Baset
 
Container security
byAnthony Chow
 
Docker London: Container Security
byPhil Estes
 
Veer's Container Security
byJim Barlow
 
Container security
byAnthony Chow
 
Securing Containerized Applications: A Primer
byPhil Estes
 
Containers and security
bysriram_rajan
 
Docker Container: isolation and security
by宇 傅
 
Securing Containerized Applications: A Primer
byPhil Estes
 

More from All Things Open

PDF
Developing Kubernetes Integrations for the On-Premises Cloud
byAll Things Open
 
PDF
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
PDF
Supply Chain Robots, Electric Sheep, and SLSA
byAll Things Open
 
PDF
Everything You Need to Know About Running LLMs Locally
byAll Things Open
 
PDF
Authoring a GNOME Shell Extension: A Developer's Journey as an Open-Source Pr...
byAll Things Open
 
PDF
Linux Command-line Tips and Tricks - ATO 2025
byAll Things Open
 
PDF
Agentic AI, Interoperability, and Automation: Lessons from the Past, Visions ...
byAll Things Open
 
PDF
Let's Create a GitHub Copilot Extension! - Nick Taylor, Pomerium
byAll Things Open
 
PDF
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
byAll Things Open
 
PDF
Incorporating AI Into Your SDLC: Leveraging AI tooling across the phases of y...
byAll Things Open
 
PPTX
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
PDF
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
byAll Things Open
 
PDF
With AIs Wide Open… - All Things Open 2025
byAll Things Open
 
PDF
Unconventional Backgrounds: The Secret Sauce of Diversity
byAll Things Open
 
PPTX
What If the Quietest Person is the Smartest in the Room?
byAll Things Open
 
PPTX
Big Data on a Small Budget: Scalable Data Visualization for the Rest of Us - ...
byAll Things Open
 
PDF
ERG as a Bridge: Driving Inclusion in Open Source
byAll Things Open
 
PDF
Tech Hiring Is Not Dead - You Just Actually Have To Try
byAll Things Open
 
PDF
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
PDF
The Missing Link to Inclusion and Performance
byAll Things Open
 
Developing Kubernetes Integrations for the On-Premises Cloud
byAll Things Open
 
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
Supply Chain Robots, Electric Sheep, and SLSA
byAll Things Open
 
Everything You Need to Know About Running LLMs Locally
byAll Things Open
 
Authoring a GNOME Shell Extension: A Developer's Journey as an Open-Source Pr...
byAll Things Open
 
Linux Command-line Tips and Tricks - ATO 2025
byAll Things Open
 
Agentic AI, Interoperability, and Automation: Lessons from the Past, Visions ...
byAll Things Open
 
Let's Create a GitHub Copilot Extension! - Nick Taylor, Pomerium
byAll Things Open
 
AI 3-in-1: Agents, RAG, and Local Models - Brent Laster
byAll Things Open
 
Incorporating AI Into Your SDLC: Leveraging AI tooling across the phases of y...
byAll Things Open
 
AI and Linux in 2025 - Jay LaCroix, Learn Linux TV
byAll Things Open
 
Agentic AI for Developers and Data Scientists Build an AI Agent in 10 Lines o...
byAll Things Open
 
With AIs Wide Open… - All Things Open 2025
byAll Things Open
 
Unconventional Backgrounds: The Secret Sauce of Diversity
byAll Things Open
 
What If the Quietest Person is the Smartest in the Room?
byAll Things Open
 
Big Data on a Small Budget: Scalable Data Visualization for the Rest of Us - ...
byAll Things Open
 
ERG as a Bridge: Driving Inclusion in Open Source
byAll Things Open
 
Tech Hiring Is Not Dead - You Just Actually Have To Try
byAll Things Open
 
Keynote: X-rAI Specs, Submarines and Juice
byAll Things Open
 
The Missing Link to Inclusion and Performance
byAll Things Open
 

Recently uploaded

PDF
Access Network Attached Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
PDF
The Future of Database Diagnostics is a Conversation with Oracle AHF Fleet In...
bySandesh Rao
 
PDF
Tune System Performance - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
PDF
Infuse Intelligence Into your App with Foundry Local
byNilesh Gule
 
PDF
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
PDF
What's Driving Growth in the Video Surveillance Market 2025?
byMemoori
 
PPTX
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
PPTX
Discover - Assemble - and Gain Insights into your Content with SharePoint Con...
byDrew Madelung
 
PPTX
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
PPTX
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
PDF
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
PDF
Getting started with Agent Framework.pdf
byNilesh Gule
 
PDF
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
PDF
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
PDF
Agile Trailblazers (Scrum Masters, Product Owners, Coaches, Project Managers,...
byScott M. Graffius
 
PPTX
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
PDF
Why B2B SaaS Firms Should Invest in Data Appending for Marketing List Upgrades
byAndrew Leo
 
PDF
Digital Garage Certification - Google - Viktor Huszag - Online Marketing Fund...
byViktor Huszag
 
Access Network Attached Storage in RHEL - RHCSA (RH134).pdf
byLinuxCert Guru
 
Open Source SecurityCon 2025 in Atlanta - Transparency Exchange API: Where To...
byPavel Shukhman
 
The Future of Database Diagnostics is a Conversation with Oracle AHF Fleet In...
bySandesh Rao
 
Tune System Performance - RHCSA (RH134).pdf
byLinuxCert Guru
 
Automating ArcGIS Enterprise Compliance for Operational Excellence
bySafe Software
 
Infuse Intelligence Into your App with Foundry Local
byNilesh Gule
 
Unveiling the Basics of Agentic AI - OSUG Mumbai
bythesubuiyer
 
What's Driving Growth in the Video Surveillance Market 2025?
byMemoori
 
Governance, Deployment & Methodologies for Agentic Automation [2/3]
bysuhanisingh58689
 
Discover - Assemble - and Gain Insights into your Content with SharePoint Con...
byDrew Madelung
 
Standardising and simplifying systems and data management - Esri UK Welsh Con...
byEsri UK
 
Opening Plenary - Esri UK Welsh Conference 2025
byEsri UK
 
Case Study: How LKQ Corporation Improved Training Efficiency & Delivery
byRustici Software
 
Getting started with Agent Framework.pdf
byNilesh Gule
 
#MakeAIMatter for HR Professionals | AI Transformation Workshop by Tekdi Tech...
byParth Lawate
 
The Accel 2025 Globalscape: Race for compute
byPhilippe Botteri
 
Agile Trailblazers (Scrum Masters, Product Owners, Coaches, Project Managers,...
byScott M. Graffius
 
Bulwark Pokemon League Top 8 graphic archive
byGc Howard
 
Why B2B SaaS Firms Should Invest in Data Appending for Marketing List Upgrades
byAndrew Leo
 
Digital Garage Certification - Google - Viktor Huszag - Online Marketing Fund...
byViktor Huszag
 

Securing Applications and Pipelines on a Container Platform

  • 1.
    @OpenShift RHOpenShift Securing Applications ona Container Platform Presenter: Veer Muchandi Title: Chief Architect, Container Solutions, NACS Social Handle: @VeerMuchandi Blogs: https://blog.openshift.com/author/veermuchandi/
  • 2.
    Session Goals Considerations forSecurity on a Container Platform Containers - A quick look Container Security at Host Operating System Container Security at Build time Container Security at Runtime Container Platform (K8S Cluster) - Additional Security Features Application Security
  • 3.
  • 4.
  • 5.
  • 6.
  • 7.
    Can bad processeschoke others?
  • 8.
    How can processeswith different technologies coexist?
  • 9.
    Container separation ● Containersall share the same kernel ● Containers security is about controlling the access to the kernel ● Limit the ability of the container to negatively impact ○ host ○ other containers sharing host
  • 10.
  • 11.
  • 12.
    Isolation with LinuxNamespaces PID namespace The first process is pid 1 in the container. Namespace destroyed as PID exits. Cannot see/signal processes in parent pid namespace or other pid namespaces Network namespace Allows container to use separate virtual network stack, loopback device and process space veth pairs are created to add interfaces from initial network namespace to container network namespace Mount namespace Isolate the set of file system mount points. Mount sys directories as read only and nodev Each process gets its own mount table i.e. view of the filesystem UTS namespace isolate system identifiers – hostname and domain name I IPC namespace isolate certain interprocess communication (IPC) resources User namespace Allow you to specify a range of host UIDs dedicated to the container. A process can have full root privileges for operations inside the container mapped to non-root user on host.
  • 13.
    Linux CGroups Ensures thata single container cannot exhaust a large amount of system resources CGroups allocate CPU time, system memory, network bandwidth, or combinations of these among user-defined groups of tasks In a container: # ls /sys/fs/cgroup/ blkio cpu cpuacct cpuacct,cpu cpuset devices freezer hugetlb memory net_cls net_prio net_prio,net_cls perf_event pids systemd # cat /sys/fs/cgroup/cpu/cpu.shares 2 # cat /sys/fs/cgroup/memory/memory.limit_in_bytes 9223372036854771712 Device CGroups ● specify which device nodes can be used within the container ● blocks the processes from creating and using device nodes that could be used to attack the host.
  • 14.
    14 SELinux and TypeEnforcement ● Implements Mandatory Access Control ● A LABELING system ● Every process has a LABEL. Every file, directory, and system object has a LABEL ● Policy rules control access between labeled processes and labeled objects ● The kernel enforces the rules. ● Type Enforcement protects the host system from container processes All container processes run with type svirt_lxc_net_t Content within the container is labeled with type svirt_sandbox_file_t svirt_lxc_net_t ● allowed to manage any content labeled svirt_sandbox_file_t ● able to read/execute most labels under /usr on the host ● not allowed to open/write to any other labels on the system ● not allowed to read any default labels in /var, /root, /home etc
  • 15.
    MCS protects Containersfrom each other Based on Multi Level Security (MLS) Container Runtime picks out unique random MCS Label s0:c1,c2 Assigns MCS Label to all content Launches the container processes with same label Container Processes can only read/write their own files - Kernel enforces this Multi Category Security (MCS) Enforcement
  • 16.
  • 17.
    17 CAP_SETPCAP CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_PACCT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG CAP_NET_ADMIN CAP_SYS_ADMIN Modify process capabilities Insert/Removekernel modules Modify Kernel Memory Configure process accounting Modify Priority of processes Override Resource Limits Modify the system clock Configure tty devices Write the audit log Configure Audit Subsystem Ignore Kernel MAC Policy Configure MAC Configuration Modify Kernel printk behaviour Configure the network: Catch all - Setting the hostname/domainname - mount(),unmount() - nfsservctl - …. Linux Capabilities Kernel 2.2 divides root privileges into 32 distinct capabilities (now 37) Root user with all capabilities is all powerful!!
  • 18.
    Drop Capabilities ● CHOWNthe ability to make arbitrary changes to file UIDs and GIDs ● DAC_OVERRIDE allows root to bypass file read, write, and execute permission checks ● FOWNER ability to bypass permission checks on operations where the filesystem process UID should match file UID ● FSETID override file owner and group reqmts when setting setuid or setgid bits on a file ● KILL root owned process can send kill signals to non root processes ● SETGID and SETUID ● SETPCAP a process can change its current capability set within its bounding set ● NET_BIND_SERVICE you can bind to privileged ports (e.g., those below 1024) ● NET_RAW allows a process to spy on packets on its network ● SYS_CHROOT allows your processes to chroot into a different rootfs ● MKNOD allows your processes to create device nodes ● AUDIT_WRITE you can write a message to kernel auditing log ● SET_FCAP allows you to set file capabilities on a file system 14 Default capabilities available in a Docker Container Do really think containers need these default capabilities in production ?? A good strategy is to drop all capabilities and just add the needed ones back.. Example # podman run -d --cap-add SYS_TIME ntpd Dockerfile LABEL “io.containers.capabilities=SETUID,SETGID”
  • 19.
    Secure Computing Mode- Seccomp Filters system calls from a container to the kernel. Uses Berkeley Packet Filter (BPF) system Children to a container process will inherit the BPF filter Provides more fine-grained control than capabilities, giving an attacker a limited number of syscalls from the container Restricted and allowed calls are arranged in profiles, pass different profiles to different containers Specify your own policy # podman run --security-opt seccomp=/path/to/custom/profile.json <container> Seccomp Filter generator: https://github.com/containers/oci-seccomp-bpf-hook
  • 20.
    20 Read Only Mounts Linuxkernel file systems have to be mounted in a container environment or processes would fail to run Fortunately, most of these file systems can be mounted as "read-only" on RHEL. /sys /proc/sys /proc/sysrg-trigger /proc/irq /proc/bus Some platforms (OpenShift) also block the ability of the privileged container processes from re-mounting the file systems as read/write
  • 21.
  • 22.
    ● Red HatContainer Registry ● Policies to control who can deploy which containers ● Certification Catalog ● Trusted content with security updates HOST OS CONTAINER OS RUNTIME APP HOST OS CONTAINER OS RUNTIME APP 22 Image governance and private registries ● What security meta-data is available for your images? ● Are the images in the registry updated regularly? ● Are there access controls on the registry? How strong are they? Trusting Container Content
  • 23.
  • 24.
    Container Image Provenance ●Did the image come from a trusted source? ● Are you verifying image signatures? ● Are you signing container images? $ podman image sign --sign-by [email protected] --directory /tmp/signatures docker://privateregistry.example.com/foobar Example: Image signing with Podman
  • 25.
    Private Registries Enterprise securitypolicies may not allow your Container Images to be pushed to a registry outside. Or what if public registry (like DockerHub) is down? Caching images in Private Registry - Red Hat’s Quay - JFrog Artifactory - Docker Trusted Registry
  • 26.
    26 Restrict Registry Sources $oc edit images.config.openshift.io cluster spec: registrySources: blockedRegistries: - docker.io Example: Restricting Container Registries in OpenShift ● Restrict pulling images from specific registries of your choice
  • 27.
    Container Image ManagementResponsibilities Operations/ Infrastructure admin - Maintain Trusted OS Base Images (RHEL, UBI) - Ensure these are good with Linux Kernel Middleware Engineers/Architects - Maintain Middleware Images - Control build process - S2I, CICD - Reference Architectures with Trusted middleware Development teams - Write code that layers on approved images - Ensure code is clean, open source software vulnerabilities are handled
  • 28.
  • 29.
    Container Scanning Frequency Scan containersas soon as they are created Scan containers that get into enterprise registry Ongoing basis- Identify any new vulnerabilities
  • 30.
    30 Scanning Containers atCreation https://www.youtube.com/watch?v=65BnTLcDAJI Git Repo Nexus Sonar Qube Quay Registry Claire scan
  • 31.
    Scanning Tools Claire scannerwith Red Hat’s Quay BlackDuck JFrog XRay Twistlock Sysdig
  • 32.
  • 33.
    Automating Security Compliancefor Infrastructure OpenSCAP Compliance
  • 34.
    3434 Policy based Governance,Risk and Compliance • Centrally set & enforce policies for security, applications, & infrastructure • Quickly visualize detailed auditing on configuration of apps and clusters • Built-in CIS compliance policies and audit checks • Immediate visibility into your compliance posture based on your defined standards Don’t have to wait for your security team to tap you on the shoulder
  • 35.
  • 37.
    In Kubernetes, containersin pods run with the role assigned to a special user called Service Account
  • 38.
    38 Container Deployment Permissionswith Pod Security Policies (PSP) or with Security Context Constraints (SCC)
  • 39.
  • 40.
    Microsegmentation with NetworkPolicy Objects ● Lock everything by default ● Add Network Policies to allow specific ingress traffic
  • 41.
    SSL at Ingress Edgetermination Passthrough termination Reencrypt
  • 42.
    Specific IP Whitelistsat Ingress - Restrict access to a route to a select IP address(es) - Annotate the route with the whitelisted/allowed IP addresses - Connections from any other IPs are blocked metadata: annotations: haproxy.router.openshift.io/ip_whitelist: 192.168.1.10 192.168.1.11
  • 43.
    Istio Service Meshon OpenShift Connect, Manage, and Secure Microservices, transparently ● Intelligent Routing ● Load Balancing ● Service Resilience ● Telemetry and Reporting ● Policy Enforcement ● Content based Filtering (Layer 7) ● mTLS between services ● East-West traffic control
  • 44.
    End to EndEncryption with Istio Service mesh Uses Service Account as Identity. SPIFFE Id format spiffe://<domain>/ns/<namespace>/sa/<serviceaccount> Mutual TLS between sidecars Istio CA - Generate cert pair and SPIFFE key for each SA - Distribute key and cert pairs - Rotate keys and certs periodically - Revoke key and cert when need
  • 45.
    Secrets to storesensitive data kubernetesMasterConfig: apiServerArguments: experimental-encryption-provider-config: - /path/to/encryption.config
  • 46.
    Egress IP forall traffic from a Project
  • 47.
    Egress Firewall toLimit Access Cluster admin can limit the external addresses accessed by some or all pods from within the cluster Examples: A pod can talk to hosts (outside OpenShift cluster) but cannot connect to public internet A pod can talk to public internet, but cannot connect to hosts (outside OpenShift cluster) A pod cannot reach specific subnets/hosts
  • 48.
    API Management SSL Secrets Connecting toexternal services Summary: Application Security
  • 49.
  • 50.
  • 57.
    57 SELINUX - MAC- MCS - Process system_u:system_r:container_runtime_t:s0 SElinux Policy module for the container The OOTB SElinux policy container.te defines what you can execute and access with the label container_runtime_t [root@osemaster ~]# ps -efZ | grep docker-containerd-shim-current system_u:system_r:container_runtime_t:s0 root 3035 1479 0 Feb15 ? 00:00:01 /usr/bin/docker-containerd-shim-current 4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /var/run/docker/libcontainerd/4d254785cbc6ee7aae8facc48555251e2385f65d89553b319b6324b1501e4b16 /usr/libexec/docker/docker-runc-current
  • 58.
    58 SELINUX - MAC- MCS - Files container_var_lib_t / svirt_sandbox_file_t SElinux Policy module for the container [root@osemaster ~]# ls -lZ /var/lib/docker/containers/97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737 / -rw-r-----. root root system_u:object_r:container_var_lib_t:s0 97de4217a04b6532e312cfb3e4638529aeb7dfa281a2cc067e092fcee82e6737-json.log -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 config.v2.json -rw-rw-rw-. root root system_u:object_r:container_var_lib_t:s0 hostconfig.json -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 hostname -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 hosts -rw-r--r--. root root system_u:object_r:svirt_sandbox_file_t:s0 resolv.conf -rw-r--r--. root root system_u:object_r:container_var_lib_t:s0 resolv.conf.hash drwxr-xr-x. root root system_u:object_r:svirt_sandbox_file_t:s0:c0,c1 secrets drwx------. root root system_u:object_r:container_var_lib_t:s0 shm