The recording of my talk Security Considerations for Container Runtimes - Dan Walsh, Red Hat (@rhatdan)

Explain/demonstrates using Kubernetes with different security features for your container environment

General Concept

  • Run containers without root, period
  • Take advantage of all security features the host provides

Configuring CRI-O:

  • Run containers with read-only images
  • Limit the Linux capabilities running within your container
  • Set up container storage to modify the storage options in a more secure manner
  • Configure alternative OCI Runtimes: Kata, Gvisord and Nabla to run locked down containers

Building images with security in mind.

  • Limit packages/attack surface of container images
  • Build container images within a locked down kubernetes container

Advances in User Namespaces

  • Demonstrate running each container with a different User Namespace
  • Configure system to take advantage of user namespace container separation, without taking a drastic speed hit

And many more...

You might find Scott McCarty's article A Practical Introduction to Container Terminology helpful for a comparison of container runtimes.

See also Containers without daemons: Podman and Buildah available in Red Hat Enterprise Linux 7.6 and Red Hat Enterprise Linux 8 Beta.


Last updated: February 11, 2024