kubecon25/content/day-1/01_container-security.md
Nicolai Ort 46b06c66fd
docs: Added slides button to all pages
2025-04-02 13:21:27 +02:00


---
title: What I wish I knew about container security
weight: 1
tags:
- rejekts
- security
---
<!-- {{% button href="https://youtu.be/rkteV6Mzjfs" style="warning" icon="video" %}}Watch talk on YouTube{{% /button %}} -->
<!-- {{% button href="https://docs.google.com/presentation/d/1nEK0CVC_yQgIDqwsdh-PRihB6dc9RyT-" style="tip" icon="person-chalkboard" %}}Slides{{% /button %}} -->
## Baseline
- Linux is like a hammer and containers look a lot like nails
- Containers aren't real: they are just processes with better isolation
- iptables is complicated
### Hard parts
- The kernel is shared; we only pretend to separate processes through namespaces
- Filesystems: containers bring a bunch of filesystems of their own, and on top of that filesystems get shared between multiple containers
- Symlinks (soft links) are hard to get right because they point to a path and not to the data itself, so a link inside a shared filesystem can resolve to something outside of it
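The symlink problem from the list above, as an added example that is not part of the talk or these notes: a directory shared into a container contains a planted link `escape -> ../outside.txt`. Plain `openat()` follows the link out of the shared directory, while `openat2()` with `RESOLVE_BENEATH` refuses the escape with `EXDEV` and still opens the legitimate file. The temporary tree under `/tmp/symlink-demo-*`, the file names and the contents are constructed for the demo; the code needs Linux 5.6+ (no glibc wrapper exists for `openat2`, so it goes through `syscall(2)`).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <linux/openat2.h>   /* struct open_how, RESOLVE_* (kernel headers >= 5.6) */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* openat2(2) has no glibc wrapper, so it is called through syscall(2). */
static int open_beneath(int dirfd, const char *path, unsigned long long resolve)
{
    struct open_how how;
    memset(&how, 0, sizeof how);
    how.flags = O_RDONLY | O_CLOEXEC;
    how.resolve = resolve;   /* RESOLVE_BENEATH: every component must stay below dirfd */
    return (int)syscall(SYS_openat2, dirfd, path, &how, sizeof how);
}

static int write_file(const char *path, const char *text)
{
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fputs(text, f);
    return fclose(f);
}

/* Constructed demo tree (hypothetical paths under a fresh mkdtemp directory):
 *   <tmp>/outside.txt                        the file a container should never reach
 *   <tmp>/volume/data.txt                    legitimate data inside the shared "volume"
 *   <tmp>/volume/escape -> ../outside.txt    a symlink planted inside the volume
 * Returns an O_PATH fd for <tmp>/volume, or -1. */
static int make_demo_tree(char *tmp, size_t tmp_len)
{
    char p[PATH_MAX];
    snprintf(tmp, tmp_len, "/tmp/symlink-demo-XXXXXX");
    if (!mkdtemp(tmp)) return -1;
    snprintf(p, sizeof p, "%s/outside.txt", tmp);
    if (write_file(p, "secret outside the volume\n") != 0) return -1;
    snprintf(p, sizeof p, "%s/volume", tmp);
    if (mkdir(p, 0700) != 0) return -1;
    snprintf(p, sizeof p, "%s/volume/data.txt", tmp);
    if (write_file(p, "data inside the volume\n") != 0) return -1;
    snprintf(p, sizeof p, "%s/volume/escape", tmp);
    if (symlink("../outside.txt", p) != 0) return -1;
    snprintf(p, sizeof p, "%s/volume", tmp);
    return open(p, O_PATH | O_DIRECTORY | O_CLOEXEC);
}

static void remove_demo_tree(const char *tmp)
{
    const char *rel[] = { "volume/escape", "volume/data.txt", "volume", "outside.txt" };
    char p[PATH_MAX];
    for (size_t i = 0; i < sizeof rel / sizeof rel[0]; i++) {
        snprintf(p, sizeof p, "%s/%s", tmp, rel[i]);
        if (unlink(p) != 0) rmdir(p);
    }
    rmdir(tmp);
}

struct resolution_result {
    int naive_opened_escape;  /* 1: plain openat() followed the link out of the volume */
    int beneath_errno;        /* errno from openat2(RESOLVE_BENEATH) on the escape link */
    int beneath_opened_data;  /* 1: the legitimate file still opens under RESOLVE_BENEATH */
};

/* Opens the same names with and without RESOLVE_BENEATH. 0 on success, -1 if setup failed. */
static int compare_resolution(struct resolution_result *r)
{
    char tmp[PATH_MAX];
    int dirfd = make_demo_tree(tmp, sizeof tmp);
    if (dirfd < 0) return -1;
    int fd = openat(dirfd, "escape", O_RDONLY | O_CLOEXEC);
    r->naive_opened_escape = fd >= 0;
    if (fd >= 0) close(fd);
    fd = open_beneath(dirfd, "escape", RESOLVE_BENEATH);
    r->beneath_errno = fd >= 0 ? 0 : errno;
    if (fd >= 0) close(fd);
    fd = open_beneath(dirfd, "data.txt", RESOLVE_BENEATH);
    r->beneath_opened_data = fd >= 0;
    if (fd >= 0) close(fd);
    close(dirfd);
    remove_demo_tree(tmp);
    return 0;
}

int main(void)
{
    struct resolution_result r;
    if (compare_resolution(&r) != 0) { perror("setup"); return 1; }
    printf("openat() opened volume/escape: %d\n", r.naive_opened_escape);
    printf("openat2(RESOLVE_BENEATH) on volume/escape: %s\n", strerror(r.beneath_errno));
    printf("openat2(RESOLVE_BENEATH) opened volume/data.txt: %d\n", r.beneath_opened_data);
    return 0;
}
```

`RESOLVE_BENEATH` rejects `..` and absolute links that leave the directory; `RESOLVE_NO_SYMLINKS` is the stricter option when a shared directory should contain no links at all, and `RESOLVE_IN_ROOT` makes the directory behave like a chroot instead of failing. Whatever the choice, the check must be done by the kernel at resolution time; a userspace `lstat()` before `open()` leaves the race the talk is warning about.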
### How did we get here?
1. Unix with a bunch of tools we still use
2. Linux (originally designed for the desktop)
3. The kernel gets iptables
4. The first concept of namespaces
5. More hypervisor stuff and official user namespaces
6. Containers (first LXC, then Docker)
## Sandboxing
- In browsers: they must protect the user from malicious content
- In containers: pretty much the same, both run untrusted code that has to be isolated
## Namespaces
- Better isolation from other processes (with cgroups on top for the resource constraints)
- But: the shared kernel interacts with all processes, so a kernel bug can affect every namespace
![](../_imgs/namespaces.png)
## Improvements
- Secure Computing (seccomp): transition the process into a restricted state (a syscall filter) before it actually does anything, so a later compromise only gets the syscalls that were left open
- Paravirtualization: instead of system calls to a shared kernel we make hypercalls to the hypervisor
- Virtualization: the classic approach where every workload hosts its own kernel
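The "Secure Computing" bullet above in working form, as an added example that is not from the talk or these notes: a seccomp-bpf filter is installed first, and from then on the kernel refuses the denied syscalls for the rest of the process's life. Container runtimes install an allowlist profile this way before `exec`ing the workload; here the filter denies only `mkdir`/`mkdirat` with `EPERM` so the effect stays observable from the same process, and the probe path `/tmp/seccomp-demo-dir` and the `DEMO_AUDIT_ARCH` macro are assumptions of the demo, not part of any runtime. The architecture check at the top matters on x86-64, where the 32-bit syscall ABI reuses numbers with different meanings.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumption of the demo: the filter is only valid for the ABI it was compiled for. */
#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Return from the filter with a fixed errno instead of killing the process. */
#define DENY_ERRNO(err) \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | ((err) & SECCOMP_RET_DATA))

/* Installs a filter that kills on a foreign syscall ABI, fails mkdir(2)/mkdirat(2)
 * with EPERM, and allows everything else. 0 on success, -1 with errno on failure.
 * A real container profile is an allowlist; the single denied call keeps the demo small. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#ifdef SYS_mkdir   /* the legacy mkdir(2) does not exist on every architecture */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdir, 0, 1),
        DENY_ERRNO(EPERM),
#endif
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mkdirat, 0, 1),
        DENY_ERRNO(EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };
    /* Required for an unprivileged caller: a filtered process may not gain privileges
     * through setuid binaries, otherwise the filter could be used to confuse them. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* After the filter the syscall never reaches the VFS, so the answer is EPERM
 * regardless of whether the directory exists. Path is a demo assumption. */
static int mkdir_is_denied(void)
{
    errno = 0;
    int rc = mkdir("/tmp/seccomp-demo-dir", 0700);
    return rc == -1 && errno == EPERM;
}

/* Everything not named in the filter keeps working. */
static int other_syscalls_still_work(void)
{
    return getpid() > 0;
}

int main(void)
{
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    printf("mkdir denied with EPERM: %d\n", mkdir_is_denied());
    printf("getpid still works: %d\n", other_syscalls_still_work());
    return 0;
}
```

The filter is inherited across `fork()` and `execve()` and cannot be removed, which is exactly the "transition before doing stuff" the talk describes: the runtime sets it up, then hands control to the workload. Note that `SECCOMP_RET_ERRNO` is the friendlier choice for an audit phase, while a production profile usually kills on anything outside the allowlist.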
## Stuff to look out for
> More or less a bit of advertisement
- Edera: container-native hypervisor without a shared kernel
- Styrolite: Rust-based container runtime sandbox
- eBPF and Tetragon for prevention and monitoring