Security Considerations for Container Runtimes

The recording of my talk, Security Considerations for Container Runtimes.

Dan Walsh, Red Hat (@rhatdan)

The talk explains and demonstrates how to use Kubernetes with the different security features available for your container environment.


General Concept

  • Run containers without root, period
  • Take advantage of all security features the host provides

Configuring CRI-O:

  • Run containers with read-only images
  • Limit the Linux capabilities running within your container
  • Configure container storage options in a more secure manner
  • Configure alternative OCI runtimes (Kata, gVisor and Nabla) to run locked-down containers

Building images with security in mind.

  • Limit packages/attack surface of container images
  • Build container images within a locked-down Kubernetes container

Advances in User Namespaces

  • Demonstrate running each container with a different User Namespace
  • Configure system to take advantage of user namespace container separation, without taking a drastic speed hit

And many more…
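The General Concept and Configuring CRI-O points above map directly onto Kubernetes securityContext fields and a RuntimeClass. The manifest below is an added example, not material from the talk or from the CRI-O project; the image name, uid, and the `kata` runtime handler name are assumptions (the handler must match a runtime CRI-O has been configured with).

```yaml
# Added example: one Pod that applies the outline's points in Kubernetes.
# Image, uid and the "kata" handler name are placeholders/assumptions.
apiVersion: node.k8s.io/v1
kind: RuntimeClass
metadata:
  name: kata                      # "Configure alternative OCI runtimes"
handler: kata                     # must match a runtime configured in CRI-O
---
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web
spec:
  runtimeClassName: kata          # run this Pod in the locked-down runtime
  securityContext:
    runAsNonRoot: true            # "Run containers without root, period"
    runAsUser: 10001              # assumed unprivileged uid present in the image
    runAsGroup: 10001
    fsGroup: 10001
    seccompProfile:
      type: RuntimeDefault        # "Take advantage of all security features the host provides"
  containers:
  - name: web
    image: registry.example.com/web:1.0        # placeholder image
    securityContext:
      readOnlyRootFilesystem: true             # "Run containers with read-only images"
      allowPrivilegeEscalation: false          # setuid binaries cannot gain privileges
      capabilities:
        drop: ["ALL"]                          # "Limit the Linux capabilities"
        add: ["NET_BIND_SERVICE"]              # only what binding a low port needs
    ports:
    - containerPort: 80
    volumeMounts:
    - name: tmp
      mountPath: /tmp                          # writable scratch, since the root fs is read-only
  volumes:
  - name: tmp
    emptyDir: {}
```

Apply it with `kubectl apply -f` and confirm with `kubectl exec hardened-web -- touch /x`, which should fail with a read-only filesystem error while writes to /tmp still succeed.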

You might find Scott McCarty’s article A Practical Introduction to Container Terminology helpful for a comparison of container runtimes.

See also Containers without daemons: Podman and Buildah available in Red Hat Enterprise Linux 7.6 and Red Hat Enterprise Linux 8 Beta.
