CCSK

Course
New
Time
9 hours 29 minutes
Difficulty
Intermediate
CEU/CPE
10

Video Transcription

00:03
we previously talked about. Containers is a mechanism for compute in this section. We're going to review some of those points and introduced some new elements. We'll talk about the various components of a grander container system. This includes the container engine image repository and the platform that orchestrates and schedules activities across a cluster of container instances.
00:23
Once we've established that will walk through basic security controls for a container system,
00:29
the container itself contains everything needed for an application to execute.
00:34
The code runs inside a restricted environment with access on Lee to the processes and capabilities defined in the container configuration. While a VM is a full abstraction of an operating system, Ah, container is a constrained place to run segregated processes that themselves utilize the colonel and other capabilities of the host operating system.
00:53
You've seen this diagram before, and the darker blue layer this is Dr Damon
00:57
is the container engine. As you can see, the container engine sits between the executing containers and the underlying host operating system,
01:04
just like you have a binary excusable. For any software, there is a binary version of a container. This is referred to as the container image and these images are stored in an image repository sometimes referred to as a container registry. The image repository acts like a library of different container images. This diagram shows the relationship between the container instance,
01:23
which in this case is running on a desktop machine.
01:26
The static image associated with the container and the registry were many different. Static images are stored. The CCS K exam will refer to the container registry as an image repository. If you get deep in the container management, you'll find there is a slight difference between the registry and the repo.
01:42
But you don't need to know that for the CCS K and can consider an image repository. The same thing is the container registry.
01:48
It's very common for multiple containers to run on a single VM, even though it containers lighter than a VM. There can become a point where you have too many containers to run on a single VM. Or maybe you want to have the same container run across multiple VM, just in case one of the host of the EMS fails.
02:02
Eventually, you start to have more and more virtual machines hosting more and more different kinds of containers. This is when orchestration and scheduling technologies will become key to managing the life cycle.
02:13
Kubernetes is a very popular technology for this. It manages deploying the container images across virtual machines, monitoring health of containers, scaling out to create mawr instances of a container, deploying new revisions of a container image and much more.
02:27
This diagram provides a nice, simplified overview of kubernetes. As you can see, each of the nose at the bottom is a server.
02:34
Typically, this will be a virtual machine. The master Server acts is the controller to manage the workload of containers across those different notes.
02:42
Cluster management, whether kubernetes doctors, warm Amazon elastic container services or the many other technologies out there has lots of complexities. But for purposes of the sea CSK exam, all you need to understand is the role of the orchestration service.
02:57
Now that we've covered the major parts of a container based ecosystem, let's talk about some of the security basics. Security always begins in the underlying infrastructure and in a cloud environment. This is the provider's responsibility
03:08
in the virtual machine world, the providers responsible for securing the physical infrastructure and hyper visors. If the provider is giving you a platform as a service for managing containers, the providers also responsible for securing the physical infrastructure and the platform hosting those containers.
03:24
While you may assume the same security controls that a provider uses to secure virtual machines are also used. And when a provider gives you the container based platform service, it's worth verifying that fact before you jump both feet into using a container based platform service, take a look at container tasks and configurations as well,
03:45
since containers host software code
03:46
and a week application will be week. Whether it's running a container or on a VM, you want to make sure that that actual task itself is secure. But any container world weak security isn't just limited to the code in the container. You also want to be sure the limit ports. The container exposes data volume mount points
04:04
and how the container manages secret credentials.
04:09
For example, if you have an application running in a container and it means a user name and password to connect to a database, those air secrets and you want to make sure those configurations aren't inadvertently exposed to a bad actor,
04:19
the image repository for containers can be considered in the same way as image repository for virtual machines. Images need to be stored in a secure location, and appropriate access control should be configured to ensure that only approved access is granted to modify images or their configuration files. Don't forget
04:35
you want to make sure that container you pull from the repository is the same as the container you deploy.
04:41
You don't want the container image to be manipulated in transit.
04:46
Finally, containers provide great task segregation, but not the same isolation as VMS or physical servers. It's a good design practice to deploy containers of similar security context to the same set of VMS or physical servers. An orchestration or scheduling service can provide you. The resource is to manage this effectively. But keep in mind
05:04
his orchestration service has its own management plane.
05:08
If you're using a past container service like E. C s or a ks that will be embedded within the clouds management plane.
05:15
However, if you deploy your own solution like your own kubernetes cluster, that will be a separate management plane in mid 2018 Test list kubernetes control plane was compromised. Fortunately, attacker did not have malicious intent to take over the auto drive capabilities vehicles, But they did deploy a large number of containers that did crypto mining.
05:33
In other words, they had test will pay for the compute power required to do the crypto mining. But the credits for those activities were funneled to the hacker.
05:42
There's a lot more about container security, and specifics will vary based on the technology use. If you get into this space, take time to understand how to implement controls for all of these points and the many others that come with the territory.
05:55
Let's see what you retained about containers.
05:58
What things is a container image repository responsible for
06:01
multiple answers are correct.
06:03
It holds static images of different containers. It monitors health of container instances running in a cluster.
06:10
Manages multiple versions of the same container. Image ensures containers are deployed to V EMS, or is it responsible for assessing security of the container configuration?
06:19
Hopefully, you didn't confuse the container repository for a container cluster management and orchestration tool, so a. It holds static images of different containers, but it does not monitor the health containers. That would be something like kubernetes.
06:32
It also manages multiple versions of the same container.
06:36
It does not ensure that containers are deployed to V EMS, and it does not help in assessing the security of a container configuration.
06:45
In this video, we went over the various components of a container ecosystem, the container instance, container engine image repository in orchestration and scheduling technologies,
06:55
and we finished off covering basics of container security.

Up Next

CCSK

This course prepares you to take the CCSK exam certification by covering material included in the exam. It explains how the exam can be taken and how the certification process works.

Instructed By

Instructor Profile Image
James Leone
Cloud, IoT & DevSecOps at Abbott
Instructor