Container Security
by Liz Rice
Copyright 2020 Vertical Shift Ltd. All rights reserved.
Printed in the United States of America.
Published by O'Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O'Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
- Acquisitions Editor: John Devins
- Developmental Editor: Virginia Wilson
- Production Editor: Nan Barber
- Copyeditor: Arthur Johnson
- Proofreader: Kim Wimpsett
- Indexer: Devon Thomas
- Interior Designer: David Futato
- Cover Designer: Karen Montgomery
- Illustrator: Rebecca Demarest
- April 2020: First Edition
Revision History for the First Edition
- 2020-04-03: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781492056706 for release details.
The O'Reilly logo is a registered trademark of O'Reilly Media, Inc. Container Security, the cover image, and related trade dress are trademarks of O'Reilly Media, Inc.
The views expressed in this work are those of the authors and do not represent the publisher's views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.
This work is part of a collaboration between O'Reilly and Aqua Security. See our statement of editorial independence.
978-1-492-05670-6
Preface
Many organizations are running applications in cloud native environments, using containers and orchestration to facilitate scalability and resilience. If you're a member of the Operations, the DevOps, or even the DevSecOps team setting up these environments for your company, how do you know whether your deployments are secure? If you're a security professional with experience in traditional server-based or virtual machine-based systems, how can you adapt your existing knowledge for container-based deployments? And as a developer in the cloud native world, what do you need to think about to improve the security of your containerized applications? This book delves into some of the key underlying technologies that containers and cloud native rely on, to leave you better equipped to assess the security risks and potential solutions applicable to your environment and to help you avoid falling into bad practices that will leave your technology deployments exposed.
In this book you will learn about many of the building block technologies and mechanisms that are commonly used in container-based systems, and how they are constructed in the Linux operating system. Together we will dive deep into the underpinnings of how containers work and how they communicate so that you are well versed not just in the what of container security but also, and more importantly, in the why. My goal in writing this book is to help you better understand what's happening when you deploy containers. I want to encourage you to build mental models that allow you to make your own assessment of potential security risks that could affect your deployments.
This book primarily considers the kind of application containers that many businesses are using these days to run their business applications in systems such as Kubernetes and Docker. This is in contrast to system containers such as LXC and LXD from the Linux Containers Project. In an application container, you are encouraged to run immutable containers with as little code as is necessary to run the application, whereas in a system container environment the idea is to run an entire Linux distribution and treat it more like a virtual machine. It's considered perfectly normal to SSH into a system container, but application container security experts will look at you askance if you want to SSH into an application container (for reasons covered later in this book). However, the basic mechanisms used to create application and system containers alike are control groups, namespaces, and changing the root directory, so this book will give you a solid foundation from which you may wish to explore the differences in approach taken by the different container projects.
Who This Book Is For
Whether you consider yourself a developer, a security professional, an operator, or a manager, this book will suit you best if you like to get into the nitty-gritty of how things work, and if you enjoy time spent in a Linux terminal.
If you are looking for an instruction manual that gives a step-by-step guide to securing containers, this may not be the book for you. I don't believe there is a one-size-fits-all approach that would work for every application in every environment and every organization. Instead, I want to help you understand what is happening when you run applications in containers, and how different security mechanisms work, so that you can judge the risks for yourself.
As you'll find out later in this book, containers are made with a combination of features from the Linux kernel. Securing containers involves using a lot of the same mechanisms as you would use on a Linux host. (I use the term host to cover both virtual machines and bare-metal servers.) I lay out how these mechanisms work and then show how they apply in containers. If you are an experienced system administrator, you'll be able to skip over some sections to get to the container-specific information.
I assume that you have some basic familiarity with containers, and you have probably at least toyed with Docker or Kubernetes. You will understand terms like pulling a container image from a registry or running a container even if you don't know exactly what is happening under the covers when you take these actions. I don't expect you to know the details of how containers work, at least not until you have read the book.
What This Book Covers
We'll start by considering threat models and attack vectors that affect container deployments, and the aspects that differentiate container security from traditional deployment security. The remainder of the book is concerned with helping you build a thorough understanding of containers and these container-specific threats, and with how you can defend against them.
Before you can really think about how to secure containers, you'll need to know how they work.
In addresses the need to identify container images with known software vulnerabilities.
In .
Then we will turn to the communications between containers. We will see how certificates and other credentials can be safely (or not so safely) passed to containers at runtime.
In we will consider ways in which security tooling can prevent attacks at runtime, taking advantage of the features of containers.
Finally, reviews the top 10 security risks published by the Open Web Application Security Project and considers container-specific approaches for addressing them. Spoiler alert: some of the top security risks are addressed in exactly the same way whether your application is containerized or not.