Container Security: Fundamental Technology Concepts that Protect Containerized Applications [1 ed.] 1492056707, 9781492056706

To facilitate scalability and resilience, many organizations now run applications in cloud native environments using con


Language: English. Pages: 200. Year: 2020.



Table of contents :
Cover
Copyright
Table of Contents
Preface
Who This Book Is For
What This Book Covers
A Note about Kubernetes
Examples
How to Run Containers
Feedback
Conventions Used in This Book
Using Code Examples
O’Reilly Online Learning
How to Contact Us
Acknowledgments
Chapter 1. Container Security Threats
Risks, Threats, and Mitigations
Container Threat Model
Security Boundaries
Multitenancy
Shared Machines
Virtualization
Container Multitenancy
Container Instances
Security Principles
Least Privilege
Defense in Depth
Reducing the Attack Surface
Limiting the Blast Radius
Segregation of Duties
Applying Security Principles with Containers
Summary
Chapter 2. Linux System Calls, Permissions, and Capabilities
System Calls
File Permissions
setuid and setgid
Linux Capabilities
Privilege Escalation
Summary
Chapter 3. Control Groups
Cgroup Hierarchies
Creating Cgroups
Setting Resource Limits
Assigning a Process to a Cgroup
Docker Using Cgroups
Cgroups V2
Summary
Chapter 4. Container Isolation
Linux Namespaces
Isolating the Hostname
Isolating Process IDs
Changing the Root Directory
Combine Namespacing and Changing the Root
Mount Namespace
Network Namespace
User Namespace
User Namespace Restrictions in Docker
Inter-process Communications Namespace
Cgroup Namespace
Container Processes from the Host Perspective
Container Host Machines
Summary
Chapter 5. Virtual Machines
Booting Up a Machine
Enter the VMM
Type 1 VMMs, or Hypervisors
Type 2 VMM
Kernel-Based Virtual Machines
Trap-and-Emulate
Handling Non-Virtualizable Instructions
Process Isolation and Security
Disadvantages of Virtual Machines
Container Isolation Compared to VM Isolation
Summary
Chapter 6. Container Images
Root Filesystem and Image Configuration
Overriding Config at Runtime
OCI Standards
Image Configuration
Building Images
The Dangers of docker build
Daemonless Builds
Image Layers
Storing Images
Identifying Images
Image Security
Build-Time Security
Provenance of the Dockerfile
Dockerfile Best Practices for Security
Attacks on the Build Machine
Image Storage Security
Running Your Own Registry
Signing Images
Image Deployment Security
Deploying the Right Image
Malicious Deployment Definition
Admission Control
GitOps and Deployment Security
Summary
Chapter 7. Software Vulnerabilities in Images
Vulnerability Research
Vulnerabilities, Patches, and Distributions
Application-Level Vulnerabilities
Vulnerability Risk Management
Vulnerability Scanning
Installed Packages
Container Image Scanning
Immutable Containers
Regular Scanning
Scanning Tools
Sources of Information
Out-of-Date Sources
Won’t Fix Vulnerabilities
Subpackage Vulnerabilities
Package Name Differences
Additional Scanning Features
Scanner Errors
Scanning in the CI/CD Pipeline
Prevent Vulnerable Images from Running
Zero-Day Vulnerabilities
Summary
Chapter 8. Strengthening Container Isolation
Seccomp
AppArmor
SELinux
gVisor
Kata Containers
Firecracker
Unikernels
Summary
Chapter 9. Breaking Container Isolation
Containers Run as Root by Default
Override the User ID
Root Requirement Inside Containers
Rootless Containers
The --privileged Flag and Capabilities
Mounting Sensitive Directories
Mounting the Docker Socket
Sharing Namespaces Between a Container and Its Host
Sidecar Containers
Summary
Chapter 10. Container Network Security
Container Firewalls
OSI Networking Model
Sending an IP Packet
IP Addresses for Containers
Network Isolation
Layer 3/4 Routing and Rules
iptables
IPVS
Network Policies
Network Policy Solutions
Network Policy Best Practices
Service Mesh
Summary
Chapter 11. Securely Connecting Components with TLS
Secure Connections
X.509 Certificates
Public/Private Key Pairs
Certificate Authorities
Certificate Signing Requests
TLS Connections
Secure Connections Between Containers
Certificate Revocation
Summary
Chapter 12. Passing Secrets to Containers
Secret Properties
Getting Information into a Container
Storing the Secret in the Container Image
Passing the Secret Over the Network
Passing Secrets in Environment Variables
Passing Secrets Through Files
Kubernetes Secrets
Secrets Are Accessible by Root
Summary
Chapter 13. Container Runtime Protection
Container Image Profiles
Network Traffic Profiles
Executable Profiles
File Access Profiles
User ID Profiles
Other Runtime Profiles
Container Security Tools
Drift Prevention
Summary
Chapter 14. Containers and the OWASP Top 10
Injection
Broken Authentication
Sensitive Data Exposure
XML External Entities
Broken Access Control
Security Misconfiguration
Cross-Site Scripting (XSS)
Insecure Deserialization
Using Components with Known Vulnerabilities
Insufficient Logging and Monitoring
Summary
Conclusions
Security Checklist
Index
About the Author
Colophon
