See the table of contents for my other blog posts from the conference
@kai5263499
Containers
- Represent complexity
- lots of components
- notes help manage complexity – write down what you are doing
- were not designed to be secure. Were designed to give developers the feel of a greenfield system
- just a set of processes
- developers and ops have different goals. Need different images for debugging vs prod
Tips
- Log and audit what is in the images. Logging smokes out bad practices. Can’t prevent a password from ending up in an image, but can catch it at build time
- Prod image should come from CI/CD pipeline
- Add forensics info to labels. Ex: git hash. Pretend the cloud is down. Can you explain what is in your image?
- Scan images regularly. The base image will become vulnerable over time. Scan hashes and layers of the image
- Build your own scratch image or AMI so you know what is in it. This is hard, but then you know what is in it
- Monitor what is running to ensure it is what you intend
- Config as code
- Use read-only mode in the container where possible. Hard to break the container
- Can tag packets so only specific pods can send certain data. Emerging tech. No standard yet
- Can taint workers and only certain pods can run
Antipatterns
- Allowing a broad set of system calls. Makes it hard to find atypical patterns. Also broadens the attack surface
- Hypervisor shims – limit what the container can do
- Chaos engineering – keeps you honest. A pod running for months and behaves differently on next start is hard to track down.
Cloud maturity
- Access control over who can push
- execution logs
- images from a build system
- version control docker configs
- tagged packets from pods and continuous image scanning
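As an added example (my own, not from the talk or the linked post), here is a Kubernetes Pod manifest that applies several of the tips and maturity items above in one place: a pinned image digest from the build pipeline, forensics annotations with the git hash, a toleration for tainted workers, a read-only root filesystem, and the runtime's default seccomp profile instead of an unconfined syscall set. Pod name, annotation keys, registry, taint key and the digest/commit values are assumptions or placeholders.

```yaml
# Added example, not the speaker's or the post's own config. Names, annotation
# keys, registry, taint key and the PLACEHOLDER_* values are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: orders-api
  labels:
    app: orders-api
  annotations:
    # Forensics info: which commit and which pipeline run produced this image.
    # "Pretend the cloud is down" - this alone should explain what is running.
    build.example.com/git-commit: "PLACEHOLDER_GIT_SHA"
    build.example.com/pipeline-run: "PLACEHOLDER_CI_RUN_ID"
spec:
  # Only pods carrying this toleration may be scheduled onto workers tainted with
  # workload=sensitive:NoSchedule; everything else stays off those nodes.
  tolerations:
    - key: "workload"
      operator: "Equal"
      value: "sensitive"
      effect: "NoSchedule"
  # Narrow the syscall surface: the container runtime's default seccomp profile
  # rather than an unconfined container (the "broad set of system calls" antipattern).
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      # Pin to the digest the CI/CD pipeline produced, not a mutable tag,
      # so "what is in the image" has one answer.
      image: registry.example.com/orders-api@sha256:PLACEHOLDER_DIGEST
      securityContext:
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
      volumeMounts:
        # The only writable path; the rest of the container filesystem is read-only.
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```

Continuous image scanning and the "monitor what is running" tip then reduce to comparing the digest and annotations above against what the scanner and the cluster actually report.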
Links: https://www.selikoff.net/2019/03/07/devnexus-2019-containing-the-cloud-wes-widner/
My take
Lots of information. I learned a lot. I also realize how much I’ve forgotten about Kubernetes since I last poked it.