Least privilege model

• What can I do if I compromise a worker node?
• Guidelines for workload isolation
• Learning more about container security

• All the important data is stored in the "Raft log"

• Managers nodes have read/write access to this data

• Workers nodes have no access to this data

• Workers only receive the minimum amount of data that they need:

  • which services to run
  • network configuration information for these services
  • credentials for these services

• Compromising a worker node does not give access to the full cluster

What can I do if I compromise a worker node?

• I can enter the containers running on that node

• I can access the configuration and credentials used by these containers

• I can inspect the network traffic of these containers

• I cannot inspect or disrupt the network traffic of other containers

  (network information is provided by manager nodes; ARP spoofing is not possible)

• I cannot infer the topology of the cluster and its number of nodes

• I can only learn the IP addresses of the manager nodes

Guidelines for workload isolation

• Define security levels

• Define security zones

• Put managers in the highest security zone

• Enforce workloads of a given security level to run in a given zone

• Enforcement can be done with Authorization Plugins

Learning more about container security

.blackbelt[DC17US: Securing Containers, One Patch At A Time (video)]

.blackbelt[DC17EU: Container-relevant Upstream Kernel Developments (video)]

.blackbelt[DC17EU: What Have Syscalls Done for you Lately? (video)]