Containers


Time: 9 hours 59 minutes
Difficulty: Intermediate
CEU/CPE: 10
Video Transcription
>> We previously talked about containers as a mechanism for compute. In this section, we're going to review some of those points and introduce some new elements. We'll talk about the various components of a grander container system. This includes the container engine, image repository, and the platform that orchestrates and schedules activities across a cluster of container instances. Once we've established that, we'll walk through basic security controls for a container system.
The container itself contains everything needed for an application to execute. The code runs inside a restricted environment with access only to the processes and capabilities defined in the container configuration. While a VM is a full abstraction of an operating system, a container is a constrained place to run segregated processes that themselves utilize the kernel and other capabilities of the host operating system.
You've seen this diagram before; the darker blue layer, the Docker daemon, is the container engine. As you can see, the container engine sits between the executing containers and the underlying host operating system. Just like you have a binary executable for any software, there is a binary version of a container. This is referred to as the container image, and these images are stored in an image repository, sometimes referred to as a container registry. The image repository acts like a library of different container images.
This diagram shows the relationship between the container instance, which in this case is running on a desktop machine, the static image associated with the container, and the registry where many different static images are stored. The CCSK exam will refer to the container registry as an image repository. If you get deep into container management, you'll find there is a slight difference between the registry and the repo, but you don't need to know that for the CCSK and can consider an image repository the same thing as the container registry.
It's very common for multiple containers to run on a single VM. Even though a container is lighter than a VM, there can come a point where you have too many containers to run on a single VM. Or maybe you want to have the same container run across multiple VMs just in case one of the host VMs fails. Eventually, you start to have more and more virtual machines hosting more and more different containers. This is when orchestration and scheduling technologies become key to managing the lifecycle. Kubernetes is a very popular technology for this.
It manages deploying the container images across virtual machines, monitoring the health of containers, scaling out to create more instances of a container, deploying new revisions of a container image, and much more. This diagram provides a nice simplified overview of Kubernetes. As you can see, each of the nodes at the bottom is a server. Typically this will be a virtual machine. The master server acts as the controller to manage the workload of containers across those different nodes.
Cluster management with Kubernetes, Docker Swarm, Amazon Elastic Container Service, or the many other technologies out there has lots of complexities. But for purposes of the CCSK exam, all you need to understand is the role of the orchestration service.
Now that we've covered the major parts of a container-based ecosystem, let's talk about some of the security basics. Security always begins in the underlying infrastructure, and in a cloud environment this is the provider's responsibility. In the virtual machine world, the provider is responsible for securing the physical infrastructure and hypervisors. If the provider is giving you a platform as a service for managing containers, the provider is also responsible for securing the physical infrastructure and the platform hosting those containers. While you may assume the same security controls that a provider uses to secure virtual machines are also used when a provider gives you the container-based platform service, it's worth verifying that fact before you jump in with both feet into using a container-based platform service.
Take a look at container tasks and configurations as well. Since containers host software code, and a weak application will be weak whether it's running in a container or on a VM, you want to make sure that the actual task itself is secure. But in a container world, weak security isn't just limited to the code in the container. You also want to be sure to limit the ports the container exposes, data volume mount points, and how the container manages secret credentials. For example, if you have an application running in a container and it needs a username and password to connect to a database, those are secrets, and you want to make sure those configurations aren't inadvertently exposed to a bad actor.
The image repository for containers can be considered in the same way as an image repository for virtual machines. Images need to be stored in a secure location, and appropriate access control should be configured to ensure that only approved access is granted to modify images or their configuration files. Don't forget, you want to make sure the container you pull from the repository is the same as the container you deploy. You don't want the container image to be manipulated in transit.
Finally, containers provide great task segregation, but not the same isolation as VMs or physical servers. It's a good design practice to deploy containers of similar security contexts to the same set of VMs or physical servers. An orchestration or scheduling service can provide you the resources to manage this effectively. But keep in mind this orchestration service has its own management plane. If you are using a PaaS container service like ECS or AKS, that will be embedded within the cloud's management plane. However, if you deploy your own solution like your own Kubernetes cluster, that will be a separate management plane.
In mid-2018, Tesla's Kubernetes control plane was compromised. Fortunately, the attacker did not have malicious intent to take over the auto-drive capabilities of vehicles, but they did deploy a large number of containers that did crypto mining. In other words, they had Tesla pay for the compute power required to do the crypto mining, but the credits for those activities were funneled to the hacker.
There's a lot more about container security, and specifics will vary based on the technology you use. If you get into this space, take time to understand how to implement controls for all of these points and the many others that come with the territory.
Let's see what you retained about containers. What things is a container image repository responsible for? Multiple answers are correct. It holds static images of different containers; it monitors the health of container instances running in a cluster; it manages multiple versions of the same container image; it ensures containers are deployed to VMs; or is it responsible for assessing the security of the container configuration? Hopefully, you didn't confuse the container repository for a container cluster management and orchestration tool. A, it holds static images of different containers, but it does not monitor the health of containers. That would be something like Kubernetes. It also manages multiple versions of the same container. It does not ensure the containers are deployed to VMs, and it does not help in assessing the security of a container configuration.
In this video, we went over the various components of a container ecosystem: the container instance, the container engine, image repository, and orchestration and scheduling technologies. We finished off covering the basics of container security.
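As an added example (not part of the course material), the Python below audits a Kubernetes-style pod spec for the weak task settings this lesson names: ports published on the host, host-path mounts, secrets stored as plaintext values, images not pinned to a digest, and privileged mode. The dict shape mirrors a Kubernetes pod spec but is simplified for the example, and both sample pods are constructed.

```python
"""Audit a Kubernetes-style pod spec for the weak container settings the lesson
names: exposed ports, host-path mounts, plaintext secrets and unpinned images.
The spec shape is simplified and both sample pods are constructed (added example)."""
import re

DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")   # image pinned by content digest
SECRET_RE = re.compile(r"pass|secret|token|key", re.I)  # env names that look secret


def audit_pod(pod: dict) -> list[str]:
    """Return one finding string per weak setting found in the pod spec."""
    host_vols = {v["name"] for v in pod.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in pod.get("containers", []):
        name, image = c["name"], c.get("image", "")
        if not DIGEST_RE.search(image):  # a tag can be re-pointed in the registry
            findings.append(f"{name}: image not pinned by digest ({image})")
        for p in c.get("ports", []):
            if "hostPort" in p:  # binds the port on the node, not just the pod
                findings.append(f"{name}: port {p['containerPort']} bound on host")
        for e in c.get("env", []):
            if SECRET_RE.search(e["name"]) and "value" in e:  # literal in the spec
                findings.append(f"{name}: secret {e['name']} stored as plaintext")
        for m in c.get("volumeMounts", []):
            if m["name"] in host_vols:  # node filesystem reachable from container
                findings.append(f"{name}: host path mounted at {m['mountPath']}")
        if c.get("securityContext", {}).get("privileged"):
            findings.append(f"{name}: runs privileged")
    return findings


WEAK_POD = {  # constructed sample: every setting the lesson warns about
    "volumes": [{"name": "root", "hostPath": {"path": "/"}}],
    "containers": [{
        "name": "api", "image": "registry.example/api:latest",
        "ports": [{"containerPort": 8080, "hostPort": 8080}],
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
        "volumeMounts": [{"name": "root", "mountPath": "/host"}],
        "securityContext": {"privileged": True},
    }],
}

HARDENED_POD = {  # constructed sample: same workload with corrected settings
    "volumes": [{"name": "data", "emptyDir": {}}],
    "containers": [{
        "name": "api", "image": "registry.example/api@sha256:" + "a" * 64,
        "ports": [{"containerPort": 8080}],
        "env": [{"name": "DB_PASSWORD", "valueFrom": {
            "secretKeyRef": {"name": "db", "key": "password"}}}],
        "volumeMounts": [{"name": "data", "mountPath": "/var/lib/api"}],
        "securityContext": {"privileged": False},
    }],
}
```

Running `audit_pod(WEAK_POD)` yields five findings, one per weak setting, while the hardened pod produces none.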