Published: Nov. 6, 2017, 5 a.m.
b'
Show: 14
Show Overview: Brian and Tyler talk address some of the many layers of security required in a container environment. This show will be part of a series on container and Kubernetes security. They look at security requirement in the Container Host, Container Content, Container Registry, and Software Build Processes.
\\xa0
\\xa0Show Notes and News:
Topic 1 - Let\\u2019s start at the bottom of the stack with the security needed on a container host.
- Linux namespaces - isolation\\xa0
- Linux capabilities and SECCOMP - restrict routes, ports, limiting process calls\\xa0
- SELinux (or AppArmor) - mandatory access controls\\xa0
- cGroups - resource management
Topic 2 - Next in the stack, or outside the stack, is the sources of container content.
- Trusted sources (known registries vs. public registries (e.g. DockerHub)\\xa0
- Scanning the content of containers\\xa0
- Managing the versions, patches of container content
Topic 3 - Once we have the content (applications), we need a secure place to store and access it - container registries.
- Making a registry highly-available\\xa0
- Who manages and audits the registry?\\xa0
- How to scan container within a container?\\xa0
- How to cryptographically sign images?\\xa0
- Identifying known registries\\xa0
- Process for managing the content in a registry (tagging, versioning/naming, etc)\\xa0
- Automated policies (patch management, getting new content, etc.)\\xa0
Topic 4 - Once we have secure content (building blocks) and a secure place to store the container images, we need to think about a secure supply chain of the software - the build process.
- Does a platform require containers, or can it accept code? Can it manage secure builds?\\xa0
- How to build automated triggers for builds? How to audit those triggers (webhooks, etc.)?\\xa0
- How to validate / scan / test code at different stages of a pipeline? (static analysis, dynamic analysis, etc.)\\xa0
- How to promote images to a platform? (automated, manual promotion, etc.)
Feedback?
'