mirror of
https://github.com/jpetazzo/container.training.git
synced 2026-05-14 12:56:37 +00:00
58 lines
1.7 KiB
Markdown
# Least privilege model

- All the important data is stored in the "Raft log"

- Manager nodes have read/write access to this data

- Worker nodes have no access to this data

- Workers only receive the minimum amount of data that they need:

  - which services to run

  - network configuration information for these services

  - credentials for these services

- Compromising a worker node does not give access to the full cluster

---

## What can I do if I compromise a worker node?

- I can enter the containers running on that node

- I can access the configuration and credentials used by these containers

- I can inspect the network traffic of these containers

- I cannot inspect or disrupt the network traffic of other containers

  (network information is provided by manager nodes; ARP spoofing is not possible)

- I cannot infer the topology of the cluster and its number of nodes

- I can only learn the IP addresses of the manager nodes

---

## Guidelines for workload isolation leveraging the least privilege model

- Define security levels

- Define security zones

- Put managers in the highest security zone

- Enforce that workloads of a given security level run in a given zone

- Enforcement can be done with [Authorization Plugins](https://docs.docker.com/engine/extend/plugins_authorization/)

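As an added example (not part of the container.training slides), here is a minimal Docker authorization plugin in Python that enforces the zone rule above: every service create/update must carry a security level label and a placement constraint pinning it to the zone for that level. The label name `security.level`, the node label `zone`, the level-to-zone table and the request/response field names follow the documented `AuthZPlugin.AuthZReq` protocol but are otherwise assumptions; managers are assumed to live in a separate, highest zone that no workload level maps to.

```python
import base64, json, re
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed policy: each workload security level maps to the node zone it must run in.
ZONE_FOR_LEVEL = {"high": "secure", "medium": "internal", "low": "dmz"}
LEVEL_LABEL = "security.level"  # assumed service label carrying the level
SERVICE_WRITE = re.compile(r"^(/v[\d.]+)?/services/(create|[^/]+/update)$")

def authorize(req: dict) -> dict:
    """Decide one AuthZPlugin.AuthZReq call; returns the plugin's JSON reply."""
    uri = req.get("RequestURI", "").split("?", 1)[0]
    if req.get("RequestMethod") != "POST" or not SERVICE_WRITE.match(uri):
        return {"Allow": True}  # not a service create/update: no zone policy
    try:
        spec = json.loads(base64.b64decode(req.get("RequestBody", "")))
    except ValueError:  # bad base64 or bad JSON
        return {"Allow": False, "Msg": "unparseable service spec"}
    level = (spec.get("Labels") or {}).get(LEVEL_LABEL)
    if level not in ZONE_FOR_LEVEL:
        return {"Allow": False, "Msg": f"service needs label {LEVEL_LABEL}"}
    wanted = f"node.labels.zone=={ZONE_FOR_LEVEL[level]}"
    placement = (spec.get("TaskTemplate") or {}).get("Placement") or {}
    constraints = [c.replace(" ", "") for c in placement.get("Constraints") or []]
    if wanted not in constraints:
        return {"Allow": False, "Msg": f"level {level} requires constraint {wanted}"}
    return {"Allow": True}

def authz_request(uri: str, spec: dict) -> dict:
    """Build the document the daemon would POST to AuthZReq (for local testing)."""
    body = base64.b64encode(json.dumps(spec).encode()).decode()
    return {"RequestMethod": "POST", "RequestURI": uri, "RequestBody": body}

class Handler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/Plugin.Activate":
            reply = {"Implements": ["authz"]}
        elif self.path == "/AuthZPlugin.AuthZReq":
            reply = authorize(json.loads(body or b"{}"))
        else:  # AuthZPlugin.AuthZRes: daemon responses are not filtered here
            reply = {"Allow": True}
        out = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

if __name__ == "__main__":  # in production the daemon reaches the plugin over a socket
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Requests that are not service writes pass through untouched, so the plugin only constrains where workloads are scheduled; pair it with node labels set by an administrator, since workers cannot relabel themselves.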
---

## Learning more about container security

.blackbelt[[Securing Containers, One Patch At A Time](https://www.youtube.com/watch?v=jZSs1RHwcqo&list=PLkA60AVN3hh-biQ6SCtBJ-WVTyBmmYho8&index=4) by Michael Crosby (DC17US)]

.blackbelt[Container-relevant Upstream Kernel Developments by Tycho Andersen (Tuesday 14:55)]

.blackbelt[What Have Syscalls Done for you Lately? by Liz Rice (Tuesday 11:45)]