Container Security

Book Description

To facilitate scalability and resilience, many organizations now run applications in cloud native environments using containers and orchestration. But how do you know if the deployment is secure? This practical book examines key underlying technologies to help developers, operators, and security professionals assess security risks and determine appropriate solutions.

Author Liz Rice, VP of open source engineering at Aqua Security, looks at how the building blocks commonly used in container-based systems are constructed in Linux. You’ll understand what’s happening when you deploy containers and learn how to assess potential security risks that could affect your deployments. If you run container applications with kubectl or docker and use Linux command-line tools such as ps and grep, you’re ready to get started.

  • Explore attack vectors that affect container deployments
  • Dive into the Linux constructs that underpin containers
  • Examine measures for hardening containers
  • Understand how misconfigurations can compromise container isolation
  • Learn best practices for building container images
  • Identify container images that have known software vulnerabilities
  • Leverage secure connections between containers
  • Use security tooling to prevent attacks on your deployment

Publisher Resources

View/Submit Errata

Table of Contents

  1. Preface
    1. Who This Book Is For
    2. What This Book Covers
    3. A Note about Kubernetes
    4. Examples
    5. How to Run Containers
    6. Feedback
    7. Conventions Used in This Book
    8. Using Code Examples
    9. O’Reilly Online Learning
    10. How to Contact Us
    11. Acknowledgments
  2. 1. Container Security Threats
    1. Risks, Threats, and Mitigations
    2. Container Threat Model
    3. Security Boundaries
    4. Multitenancy
      1. Shared Machines
      2. Virtualization
      3. Container Multitenancy
      4. Container Instances
    5. Security Principles
      1. Least Privilege
      2. Defense in Depth
      3. Reducing the Attack Surface
      4. Limiting the Blast Radius
      5. Segregation of Duties
      6. Applying Security Principles with Containers
    6. Summary
  3. 2. Linux System Calls, Permissions, and Capabilities
    1. System Calls
    2. File Permissions
      1. setuid and setgid
    3. Linux Capabilities
    4. Privilege Escalation
    5. Summary
  4. 3. Control Groups
    1. Cgroup Hierarchies
    2. Creating Cgroups
    3. Setting Resource Limits
    4. Assigning a Process to a Cgroup
    5. Docker Using Cgroups
    6. Cgroups V2
    7. Summary
  5. 4. Container Isolation
    1. Linux Namespaces
    2. Isolating the Hostname
    3. Isolating Process IDs
    4. Changing the Root Directory
    5. Combine Namespacing and Changing the Root
    6. Mount Namespace
    7. Network Namespace
    8. User Namespace
      1. User Namespace Restrictions in Docker
    9. Inter-process Communications Namespace
    10. Cgroup Namespace
    11. Container Processes from the Host Perspective
    12. Container Host Machines
    13. Summary
  6. 5. Virtual Machines
    1. Booting Up a Machine
    2. Enter the VMM
      1. Type 1 VMMs, or Hypervisors
      2. Type 2 VMM
      3. Kernel-Based Virtual Machines
    3. Trap-and-Emulate
    4. Handling Non-Virtualizable Instructions
    5. Process Isolation and Security
    6. Disadvantages of Virtual Machines
    7. Container Isolation Compared to VM Isolation
    8. Summary
  7. 6. Container Images
    1. Root Filesystem and Image Configuration
    2. Overriding Config at Runtime
    3. OCI Standards
    4. Image Configuration
    5. Building Images
      1. The Dangers of docker build
      2. Daemonless Builds
      3. Image Layers
    6. Storing Images
    7. Identifying Images
    8. Image Security
    9. Build-Time Security
      1. Provenance of the Dockerfile
      2. Dockerfile Best Practices for Security
      3. Attacks on the Build Machine
    10. Image Storage Security
      1. Running Your Own Registry
      2. Signing Images
    11. Image Deployment Security
      1. Deploying the Right Image
      2. Malicious Deployment Definition
      3. Admission Control
    12. GitOps and Deployment Security
    13. Summary
  8. 7. Software Vulnerabilities in Images
    1. Vulnerability Research
    2. Vulnerabilities, Patches, and Distributions
    3. Application-Level Vulnerabilities
    4. Vulnerability Risk Management
    5. Vulnerability Scanning
    6. Installed Packages
    7. Container Image Scanning
      1. Immutable Containers
      2. Regular Scanning
    8. Scanning Tools
      1. Sources of Information
      2. Out-of-Date Sources
      3. Won’t Fix Vulnerabilities
      4. Subpackage Vulnerabilities
      5. Package Name Differences
      6. Additional Scanning Features
      7. Scanner Errors
    9. Scanning in the CI/CD Pipeline
    10. Prevent Vulnerable Images from Running
    11. Zero-Day Vulnerabilities
    12. Summary
  9. 8. Strengthening Container Isolation
    1. Seccomp
    2. AppArmor
    3. SELinux
    4. gVisor
    5. Kata Containers
    6. Firecracker
    7. Unikernels
    8. Summary
  10. 9. Breaking Container Isolation
    1. Containers Run as Root by Default
      1. Override the User ID
      2. Root Requirement Inside Containers
      3. Rootless Containers
    2. The --privileged Flag and Capabilities
    3. Mounting Sensitive Directories
    4. Mounting the Docker Socket
    5. Sharing Namespaces Between a Container and Its Host
    6. Sidecar Containers
    7. Summary
  11. 10. Container Network Security
    1. Container Firewalls
    2. OSI Networking Model
    3. Sending an IP Packet
    4. IP Addresses for Containers
    5. Network Isolation
    6. Layer 3/4 Routing and Rules
      1. iptables
      2. IPVS
    7. Network Policies
      1. Network Policy Solutions
      2. Network Policy Best Practices
    8. Service Mesh
    9. Summary
  12. 11. Securely Connecting Components with TLS
    1. Secure Connections
    2. X.509 Certificates
      1. Public/Private Key Pairs
      2. Certificate Authorities
      3. Certificate Signing Requests
    3. TLS Connections
    4. Secure Connections Between Containers
    5. Certificate Revocation
    6. Summary
  13. 12. Passing Secrets to Containers
    1. Secret Properties
    2. Getting Information into a Container
      1. Storing the Secret in the Container Image
      2. Passing the Secret Over the Network
      3. Passing Secrets in Environment Variables
      4. Passing Secrets Through Files
    3. Kubernetes Secrets
    4. Secrets Are Accessible by Root
    5. Summary
  14. 13. Container Runtime Protection
    1. Container Image Profiles
      1. Network Traffic Profiles
      2. Executable Profiles
      3. File Access Profiles
      4. User ID Profiles
      5. Other Runtime Profiles
      6. Container Security Tools
    2. Drift Prevention
    3. Summary
  15. 14. Containers and the OWASP Top 10
    1. Injection
    2. Broken Authentication
    3. Sensitive Data Exposure
    4. XML External Entities
    5. Broken Access Control
    6. Security Misconfiguration
    7. Cross-Site Scripting XSS
    8. Insecure Deserialization
    9. Using Components with Known Vulnerabilities
    10. Insufficient Logging and Monitoring
    11. Summary
  16. Conclusions
  17. Security Checklist
  18. Index

Product Information

  • Title: Container Security
  • Author(s): Liz Rice
  • Release date: April 2020
  • Publisher(s): O'Reilly Media, Inc.
  • ISBN: 9781492056706