Defending Containers Like a Ninja: A Walk through the Advanced Security Features of Docker & Kubernetes

Conference:  BlackHat USA 2020

2020-08-05

Abstract

Today, with a few commands anyone can have containers running on their machine; at this point, they seem neither complex nor complicated to secure. However, the story changes dramatically when the ecosystem grows exponentially and we have thousands of nodes that fulfill different roles, with different resources, running different applications in different virtual environments, remotely accessed by different users who must have different types of permissions, and so on. Complexity is the worst enemy of security; what can we do to protect these huge containerized environments? Docker and Kubernetes offer many features that secure these environments quite well. However, the endless official documentation perhaps lets these functionalities go unnoticed. This talk explains how to implement the advanced security features that secure the Docker daemon and its core components, container execution, and Swarm- and Kubernetes-orchestrated environments. We will go from the depths, limiting the kernel capabilities available at container runtime and remapping the container's root to a user namespace, up to successfully applying RBAC at the orchestrator in Swarm or Kubernetes. In addition, the talk reveals various attacks that could be carried out if these advanced security measures are not applied.
