book

Container Security

by Liz Rice

April 2020

Intermediate to advanced

198 pages

5h 30m

English

O'Reilly Media, Inc.

Book available

Read now

Unlock full access

Who This Book Is ForWhat This Book CoversA Note about KubernetesExamplesHow to Run ContainersFeedbackConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
Risks, Threats, and MitigationsContainer Threat ModelSecurity BoundariesMultitenancyShared MachinesVirtualizationContainer MultitenancyContainer InstancesSecurity PrinciplesLeast PrivilegeDefense in DepthReducing the Attack SurfaceLimiting the Blast RadiusSegregation of DutiesApplying Security Principles with ContainersSummary
System CallsFile Permissionssetuid and setgidLinux CapabilitiesPrivilege EscalationSummary
Cgroup HierarchiesCreating CgroupsSetting Resource LimitsAssigning a Process to a CgroupDocker Using CgroupsCgroups V2Summary
Linux NamespacesIsolating the HostnameIsolating Process IDsChanging the Root DirectoryCombine Namespacing and Changing the RootMount NamespaceNetwork NamespaceUser NamespaceUser Namespace Restrictions in DockerInter-process Communications NamespaceCgroup NamespaceContainer Processes from the Host PerspectiveContainer Host MachinesSummary
Booting Up a MachineEnter the VMMType 1 VMMs, or HypervisorsType 2 VMMKernel-Based Virtual MachinesTrap-and-EmulateHandling Non-Virtualizable InstructionsProcess Isolation and SecurityDisadvantages of Virtual MachinesContainer Isolation Compared to VM IsolationSummary
Root Filesystem and Image ConfigurationOverriding Config at RuntimeOCI StandardsImage ConfigurationBuilding ImagesThe Dangers of docker buildDaemonless BuildsImage LayersStoring ImagesIdentifying ImagesImage SecurityBuild-Time SecurityProvenance of the DockerfileDockerfile Best Practices for SecurityAttacks on the Build MachineImage Storage SecurityRunning Your Own RegistrySigning ImagesImage Deployment SecurityDeploying the Right ImageMalicious Deployment DefinitionAdmission ControlGitOps and Deployment SecuritySummary
Vulnerability ResearchVulnerabilities, Patches, and DistributionsApplication-Level VulnerabilitiesVulnerability Risk ManagementVulnerability ScanningInstalled PackagesContainer Image ScanningImmutable ContainersRegular ScanningScanning ToolsSources of InformationOut-of-Date SourcesWon’t Fix VulnerabilitiesSubpackage VulnerabilitiesPackage Name DifferencesAdditional Scanning FeaturesScanner ErrorsScanning in the CI/CD PipelinePrevent Vulnerable Images from RunningZero-Day VulnerabilitiesSummary
SeccompAppArmorSELinuxgVisorKata ContainersFirecrackerUnikernelsSummary
Containers Run as Root by DefaultOverride the User IDRoot Requirement Inside ContainersRootless ContainersThe --privileged Flag and CapabilitiesMounting Sensitive DirectoriesMounting the Docker SocketSharing Namespaces Between a Container and Its HostSidecar ContainersSummary

Container FirewallsOSI Networking ModelSending an IP PacketIP Addresses for ContainersNetwork IsolationLayer 3/4 Routing and RulesiptablesIPVSNetwork PoliciesNetwork Policy SolutionsNetwork Policy Best PracticesService MeshSummary
Secure ConnectionsX.509 CertificatesPublic/Private Key PairsCertificate AuthoritiesCertificate Signing RequestsTLS ConnectionsSecure Connections Between ContainersCertificate RevocationSummary
Secret PropertiesGetting Information into a ContainerStoring the Secret in the Container ImagePassing the Secret Over the NetworkPassing Secrets in Environment VariablesPassing Secrets Through FilesKubernetes SecretsSecrets Are Accessible by RootSummary
Container Image ProfilesNetwork Traffic ProfilesExecutable ProfilesFile Access ProfilesUser ID ProfilesOther Runtime ProfilesContainer Security ToolsDrift PreventionSummary
InjectionBroken AuthenticationSensitive Data ExposureXML External EntitiesBroken Access ControlSecurity MisconfigurationCross-Site Scripting XSSInsecure DeserializationUsing Components with Known VulnerabilitiesInsufficient Logging and MonitoringSummary

Content preview from Container Security

Chapter 1. Container Security Threats

In the last few years, the use of containers has exploded. The concepts around containers existed for several years before Docker, but most observers agree that it was Docker’s easy-to-use command-line tools that started to popularize containers among the developer community from its launch in 2013.

Containers bring many advantages: as described in Docker’s original tagline, they allow you to “build once, run anywhere.” They do this by bundling together an application and all its dependencies and isolating the application from the rest of the machine it’s running on. The containerized application has everything it needs, and it is easy to package up as a container image that will run the same on my laptop and yours, or in a server in a data center.

A knock-on effect of this isolation is that you can run multiple different containers side by side without them interfering with each other. Before containers, you could easily end up with a dependency nightmare where two applications required different versions of the same packages. The easiest solution to this problem was simply to run the applications on separate machines. With containers, the dependencies are isolated from each other so it becomes straightforward to run multiple apps on the same server. People quickly realized that they could take advantage of containerization to run multiple applications on the same host (whether it’s a virtual machine or a bare-metal server) without having ...