book

Container Security

Name: Container Security
Author: Liz Rice
ISBN: 9781492056706

by Liz Rice

April 2020

Intermediate to advanced

198 pages

5h 30m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Who This Book Is ForWhat This Book CoversA Note about KubernetesExamplesHow to Run ContainersFeedbackConventions Used in This BookUsing Code ExamplesO’Reilly Online LearningHow to Contact UsAcknowledgments
1. Container Security Threats
Risks, Threats, and MitigationsContainer Threat ModelSecurity BoundariesMultitenancyShared MachinesVirtualizationContainer MultitenancyContainer InstancesSecurity PrinciplesLeast PrivilegeDefense in DepthReducing the Attack SurfaceLimiting the Blast RadiusSegregation of DutiesApplying Security Principles with ContainersSummary
2. Linux System Calls, Permissions, and Capabilities
System CallsFile Permissionssetuid and setgidLinux CapabilitiesPrivilege EscalationSummary
3. Control Groups
Cgroup HierarchiesCreating CgroupsSetting Resource LimitsAssigning a Process to a CgroupDocker Using CgroupsCgroups V2Summary
4. Container Isolation
Linux NamespacesIsolating the HostnameIsolating Process IDsChanging the Root DirectoryCombine Namespacing and Changing the RootMount NamespaceNetwork NamespaceUser NamespaceUser Namespace Restrictions in DockerInter-process Communications NamespaceCgroup NamespaceContainer Processes from the Host PerspectiveContainer Host MachinesSummary
5. Virtual Machines
Booting Up a MachineEnter the VMMType 1 VMMs, or HypervisorsType 2 VMMKernel-Based Virtual MachinesTrap-and-EmulateHandling Non-Virtualizable InstructionsProcess Isolation and SecurityDisadvantages of Virtual MachinesContainer Isolation Compared to VM IsolationSummary
6. Container Images
Root Filesystem and Image ConfigurationOverriding Config at RuntimeOCI StandardsImage ConfigurationBuilding ImagesThe Dangers of docker buildDaemonless BuildsImage LayersStoring ImagesIdentifying ImagesImage SecurityBuild-Time SecurityProvenance of the DockerfileDockerfile Best Practices for SecurityAttacks on the Build MachineImage Storage SecurityRunning Your Own RegistrySigning ImagesImage Deployment SecurityDeploying the Right ImageMalicious Deployment DefinitionAdmission ControlGitOps and Deployment SecuritySummary
7. Software Vulnerabilities in Images
Vulnerability ResearchVulnerabilities, Patches, and DistributionsApplication-Level VulnerabilitiesVulnerability Risk ManagementVulnerability ScanningInstalled PackagesContainer Image ScanningImmutable ContainersRegular ScanningScanning ToolsSources of InformationOut-of-Date SourcesWon’t Fix VulnerabilitiesSubpackage VulnerabilitiesPackage Name DifferencesAdditional Scanning FeaturesScanner ErrorsScanning in the CI/CD PipelinePrevent Vulnerable Images from RunningZero-Day VulnerabilitiesSummary
8. Strengthening Container Isolation
SeccompAppArmorSELinuxgVisorKata ContainersFirecrackerUnikernelsSummary
9. Breaking Container Isolation
Containers Run as Root by DefaultOverride the User IDRoot Requirement Inside ContainersRootless ContainersThe --privileged Flag and CapabilitiesMounting Sensitive DirectoriesMounting the Docker SocketSharing Namespaces Between a Container and Its HostSidecar ContainersSummary

10. Container Network Security
Container FirewallsOSI Networking ModelSending an IP PacketIP Addresses for ContainersNetwork IsolationLayer 3/4 Routing and RulesiptablesIPVSNetwork PoliciesNetwork Policy SolutionsNetwork Policy Best PracticesService MeshSummary
11. Securely Connecting Components with TLS
Secure ConnectionsX.509 CertificatesPublic/Private Key PairsCertificate AuthoritiesCertificate Signing RequestsTLS ConnectionsSecure Connections Between ContainersCertificate RevocationSummary
12. Passing Secrets to Containers
Secret PropertiesGetting Information into a ContainerStoring the Secret in the Container ImagePassing the Secret Over the NetworkPassing Secrets in Environment VariablesPassing Secrets Through FilesKubernetes SecretsSecrets Are Accessible by RootSummary
13. Container Runtime Protection
Container Image ProfilesNetwork Traffic ProfilesExecutable ProfilesFile Access ProfilesUser ID ProfilesOther Runtime ProfilesContainer Security ToolsDrift PreventionSummary
14. Containers and the OWASP Top 10
InjectionBroken AuthenticationSensitive Data ExposureXML External EntitiesBroken Access ControlSecurity MisconfigurationCross-Site Scripting XSSInsecure DeserializationUsing Components with Known VulnerabilitiesInsufficient Logging and MonitoringSummary
Conclusions
Security Checklist
Index

Content preview from Container Security

Chapter 10. Container Network Security

Every external attack reaches your deployment across a network, so it’s important to understand something about networking in order to consider how to secure your applications and data. This isn’t going to be a comprehensive treatment of everything to do with networking (that would make this book a lot longer!), but it should give you the essentials of a sensible mental model you can use to think about network security in your container deployment.

I’ll start with an overview of container firewalling, which can provide a much more granular approach to network security than traditional firewalling approaches.

Then there is a review of the seven-layer networking model, which is worth knowing about so that you can understand the level a network security feature acts at. With this in place, we will discuss how container firewalling is implemented and look at some best practices for network policy rules. We end the chapter by looking at the network security features of service meshes.

Container Firewalls

Containers often go hand in hand with microservice architectures, where an application is broken into small components that can be deployed independently of each other. This can offer real benefits from a security perspective, because it’s much easier to define what normal behavior looks like in a small component. A given container probably has to communicate with only a limited set of other containers, and only a subset of containers need contact ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Implementing SSL/TLS Using Cryptography and PKI

Publisher Resources

ISBN: 9781492056690Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Container Security

by Liz Rice

Chapter 10. Container Network Security

Container Firewalls

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.