Hey, what’s up! I’m Keita. I work as a beginner C# programmer.
Recently, I read a book about the security of container technology. Although I don’t use it in my work, I often use it in my private life.
This time, I would like to share what I have learned. The book I read is below…
Docker
Docker is a platform for running applications in lightweight virtual environments called containers. Containers combine applications and their dependencies into a single unit that runs consistently everywhere. This reduces problems caused by differences between development and production environments.
Key Features
Lightweight:Consumes fewer resources than virtual machines.
Portability: Once created, containers work the same in any environment.
Speed: Containers start up very quickly.
Kubernetes
Kubernetes is an open source platform for automating the deployment, scaling, and management of containerized applications, developed by Google and currently managed by the Cloud Native Computing Foundation ( CNCF), and is managed by the Cloud Native Computing Foundation (CNCF).
Key Features
Automation: Automates application deployment and scaling.
Self-healing: Automatically restarts containers if they fail.
Scalability: Increase or decrease the number of containers as needed.
TLS
TLS (Transport Layer Security) is a protocol for securely sending and receiving data over the Internet; TLS uses encryption to prevent data eavesdropping and tampering. Formery called SSL (Secure Sockets Layer), TLS is now the predominant protocol.
Main Functions
Encryption: Transmits data in encrypted form, making the contents unreadable to third parties.
Authentication: Verifies that the party with whom you are communicating is a legitimate party.
Data integrity: Ensures that data has not been tampered with in transit.
PKI
PKI (Public Key Infrastructure) is a mechanism for secure communication using public key cryptography; PKI uses a pair of public and private keys to encrypt and digitally sign data.
Main Elements
Public key: A key that can be accessed by anyone and is used to encrypt data and verify digital signatures.
Private key: A key that only the owner has, used to decrypt data and create digital signatures.
Certificate: A digital document linking the public key to the owner's information, issued by a trusted third party (certification authority).
Certificate
A certificate is a digital document that links a public key to information about its owner. Certificates are issued by Certificate Authorities (CAs) to guarantee their trustworthiness.
The role of a certificate
Authentication: Verifies that the party with whom you are communicating is legitimate.
Encryption: encrypts data using a public key and decrypts it with a private key.
Digital Signature: Proves that the sender of the data is legitimate and prevents data tampering.
Relationship between TLS and PKI
TLS uses PKI to achieve secure communication. Specifically, certificates are used in the TLS handshake process to authenticate communication partners and securely exchange common keys.
TLS handshake flow
Client Hello: The client sends a connection request to the server.
Server Hello: The server responds and sends a certificate.
Certificate Validation: The client validates the server's certificate.
Key Exchange: The client and server generate a common key.
Start Encrypted Communication: The client and server initiate encrypted communication using the symmetric key.
Threats to Container Operations
Misconfiguration of API endpoints
Misconfiguration of API endpoints can allow unauthorized access from the outside. This can put the entire system at risk.
Runtime or kernel vulnerabilities
Exploitation of a vulnerability in the container runtime or host kernel can break isolation between containers and affect other containers or the host system.
Image Vulnerabilities
If the Docker image you use contains vulnerabilities, you are at risk of exploitation of those vulnerabilities. Particular care should be taken when using images that are not official or are overdue for updates.
Runtime Security
Runtime refers to the time a program is running and the environment in which it runs. For example, when you are playing a game on your phone, the runtime is while that game application is running. Runtime security is important to protect your system from threats that occur while the program is running.
1. API Endpoint Protection
API endpoints are the key to security because they are accessed from the outside. Prevent unauthorized access by setting up proper authentication and authorization and disabling unnecessary endpoints. It is also important to use an API gateway to monitor traffic and detect unusual access patterns. 2.
2. executing users
It is recommended that processes executed in containers be executed by users with minimal privileges; avoid executing as the root user and set up unprivileged users to reduce security risks.
3. system call restrictions
Use tools such as Seccomp, AppArmor, or SELinux to restrict the system calls that containers can execute. This reduces the risk of attackers exploiting system calls to infiltrate the host system.
4. file access restrictions
Prevent the leakage of sensitive information by restricting the files and directories to which containers have access. It is effective to minimize the number of volumes to be mounted and to set them as read-only.
5. resource limitation
Limiting resources such as CPU and memory prevents containers from affecting other containers and the host system; Kubernetes allows resource quotas and limits to prevent overuse of resources.
6. use alternative runtimes
In addition to the standard Docker runtime, security can be improved by using security-enhanced runtimes such as gVisor or Kata Containers. These runtimes provide an additional layer of isolation and minimize the impact of attacks.
7. monitor containers
It is important to monitor running containers to detect any unusual behavior. Utilizing audit logs and setting up real-time alerts allows for a quick response; using tools such as Falco and Sysdig to monitor container activity is recommended.
Image security
Image security is an important component of container operations. Appropriate security measures can increase the overall safety of the system.
1. accessing private Git and S3 from Dockerfile
When using Dockerfile to access private repositories or S3 buckets, it is important to keep your credentials secure. Use environment variables and secret managers to avoid putting credentials directly in the Dockerfile.
2. build images securely in containers
When building images inside a container, it is recommended to isolate the build environment and restrict external access. This reduces the risk of exploitation of vulnerabilities during the build process.
3. inspect images for vulnerabilities
It is recommended that images be periodically scanned for vulnerabilities to ensure that they do not contain any known vulnerabilities, using tools such as Clair or Trivy.
4. prevent deployment of tampered images
To prevent image tampering, use image signing; use Docker Content Trust (DCT) or Notary to ensure image authenticity.
5. build a private registry (Harbor)
Using a private registry allows you to enhance image management and security; use tools such as Harbor to build a private registry and enforce access control and vulnerability scanning.
Kubernetes cluster security
You will notice a stronger infrastructure if you are well aware of specific methods and best practices to enhance the security of your Kubernetes cluster.
1. keep your cluster up-to-date
Keeping your Kubernetes cluster up-to-date is fundamental to security. Regular updates and patching are recommended.
2. API access control
API access control is essential to securing the cluster; use RBAC (Role-Based Access Control) to set appropriate permissions.
3. authentication modules
Authentication modules can be used to tightly control access to resources in the cluster.
4. service authentication and account management with Service Account
Ensure that each service operates with the appropriate privileges using Service Account, including service authentication and account management. 5.
5. authorization module
Authorization module allows fine control of access rights to resources. 6.
6. access control with the Admission Controller
Use the Admission Controller to validate resources deployed in a cluster and block those that violate security policies.
7. use of Webhooks
Use Webhook to add your own Admission Control for flexible access control.
8. protection of communication between system components
Encrypt and authenticate communications between system components to protect them.
9. scheduler assignment node control
Control the assignment of nodes by the scheduler for more efficient use of resources and improved security.
10. secret information management
Manage confidential information (secrets), securely store sensitive information, and restrict access.
11. secret management for GitOps
Manage secrets for GitOps, enabling you to both code and secure your infrastructure.
summary
The security of container technology was summarized above.
Frankly, it is all very difficult for me to understand now. But I want to be able to understand it by referring to it each time.