The recording of my talk Security Considerations for Container Runtimes - Dan Walsh, Red Hat (@rhatdan)
Explains and demonstrates how to use Kubernetes with different security features in your container environment:
- Run containers without root, period
- Take advantage of all security features the host provides
- Run containers with read-only images
- Limit the Linux capabilities running within your container
- Set up container storage to modify the storage options in a more secure manner
- Configure alternative OCI runtimes (Kata, gVisor and Nabla) to run locked-down containers
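The settings listed above, combined in one Kubernetes manifest, as an added example (not material from the talk or from Red Hat). The RuntimeClass name and handler, the UID, the SELinux level and the image reference are assumptions that must match your own cluster, CRI configuration and image.

```yaml
# Added example: one Pod that applies the hardening topics above.
# Assumptions: a sandboxed OCI runtime registered with the CRI under the
# handler name "kata"; UID 1000 exists in the image; image name is a placeholder.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata                    # assumed name; gVisor or Nabla would work the same way
handler: kata                   # must match the runtime handler in CRI-O/containerd config
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
spec:
  runtimeClassName: kata        # run in a locked-down alternative OCI runtime
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start the container as UID 0
    runAsUser: 1000             # assumed unprivileged UID present in the image
    runAsGroup: 1000
    fsGroup: 1000
    seccompProfile:
      type: RuntimeDefault      # host feature: the runtime's default seccomp filter
    seLinuxOptions:
      level: "s0:c123,c456"     # assumed MCS label; host feature: SELinux separation
  containers:
  - name: app
    image: registry.example.com/app:1.0   # placeholder image reference
    securityContext:
      readOnlyRootFilesystem: true        # read-only image: no writes to the rootfs
      allowPrivilegeEscalation: false     # no_new_privs: setuid binaries gain nothing
      capabilities:
        drop: ["ALL"]                     # limit Linux capabilities: start from none
    volumeMounts:
    - name: tmp
      mountPath: /tmp                     # explicit writable scratch space only
  volumes:
  - name: tmp
    emptyDir: {}
```

Check the result with `kubectl get pod hardened-app -o yaml` and compare the effective `securityContext` and `runtimeClassName` against the manifest; a missing RuntimeClass leaves the Pod pending with an event naming the unknown handler.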
Building images with security in mind.
- Limit packages/attack surface of container images
- Build container images within a locked-down Kubernetes container
Advances in User Namespaces
- Demonstrate running each container with a different User Namespace
- Configure the system to take advantage of user namespace container separation without taking a drastic speed hit
And many more...
You might find Scott McCarty's article A Practical Introduction to Container Terminology helpful for a comparison of container runtimes.
See also Containers without daemons: Podman and Buildah available in Red Hat Enterprise Linux 7.6 and Red Hat Enterprise Linux 8 Beta.
Last updated: March 24, 2023