book

Container Security

Name: Container Security
Author: Liz Rice
ISBN: 9781492056706

by Liz Rice

April 2020

Intermediate to advanced

198 pages

5h 30m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who This Book Is ForWhat This Book CoversA Note about KubernetesExamplesHow to Run ContainersFeedbackConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Container Security Threats
Risks, Threats, and MitigationsContainer Threat ModelSecurity BoundariesMultitenancyShared MachinesVirtualizationContainer MultitenancyContainer InstancesSecurity PrinciplesLeast PrivilegeDefense in DepthReducing the Attack SurfaceLimiting the Blast RadiusSegregation of DutiesApplying Security Principles with ContainersSummary
2. Linux System Calls, Permissions, and Capabilities
System CallsFile Permissionssetuid and setgidLinux CapabilitiesPrivilege EscalationSummary
3. Control Groups
Cgroup HierarchiesCreating CgroupsSetting Resource LimitsAssigning a Process to a CgroupDocker Using CgroupsCgroups V2Summary
4. Container Isolation
Linux NamespacesIsolating the HostnameIsolating Process IDsChanging the Root DirectoryCombine Namespacing and Changing the RootMount NamespaceNetwork NamespaceUser NamespaceUser Namespace Restrictions in DockerInter-process Communications NamespaceCgroup NamespaceContainer Processes from the Host PerspectiveContainer Host MachinesSummary
5. Virtual Machines
Booting Up a MachineEnter the VMMType 1 VMMs, or HypervisorsType 2 VMMKernel-Based Virtual MachinesTrap-and-EmulateHandling Non-Virtualizable InstructionsProcess Isolation and SecurityDisadvantages of Virtual MachinesContainer Isolation Compared to VM IsolationSummary
6. Container Images
Root Filesystem and Image ConfigurationOverriding Config at RuntimeOCI StandardsImage ConfigurationBuilding ImagesThe Dangers of docker buildDaemonless BuildsImage LayersStoring ImagesIdentifying ImagesImage SecurityBuild-Time SecurityProvenance of the DockerfileDockerfile Best Practices for SecurityAttacks on the Build MachineImage Storage SecurityRunning Your Own RegistrySigning ImagesImage Deployment SecurityDeploying the Right ImageMalicious Deployment DefinitionAdmission ControlGitOps and Deployment SecuritySummary
7. Software Vulnerabilities in Images
Vulnerability ResearchVulnerabilities, Patches, and DistributionsApplication-Level VulnerabilitiesVulnerability Risk ManagementVulnerability ScanningInstalled PackagesContainer Image ScanningImmutable ContainersRegular ScanningScanning ToolsSources of InformationOut-of-Date SourcesWon’t Fix VulnerabilitiesSubpackage VulnerabilitiesPackage Name DifferencesAdditional Scanning FeaturesScanner ErrorsScanning in the CI/CD PipelinePrevent Vulnerable Images from RunningZero-Day VulnerabilitiesSummary
8. Strengthening Container Isolation
SeccompAppArmorSELinuxgVisorKata ContainersFirecrackerUnikernelsSummary
9. Breaking Container Isolation
Containers Run as Root by DefaultOverride the User IDRoot Requirement Inside ContainersRootless ContainersThe --privileged Flag and CapabilitiesMounting Sensitive DirectoriesMounting the Docker SocketSharing Namespaces Between a Container and Its HostSidecar ContainersSummary

10. Container Network Security
Container FirewallsOSI Networking ModelSending an IP PacketIP Addresses for ContainersNetwork IsolationLayer 3/4 Routing and RulesiptablesIPVSNetwork PoliciesNetwork Policy SolutionsNetwork Policy Best PracticesService MeshSummary
11. Securely Connecting Components with TLS
Secure ConnectionsX.509 CertificatesPublic/Private Key PairsCertificate AuthoritiesCertificate Signing RequestsTLS ConnectionsSecure Connections Between ContainersCertificate RevocationSummary
12. Passing Secrets to Containers
Secret PropertiesGetting Information into a ContainerStoring the Secret in the Container ImagePassing the Secret Over the NetworkPassing Secrets in Environment VariablesPassing Secrets Through FilesKubernetes SecretsSecrets Are Accessible by RootSummary
13. Container Runtime Protection
Container Image ProfilesNetwork Traffic ProfilesExecutable ProfilesFile Access ProfilesUser ID ProfilesOther Runtime ProfilesContainer Security ToolsDrift PreventionSummary
14. Containers and the OWASP Top 10
InjectionBroken AuthenticationSensitive Data ExposureXML External EntitiesBroken Access ControlSecurity MisconfigurationCross-Site Scripting XSSInsecure DeserializationUsing Components with Known VulnerabilitiesInsufficient Logging and MonitoringSummary
Conclusions
Security Checklist
Index

Overview

To facilitate scalability and resilience, many organizations now run applications in cloud native environments using containers and orchestration. But how do you know if the deployment is secure? This practical book examines key underlying technologies to help developers, operators, and security professionals assess security risks and determine appropriate solutions.

Author Liz Rice, Chief Open Source Officer at Isovalent, looks at how the building blocks commonly used in container-based systems are constructed in Linux. You'll understand what's happening when you deploy containers and learn how to assess potential security risks that could affect your deployments. If you run container applications with kubectl or docker and use Linux command-line tools such as ps and grep, you're ready to get started.

Explore attack vectors that affect container deployments
Dive into the Linux constructs that underpin containers
Examine measures for hardening containers
Understand how misconfigurations can compromise container isolation
Learn best practices for building container images
Identify container images that have known software vulnerabilities
Leverage secure connections between containers
Use security tooling to prevent attacks on your deployment

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Implementing SSL/TLS Using Cryptography and PKI

Publisher Resources

ISBN: 9781492056690Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills