Container Security: So Many Options, Use Them All!
Linux containers have become a new standard in the rapidly changing software industry. It is important to note that the convenience in packaging and runtime isolation that containers provide has security consequences that are often overlooked. For instance, running a privileged container gives the process inside it full root privileges on the host: every capability, no seccomp filter, and direct access to host devices. Many users also don't realize that they can shrink the attack surface of a running container by following some common-sense practices to build minimal images. Other measures, such as configuring seccomp, SELinux, and Linux capabilities, go a long way toward limiting what an attacker can do after exploiting a vulnerability, yet many users aren't aware how easy it is to configure a more secure containerized environment.

In this presentation we will explain what containers are and the distinct sets of actions that work together in a containerized workload. We will explain the benefits of separating each set of actions into its own tool rather than using a monolithic container tool. After all, at the core of the Unix philosophy is this: write programs that do one thing and do it well; write programs that work well together. In this spirit we will introduce four container projects, Buildah, Podman, Skopeo, and CRI-O, which are designed to work together from creating container images, through testing those images locally, to running them in a production cluster. For each project we will cover some of the security features it offers, with live demos running alongside. The demos will help the audience gain a better understanding of the features under discussion and give them a practical example they can play around with later.
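To make the privileged-versus-hardened contrast concrete, here is an added example (not part of the talk and not code from the Podman project) that places the weak `podman run` flags beside a hardened set and writes a small seccomp profile for the hardened form. The image name, the profile path and the list of denied syscalls are assumptions chosen for illustration, not a vetted policy.

```shell
#!/bin/sh
# Added example, not from the talk or from the Podman project: the weak and the
# hardened form of a `podman run`, plus a small seccomp profile applied to the
# hardened form. Image name, profile path and syscall list are assumptions.
set -eu

IMAGE="${IMAGE:-docker.io/library/alpine:3.19}"    # assumed: any small image works
PROFILE="${PROFILE:-/tmp/demo-seccomp.json}"       # assumed path for the profile

# Weak form: --privileged hands the container every capability, turns off the
# seccomp filter and exposes host devices; label=disable also drops the SELinux
# confinement. A process in such a container is effectively root on the host.
weak_run_args() {
    printf '%s' '--privileged --security-opt label=disable'
}

# Hardened form: start from zero capabilities and add back only what the
# workload needs, forbid privilege gain through setuid binaries, apply a
# seccomp profile, keep the default SELinux label, make the root filesystem
# read-only, run as an unprivileged uid and cap the number of pids.
hardened_run_args() {
    printf '%s' "--cap-drop=all --cap-add=NET_BIND_SERVICE"
    printf ' %s' "--security-opt no-new-privileges"
    printf ' %s' "--security-opt seccomp=$PROFILE"
    printf ' %s' "--read-only --tmpfs /tmp"
    printf ' %s' "--user 1000:1000 --pids-limit 100"
}

# Deny-list seccomp profile in the JSON format podman (and Docker) consume.
# A profile passed with --security-opt replaces the default profile rather
# than extending it, so in practice you copy the distribution profile
# (/usr/share/containers/seccomp.json on Fedora) and tighten it. The syscall
# list here is an illustration only.
write_seccomp_profile() {
    cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    {
      "names": ["mount", "umount2", "ptrace", "keyctl", "add_key", "request_key",
                "bpf", "unshare", "setns", "kexec_load", "init_module", "finit_module"],
      "action": "SCMP_ACT_ERRNO"
    }
  ]
}
EOF
}

# Read back the default action so a profile can be sanity-checked before use.
profile_default_action() {
    sed -n 's/.*"defaultAction": *"\([A-Z_]*\)".*/\1/p' "$1"
}

# Count the syscall names listed in the profile (JSON keys are filtered out).
profile_denied_count() {
    grep -o '"[a-z_0-9]*"' "$1" \
      | grep -v -e '"architectures"' -e '"syscalls"' -e '"names"' -e '"action"' \
      | wc -l | tr -d ' '
}

# Print both command lines side by side without running anything.
print_commands() {
    write_seccomp_profile "$PROFILE"
    echo "weak:     podman run --rm $(weak_run_args) $IMAGE id"
    echo "hardened: podman run --rm $(hardened_run_args) $IMAGE id"
}

# Run the hardened container and show the effect: an empty effective
# capability set and a read-only root. Needs podman and network access.
run_demo() {
    write_seccomp_profile "$PROFILE"
    # shellcheck disable=SC2046  # word splitting of the flag string is intended
    podman run --rm $(hardened_run_args) "$IMAGE" sh -c \
        'id; grep CapEff /proc/self/status; touch /x || echo "rootfs is read-only"'
}

print_commands
```

Running the script prints the two command lines and writes the profile; calling `run_demo` on a machine with podman shows `CapEff: 0000000000000000` and a refused write to `/`. SELinux needs no flag in the hardened form because podman labels containers by default; the point is never to pass `label=disable` or `--privileged` unless the workload genuinely needs host access.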