Preview Mode Links will not work in preview mode

Apr 29, 2018



Container security


Jay Beale  @inguardians , @jaybeale



  • What the heck is a container?
    • Linux distribution with a kernel
      • Containers run on top of that, sharing the kernel, but not the filesystem
    • Namespaces
      • Mount
      • Network
      • Hostname
      • PID
      • IPC
      • Users
  • Somebody said we’ve had containers since before Docker
    • Containers started in 2005, with OpenVZ
    • Docker was 2013, Kubernetes 2014
  • Image Security
    • CoreOS Clair for vuln scanning images
    • Public repos vs private
    • Don’t keep the image running for so long?
    • Don’t run as root
  • More Containment stuff
    • Non-privileged containers
    • Remap the users, so root in container isn’t root outside
    • Drop root capabilities
    • Seccomp for kernel syscalls
    • AppArmor or SELinux
  • All of above is about Docker, what about Kubernetes
    • Get onto most recent version of K8S - 1.7 and 1.8 brought big security improvements
    • Network policy (egress firewalls)
    • RBAC (define what users and service accounts can do what)
    • Use namespaces per tenant and think hard about multi-tenancy
    • Use the CIS guides for lockdown of K8S and the host
    • Kube-bench

Difference between containers and sandboxing


Roll your own -


        Using public registries - leave you vulnerable

        Use your own private repos for deploying containers


Reduce attack surface

Reduce user access


Automation will allow more security to get baked in.

S3 buckets / Azure Blobs


Join our #Slack Channel! Email us at

or DM us on Twitter @brakesec



#Youtube Channel:

#iTunes Store Link:

#Google Play Store:

Our main site:

#iHeartRadio App:


Comments, Questions, Feedback:

Support Brakeing Down Security Podcast by using our #Paypal OR our #Patreon

#Twitter@brakesec @boettcherpwned @bryanbrake @infosystir

#Player.FM :

#Stitcher Network:

#TuneIn Radio App: