Least privilege model
- What can I do if I compromise a worker node?
- Guidelines for workload isolation
- Learning more about container security
All the important data is stored in the "Raft log"
Managers nodes have read/write access to this data
Workers nodes have no access to this data
Workers only receive the minimum amount of data that they need:
- which services to run
- network configuration information for these services
- credentials for these services
Compromising a worker node does not give access to the full cluster
What can I do if I compromise a worker node?
I can enter the containers running on that node
I can access the configuration and credentials used by these containers
I can inspect the network traffic of these containers
I cannot inspect or disrupt the network traffic of other containers
(network information is provided by manager nodes; ARP spoofing is not possible)
I cannot infer the topology of the cluster and its number of nodes
I can only learn the IP addresses of the manager nodes
Guidelines for workload isolation
Define security levels
Define security zones
Put managers in the highest security zone
Enforce workloads of a given security level to run in a given zone
Enforcement can be done with Authorization Plugins
Learning more about container security
.blackbelt[DC17US: Securing Containers, One Patch At A Time (video)]
.blackbelt[DC17EU: Container-relevant Upstream Kernel Developments (video)]
.blackbelt[DC17EU: What Have Syscalls Done for you Lately? (video)]