CONTAINERS AND SECURITY: A MATCH MADE IN CYBERSPACE
Ted Brunell, Chief Architect, DoD Programs / Principal Solutions, [email protected], @DoDCloudGuy
"The views expressed in this presentation are those of the author(s) and do not necessarily reflect the official policy or position of the Air Force, the Department of Defense, or the U.S. Government."
CONTAINERS CHANGE HOW WE DEVELOP, DEPLOY AND MANAGE APPLICATIONS
Infrastructure
● Application processes on a shared kernel
● Simpler, lighter, and denser than VMs
● Portable across different environments
Applications
● Package apps with all dependencies
● Deploy to any environment in seconds
● Easily accessed and shared
THEY ALSO CHANGE HOW WE SECURE OUR WORKLOADS
AUTOMATED & INTEGRATED SECURITY
Three layers of controls:
CONTROL: Application Security
● Container Content
● Container Registry
● CI/CD Pipeline
● Deployment Policies
DEFEND: Infrastructure
● Container Host
● Multi-tenancy
● Container Platform
● Network Isolation
● Storage
● Audit & Logging
● API Management
EXTEND
● Security Ecosystem
CONTROL: Secure the Pipeline & the Applications
● Container Content
● Container Registry
● CI/CD Pipeline
● Deployment Policies
IT STARTS WITH TRUSTED SOURCES
CONTAINER HEALTH CHECKS
https://access.redhat.com/containers/
SECURE CONTAINER LIFECYCLE
Diagram: a developer commits to a Git server; the CI/CD pipeline (Jenkins) builds the image, stores build artifacts in an artifact repository, pushes the image to a trusted image registry and deploys it to a Kubernetes cluster. Promotion to Test, to UAT and to Prod (go live?) are separate gates controlled by a release manager; Dev, Test and UAT are non-prod environments, Prod is kept separate.
AUTOMATING DEVOPS AND DEPLOYMENT POLICIES
Lifecycle: Plan → Create → Build → Test → Secure → Deploy → Operate → Monitor → Scale → Adapt
DESIGN FOR SEPARATION OF CONCERNS
Each image layer is owned by a different team:
● Core image: IT Operations
● Middleware (layered on the core image): Architects
● Application (layered on core image and middleware): Application Developers
DEFEND: Secure the Infrastructure
● Container Host
● Multi-tenancy
● Container Platform
● Network Isolation
● Storage
● Audit & Logging
● API Management
RED HAT ENTERPRISE LINUX ATOMIC HOST
Minimized host environment tuned for running Linux containers while maintaining the built-in security features of Red Hat Enterprise Linux.
A stable, reliable host environment with built-in security features that allow you to isolate containers from other containers and from the kernel.
THE OS MATTERS: CONTAINER HOST & MULTI-TENANCY
RED HAT ENTERPRISE LINUX: THE FOUNDATION FOR SECURE, SCALABLE CONTAINERS
Kernel isolation features: SELinux, kernel namespaces, cgroups, seccomp, capabilities
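The kernel features listed above are visible per process in /proc/<pid>/status, which is the quickest way to confirm that a running container actually has the capability set, seccomp filter and no_new_privs flag the platform was supposed to give it. The following is an added example, not code from the presentation; the three status excerpts are constructed (a default, a privileged and a hardened container), and the list of "dangerous" capabilities is this editor's review threshold, not a Red Hat or kernel definition.

```python
"""Inspect the kernel-level controls on a container process from
/proc/<pid>/status: capability sets, seccomp mode, no_new_privs and uid.
Added example (not from the presentation). The three status excerpts are
constructed; real files separate fields with tabs, which parse_status
also accepts."""

# Capability bit numbers, in order, from include/uapi/linux/capability.h
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Review threshold (editor's choice): capabilities that give a container
# process a direct path to the host (mounts, ptrace, modules, raw devices,
# host network, open_by_handle_at).
DANGEROUS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_NET_ADMIN",
             "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH", "CAP_SYS_BOOT", "CAP_BPF"}


def decode_caps(mask_hex):
    """Translate a hex mask as printed in CapEff/CapBnd into capability names."""
    mask = int(mask_hex, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    if mask >> len(CAP_NAMES):
        names.append("CAP_?(bits above %d)" % (len(CAP_NAMES) - 1))
    return names


def parse_status(text):
    """Split 'Key:<whitespace>value' lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit_status(text):
    """Return review findings for one process; an empty list means hardened."""
    f = parse_status(text)
    eff = set(decode_caps(f.get("CapEff", "0")))
    bnd = set(decode_caps(f.get("CapBnd", "0")))
    findings = ["effective " + c for c in sorted(eff & DANGEROUS)]
    # A dangerous cap left in the bounding set can come back through a setuid
    # or file-capability binary unless no_new_privs is set.
    findings += ["bounding set still permits " + c for c in sorted((bnd - eff) & DANGEROUS)]
    if f.get("Seccomp", "0") != "2":      # 2 = SECCOMP_MODE_FILTER
        findings.append("no seccomp filter (Seccomp=%s)" % f.get("Seccomp", "0"))
    if f.get("NoNewPrivs", "0") != "1":
        findings.append("no_new_privs unset")
    if f.get("Uid", "").split()[:1] == ["0"]:
        findings.append("runs as uid 0")
    return findings


# Constructed excerpts (00000000a80425fb is docker's default capability mask).
DOCKER_DEFAULT = """Name: nginx
Uid: 0 0 0 0
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
NoNewPrivs: 0
Seccomp: 2"""

PRIVILEGED = """Name: debug-shell
Uid: 0 0 0 0
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff
NoNewPrivs: 0
Seccomp: 0"""

HARDENED = """Name: app
Uid: 1001 1001 1001 1001
CapEff: 0000000000000000
CapBnd: 0000000000000400
NoNewPrivs: 1
Seccomp: 2"""

if __name__ == "__main__":
    for label, text in (("default", DOCKER_DEFAULT), ("privileged", PRIVILEGED), ("hardened", HARDENED)):
        print(label, audit_status(text) or "OK")
```

On a real node, feed it `cat /proc/$(pgrep -f your-app)/status`; the hardened profile corresponds to dropping all capabilities, running as a non-root uid and keeping the default seccomp profile, which is what the container host is meant to enforce for every tenant.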
SECURING THE CONTAINER PLATFORM
● Role-based Access Controls with LDAP and OAuth integration
● Secure communication
● Platform multi-tenant security
● Integrated & extensible secrets management
● Logging, Monitoring, Metrics
● Consistency across multiple infrastructures
Diagram: Red Hat Enterprise Linux nodes running containers, a master providing API/authentication, data store, scheduler and health/scaling, plus persistent storage and a registry, on physical, virtual, private, public or hybrid infrastructure.
SECRETS MANAGEMENT
● Secure mechanism for holding sensitive data, e.g.
○ Passwords and credentials
○ SSH Keys
○ Certificates
● Secrets are made available as
○ Environment variables
○ Volume mounts
○ Interaction with external systems
● Encrypted in transit and at rest
● Never rest on the nodes
Note: encryption at rest depends on the platform having an encryption provider configured for its etcd data store; without one, Kubernetes Secrets are only base64-encoded in etcd, so verify this on your cluster rather than assuming it. Secrets delivered as volumes are backed by tmpfs on the node, which is what "never rest on the nodes" means; secrets passed as environment variables can still leak through process listings, crash dumps and child processes, so prefer volume mounts.
Diagram: secrets held in the master's distributed store and delivered to containers on the nodes.
LOGGING and AUDITING
● Aggregate logs for hosts and applications
● Access control
○ Cluster administrators can view all logs
○ Users can view logs for their projects
● Ability to send logs elsewhere
○ External Elasticsearch, Splunk, etc.
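Aggregating logs only pays off if someone reads them. The platform's API-server audit log is the record of who touched secrets, who opened a shell into a pod and who changed RBAC, and a few rules over it catch most of the abuse cases a cluster administrator cares about. The following detection logic is an added example, not from the presentation; the audit events are constructed in the audit.k8s.io/v1 shape, and the "cluster-admins" group name is an assumption about your RBAC setup.

```python
"""Scan Kubernetes API-server audit events (JSON lines) for activity a
cluster administrator would want surfaced: secret reads by humans outside the
admin groups, exec/attach into running pods, RBAC changes by non-admins, and
forbidden requests (enumeration). Added example, not from the presentation;
the events below are constructed and 'cluster-admins' is an assumed group."""
import json

ADMIN_GROUPS = {"system:masters", "cluster-admins"}   # assumed admin groups
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete"}


def classify(event):
    """Return alert strings for one ResponseComplete event; empty if benign."""
    user = event.get("user", {})
    name = user.get("username", "")
    is_admin = bool(set(user.get("groups", [])) & ADMIN_GROUPS)
    is_system = name.startswith("system:")      # controllers, kubelets, SAs
    obj = event.get("objectRef", {})
    verb = event.get("verb")
    code = event.get("responseStatus", {}).get("code", 0)
    ns = obj.get("namespace")
    alerts = []
    if (obj.get("resource") == "secrets" and verb in READ_VERBS
            and code < 400 and not (is_admin or is_system)):
        alerts.append("secret read by non-admin %s in %s" % (name, ns))
    # Interactive access into a running container bypasses the image pipeline.
    if obj.get("subresource") in ("exec", "attach") and code < 400:
        alerts.append("pod %s by %s in %s/%s" % (obj["subresource"], name, ns, obj.get("name")))
    if (obj.get("resource") in ("rolebindings", "clusterrolebindings")
            and verb in WRITE_VERBS and code < 400 and not is_admin):
        alerts.append("RBAC change (%s %s) by non-admin %s" % (verb, obj["resource"], name))
    if code == 403:                             # denied requests: count them per user upstream
        alerts.append("forbidden %s %s by %s" % (verb, obj.get("resource"), name))
    return alerts


def scan_log(lines):
    """Return (alerts, parse_errors) for an iterable of audit log lines."""
    alerts, errors = [], 0
    for line in lines:
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except ValueError:
            errors += 1
            continue
        # Each request is logged twice; only the completed stage has a status.
        if event.get("stage") == "ResponseComplete":
            alerts.extend(classify(event))
    return alerts, errors


# Constructed sample: six audit events and one corrupt line.
SAMPLE_LOG = """
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"alice","groups":["developers"]},"objectRef":{"resource":"secrets","namespace":"prod","name":"db-creds"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"system:serviceaccount:kube-system:token-controller","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"kube-system","name":"token"},"responseStatus":{"code":200}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"RequestReceived","verb":"create","user":{"username":"bob","groups":["developers"]},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-1"}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"create","user":{"username":"bob","groups":["developers"]},"objectRef":{"resource":"pods","subresource":"exec","namespace":"prod","name":"web-1"},"responseStatus":{"code":101}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"list","user":{"username":"carol","groups":["developers"]},"objectRef":{"resource":"secrets","namespace":"dev"},"responseStatus":{"code":403}}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","stage":"ResponseComplete","verb":"get","user":{"username":"ops-admin","groups":["cluster-admins"]},"objectRef":{"resource":"secrets","namespace":"prod","name":"tls"},"responseStatus":{"code":200}}
this line is not JSON
"""

if __name__ == "__main__":
    found, bad = scan_log(SAMPLE_LOG.splitlines())
    print("\n".join(found), "\nunparseable lines:", bad)
```

The same rules translate directly into a SIEM query once the log is shipped to Elasticsearch or Splunk; the point of doing it in code first is to pin down the exact fields (stage, verb, objectRef.subresource, responseStatus.code) before writing the saved search.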
CONTAINER METRICS
NETWORK DEFENSE
● Multi-tenant Network Support
○ Project-level network isolation
○ Multicast support
○ Egress network policies
● Network Policy
○ Granular policy-based isolation
Diagram: pods from Project A, Project B and Project C spread across two nodes alongside the default namespace; project-level isolation keeps each project's pods on their own network.
NETWORK POLICY: FINE GRAINED ISOLATION
Diagram: Project A and Project B, each with four pods; the flows are checked against the policies below, with ports 8080 and 5432 shown on the purple pod.
Example Policies
● Allow all traffic inside the project
● Allow traffic from green to gray
● Allow traffic to purple on 8080
The third policy as a NetworkPolicy manifest (the slide used apiVersion extensions/v1beta1, which has since been removed from Kubernetes; protocol names must be upper-case):

    apiVersion: networking.k8s.io/v1
    kind: NetworkPolicy
    metadata:
      name: allow-to-purple-on-8080
    spec:
      podSelector:
        matchLabels:
          color: purple
      ingress:
      - ports:
        - protocol: TCP
          port: 8080

Caveat: this rule has no "from" clause, so once the purple pod is selected it accepts TCP 8080 from any source that can reach it, including other projects, while from outside the project (where the intra-project policy does not apply) every other port, 5432 here, is denied. Add a "from" entry with a podSelector or namespaceSelector to limit the peers.
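The subtle part of NetworkPolicy is not the YAML but the selection semantics: a pod that no policy selects accepts everything, and once any policy selects it, a flow is allowed only if some ingress rule of some selecting policy matches. The following evaluator is an added example, not from the presentation and not a CNI implementation; the pods and policies model the slide's Project A scenario and are constructed. It handles matchLabels, podSelector/namespaceSelector peers and numbered ports only (no ipBlock, matchExpressions, named ports or egress).

```python
"""Evaluate whether an ingress flow between two pods is allowed under a set of
Kubernetes NetworkPolicy objects, following the documented rules: a pod
selected by no policy accepts everything; once any policy selects it, traffic
must match some ingress rule of some selecting policy. Added example; pods
and policies below are constructed for the slide's scenario."""


def matches(selector, labels):
    """matchLabels selector; {} matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns):
    """One 'from' entry. namespaceSelector and podSelector in the same entry
    are ANDed; a podSelector alone is scoped to the policy's own namespace."""
    if "namespaceSelector" in peer:
        if not matches(peer["namespaceSelector"], src["ns_labels"]):
            return False
    elif src["namespace"] != policy_ns:
        return False
    return "podSelector" not in peer or matches(peer["podSelector"], src["labels"])


def port_matches(ports, protocol, port):
    if not ports:                       # no ports listed means any port
        return True
    return any(p.get("protocol", "TCP") == protocol and p.get("port") in (None, port)
               for p in ports)


def rule_allows(rule, src, policy_ns, protocol, port):
    peers = rule.get("from", [])        # no 'from' means any source
    return ((not peers or any(peer_matches(p, src, policy_ns) for p in peers))
            and port_matches(rule.get("ports", []), protocol, port))


def ingress_allowed(policies, src, dst, protocol, port):
    selecting = [p for p in policies
                 if p["metadata"]["namespace"] == dst["namespace"]
                 and "Ingress" in p["spec"].get("policyTypes", ["Ingress"])
                 and matches(p["spec"]["podSelector"], dst["labels"])]
    if not selecting:
        return True                     # unselected pods are wide open
    return any(rule_allows(r, src, p["metadata"]["namespace"], protocol, port)
               for p in selecting for r in p["spec"].get("ingress", []))


# Constructed pods: Project A is the slide's project, Project B a neighbour.
NS_A = {"namespace": "project-a", "ns_labels": {"name": "project-a"}}
NS_B = {"namespace": "project-b", "ns_labels": {"name": "project-b"}}
PODS = {
    "green": dict(labels={"color": "green"}, **NS_A),
    "gray": dict(labels={"color": "gray"}, **NS_A),
    "purple": dict(labels={"color": "purple"}, **NS_A),
    "red": dict(labels={"color": "red"}, **NS_A),
    "b-app": dict(labels={"app": "web"}, **NS_B),
    "b-db": dict(labels={"app": "db"}, **NS_B),
}

# The slide's three policies, as they would be written for networking.k8s.io/v1.
POLICIES = [
    {"metadata": {"name": "allow-same-project", "namespace": "project-a"},
     "spec": {"podSelector": {}, "ingress": [{"from": [{"podSelector": {}}]}]}},
    {"metadata": {"name": "allow-green-to-gray", "namespace": "project-a"},
     "spec": {"podSelector": {"matchLabels": {"color": "gray"}},
              "ingress": [{"from": [{"podSelector": {"matchLabels": {"color": "green"}}}]}]}},
    {"metadata": {"name": "allow-to-purple-on-8080", "namespace": "project-a"},
     "spec": {"podSelector": {"matchLabels": {"color": "purple"}},
              "ingress": [{"ports": [{"protocol": "TCP", "port": 8080}]}]}},
]

# The hardened form of the third policy: same port, but only from web pods in project-b.
HARDENED_PURPLE = {
    "metadata": {"name": "allow-b-web-to-purple-on-8080", "namespace": "project-a"},
    "spec": {"podSelector": {"matchLabels": {"color": "purple"}},
             "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"name": "project-b"}},
                                    "podSelector": {"matchLabels": {"app": "web"}}}],
                          "ports": [{"protocol": "TCP", "port": 8080}]}]}}


def flow(policies, src_name, dst_name, port, protocol="TCP"):
    return ingress_allowed(policies, PODS[src_name], PODS[dst_name], protocol, port)


if __name__ == "__main__":
    print("project-b -> purple:8080 under the slide's policies:", flow(POLICIES, "b-app", "purple", 8080))
    print("project-b -> purple:5432:", flow(POLICIES, "b-app", "purple", 5432))
    print("green -> red:5432 with no policy selecting red:", flow(POLICIES[1:], "green", "red", 5432))
```

Two results are worth checking against your own CNI plugin: the slide's 8080 rule lets Project B in because it has no "from" clause, and a pod that no policy selects (red, once the allow-same-project policy is removed) accepts everything, which is why a default-deny policy with an empty podSelector belongs in every project.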
ATTACHED STORAGE
Secure storage by using
● SELinux Mandatory Access Controls
● Secure mounts
● Supplemental group IDs for shared storage
API MANAGEMENT
● Authentication and authorization
● LDAP integration
● End-point access controls
● Rate limiting
EXTEND: Leverage the Ecosystem
THE SECURITY ECOSYSTEM
For enhanced security, or to meet existing policies, integrate with enterprise security tools, such as
● Identity and Access Management / Privileged Access Management
● External Certificate Authorities
● External Vaults / Key Management solutions
● External Hardware Security Modules (HSM)
● Filesystem encryption tools
● Container content scanners & vulnerability management tools
● Container runtime analysis tools
● Security Information and Event Management (SIEM)
Ecosystem partners named on the slide: Sysdig, NGINX, Cisco Contiv, Aporeto, Sonatype, Black Duck, Tremolo, Tigera, Twistlock.
LOOKING INTO THE NOT SO DISTANT FUTURE
CONTAINER CHALLENGES: Enterprise Build, Pipeline and Runtime concerns
● Supply chain needs further security policy services
● Microservices have special networking and governance needs
● Build and runtime tools and services need decoupling
ATTESTATION OF SECURITY POLICY: Grafeas (Scribe) and Kritis (Judge)
Diagram: CI/CD pipeline stages Build → Test → Scan → Analysis → QA → Deploy Time Policy → Production. Grafeas records metadata (attestations, findings) for each stage; Kritis enforces the deploy-time policy.
Example policy statements:
● "Bob can start a build but Alice must certify for production"
● "I only want to run scanned code that has been QA certified"
● "Do I have any running jobs that are affected by this new vulnerability"
● "I want to see a full compliance summary of all deployed components"
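The four policy statements above all reduce to the same mechanism: pipeline stages write metadata about an image digest, and admission consults that metadata before letting the digest run. The following is an added example in that pattern, not from the presentation and not Grafeas's or Kritis's actual API: the in-memory store, HMAC-signed attestations (standing in for the PGP or KMS keys a real attestor would use), attestor names, image names, digests and vulnerability ids are all constructed.

```python
"""Deploy-time policy in the Grafeas/Kritis pattern: a metadata store holds
per-image-digest occurrences written by pipeline stages (scan results and
signed attestations: the scribe), and an admission check decides whether a
digest may run in production (the judge). Added example; the store, HMAC
signatures, attestor names, digests and vulnerability ids are constructed."""
import hashlib
import hmac
import json

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


class MetadataStore:
    """Occurrences keyed by image digest; kind is SCAN, VULNERABILITY or ATTESTATION."""
    def __init__(self):
        self._occ = {}

    def record(self, digest, occurrence):
        self._occ.setdefault(digest, []).append(occurrence)

    def for_image(self, digest, kind):
        return [o for o in self._occ.get(digest, []) if o["kind"] == kind]


def _payload(attestor, digest):
    return json.dumps({"attestor": attestor, "digest": digest}, sort_keys=True).encode()


def sign_attestation(key, attestor, digest):
    """The attestor (QA, release manager, ...) signs exactly one digest."""
    sig = hmac.new(key, _payload(attestor, digest), hashlib.sha256).hexdigest()
    return {"kind": "ATTESTATION", "attestor": attestor, "signature": sig}


def attestation_valid(key, attestor, digest, occ):
    expected = hmac.new(key, _payload(attestor, digest), hashlib.sha256).hexdigest()
    return occ["attestor"] == attestor and hmac.compare_digest(occ["signature"], expected)


def admit(store, keys, image_ref, policy):
    """Return (allowed, reasons). Only digest-pinned references are accepted,
    so the metadata consulted is about the exact bytes that will run."""
    if "@sha256:" not in image_ref:
        return False, ["image must be pinned by digest, not tag"]
    digest = image_ref.split("@", 1)[1]
    reasons = []
    if not store.for_image(digest, "SCAN"):          # "only run scanned code"
        reasons.append("no scan recorded")
    worst = max((SEVERITY_RANK[o["severity"]] for o in store.for_image(digest, "VULNERABILITY")),
                default=0)
    if worst > SEVERITY_RANK[policy["max_severity"]]:
        reasons.append("vulnerability above %s present" % policy["max_severity"])
    attestations = store.for_image(digest, "ATTESTATION")
    for attestor in policy["required_attestors"]:    # "Alice must certify for production"
        if not any(attestation_valid(keys[attestor], attestor, digest, o) for o in attestations):
            reasons.append("missing or invalid attestation from %s" % attestor)
    return not reasons, reasons


def affected_workloads(store, running, vuln_id):
    """'Do I have any running jobs affected by this new vulnerability?'"""
    return sorted(name for name, ref in running.items()
                  if any(o.get("id") == vuln_id
                         for o in store.for_image(ref.split("@", 1)[1], "VULNERABILITY")))


# Constructed data: keys, policy, digests and findings are illustrative only.
KEYS = {"qa-certified": b"example-qa-key", "prod-release": b"example-release-key"}
POLICY = {"max_severity": "MEDIUM", "required_attestors": ["qa-certified", "prod-release"]}
GOOD, BAD, FORGED = ("sha256:" + c * 64 for c in "abc")


def build_store():
    s = MetadataStore()
    for d in (GOOD, BAD, FORGED):
        s.record(d, {"kind": "SCAN", "scanner": "example-scanner"})
    s.record(GOOD, {"kind": "VULNERABILITY", "id": "example-vuln-1", "severity": "LOW"})
    s.record(BAD, {"kind": "VULNERABILITY", "id": "example-vuln-2", "severity": "CRITICAL"})
    for d in (GOOD, BAD):
        for a in POLICY["required_attestors"]:
            s.record(d, sign_attestation(KEYS[a], a, d))
    # FORGED carries a release attestation made with the wrong key.
    s.record(FORGED, sign_attestation(KEYS["qa-certified"], "qa-certified", FORGED))
    s.record(FORGED, sign_attestation(b"not-the-release-key", "prod-release", FORGED))
    return s


if __name__ == "__main__":
    store = build_store()
    for ref in ("registry.example/app@" + GOOD, "registry.example/app@" + BAD,
                "registry.example/app@" + FORGED, "registry.example/app:latest"):
        print(ref[-12:], admit(store, KEYS, ref, POLICY))
    print(affected_workloads(store, {"web": "registry.example/app@" + GOOD,
                                     "batch": "registry.example/app@" + BAD}, "example-vuln-2"))
```

Two design points carry over to a real deployment: admission keys on the digest rather than the tag, because a tag can be repointed after QA signed it, and the attestation binds the attestor's identity to that digest so a QA signature cannot be replayed as a release approval.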
ISTIO AND MICROSERVICES: Connect, manage, and secure microservices.
● Collaborative effort between Red Hat, Google Cloud and IBM
● Sidecar container with the features and functions for creating and managing microservices
○ Monitoring
○ Tracing
○ Circuit breakers
○ Routing
○ Load balancing
○ Fault injection
○ Retries
○ Timeouts
○ Mirroring
○ Access control
○ Rate limiting
○ ...And more
v1.0 ANNOUNCED 07/31/2018!
OCI BASED INNOVATION: CONTAINER RUNTIME & PACKAGING ON RED HAT ENTERPRISE LINUX
Image build (Buildah):
● OCI-compliant, daemon-less tool for building/modifying OCI/Docker images
● Enables fine-grained control over the commands and content of each image layer
● Container host utilities can optionally be leveraged as part of the build
● Can use a Dockerfile
● Shares the underlying image and storage components with CRI-O
Container runtime (CRI-O):
● A lightweight, OCI-compliant container runtime designed for Kubernetes
● Runs any OCI / Docker container from any OCI / Docker registry
● Focus on stability and life cycle with the platform
● Improve container security & performance at scale
BRINGING IT ALL TOGETHER
Diagram: existing automation toolsets (SCM (Git), CI/CD) feed the platform: a service layer and a routing layer in front of Red Hat Enterprise Linux nodes running containers, a master providing API/authentication, data store, scheduler and health/scaling, with persistent storage and a registry, on physical, virtual, private, public or hybrid infrastructure.
THANK YOU