ContainerCon 2022

Containers deployments contains many security-sensitive attributes (e.g. privileges, OS capabilities, filesystem access rights etc.). The default settings are quite flexible which is great for smooth deployments experience but quite challenging on the security perspective, since they provide high privileges and wide access to the OS (which enlarger the threat landscape in case of a security event). There're few mechanism, popular in Kubernetes environments to control and manage these settings. Pod Security Policies were the first mechanism that was used for this purpose and it recently was replaced by a new mechanism called Pod Security Standards that changed completely the usage model. The introduction of a new method for containers' security context is also an opportunity to rethink the overall model and suggest additional enhancements options. In this talk, I'll address few topics that should be considered with the new security model, like the usage of validating admission webhook and mutating admission webhook (the benefits and drawbacks of each option), the usage of policy-as-code options comparing OPA/Gatekeeper vs. Kyverno policy engines or just a Terraform based policies( I'll also review the available rules libraries in open source) and a GitOps deployment model

Dates

Author

Conferences

Tags

Secure Containers Deployments: Time for Refresh

tldr - powered by Generative AI