The wide adoption of containers and the ability to retrieve images from different sources impose strict security constraints. Containers leverage Linux kernel security facilities, such as namespaces, cgroups and Mandatory Access Control. This page gathers resources about container access control - deciding and enforcing who gets access to which container resources.
Below we have compiled publicly available sources from around the world that present views on Container Access Control.
Kubernetes Security: Operating Kubernetes Clusters and Applications Safely
Container technology has made phenomenal progress and is getting ready to take over application infrastructures in public and in private clouds. Storage access is an important part of the container technology stack and most container orchestration systems are able to routinely provision access to storage systems as part of their orchestration process.
Container Security Best Practices — When containerization is implemented with good security practices, containers can offer better application security than a VM-only solution. This page gathers resources about basic tips and best practices for securing containers.
Containers for DevSecOps — DevSecOps is an extension of the DevOps concept that emphasizes the integration of security teams into continuous delivery workflows. This page gathers resources about how DevSecOps makes for more efficient and secure containers.
Container Vulnerabilities and Threats — Containers are driving evolution in the management of network applications, but although they are self-contained, they are still vulnerable. This page gathers resources about container vulnerabilities like 'Dirty Cow' and 'Escape Vulnerability', including tips on how to secure containers from cyber threats.
Container Vulnerability Scanning — A big part of any organization’s risk assessment process is to be aware of and gain visibility into vulnerabilities in the software being used. This page gathers resources about the importance of container vulnerability scanning, including Docker vulnerability scanning and information on various vulnerability scanners.
Container Secrets Management — In computing as in real life, a secret is information you want kept private, outside of the people and systems you want or need to share it with. In the application security realm, common examples of secrets are passwords, tokens, and private keys. This page gathers resources about managing secrets in containers including Docker containers, Amazon Elastic Container Service, Kubernetes and more.
Container Access Control — The wide adoption of containers and the ability to retrieve images from different sources impose strict security constraints. Containers leverage Linux kernel security facilities, such as namespaces, cgroups and Mandatory Access Control. This page gathers resources about container access control - deciding and enforcing who gets access to which container resources.
Container Audits and Compliance — Security and compliance are top of mind for IT organizations. In a technology-first era rife with cyber threats, it is important for enterprises to have the ability to deploy applications on a platform that adheres to stringent security baselines. This page gathers resources about audits and compliance of containers and their relationship to security.
The Shift Left Principle and DevOps — The move to Agile and DevSecOps development processes has fostered a lot of attention on the need to shift security testing left in the development cycle. Moving security testing into the realm of the developer makes security testing faster, easier, more effective and less expensive. The page gathers resources about how shifting left improves DevOps and security.
Application Whitelisting — Whitelisting is the practice of specifying an index of approved applications that are permitted to be present and active. There are several characteristics of containers that lend themselves to intent-based security, which, in effect, is whitelisting. This page gathers resources about whitelisting in Kubernetes and other platforms.
Zero Trust Networks — Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside their perimeters and instead must verify anything and everything trying to connect to their systems before granting access. This page gathers resources about the basic concepts of zero trust security, including a list of leading solutions.
Network Segmentation for Containers — Network segmentation is the practice of dividing a larger computer network into several small subnetworks that are each isolated from one another. This page gathers resources about the security benefits of network segmentation, the rise of micro-segmentation and the nano-segmentation approach.
Container Isolation — Container isolation aims to protect the underlying host OS that runs containers and functions against malicious escape and breakout attempts into other targets on the same host or on the shared infrastructure. Isolation technologies attempt to provide VM-level isolation while maintaining the expected speed and efficiency. This page gathers resources about isolation technologies such as Kata Containers, Amazon Firecracker, gVisor and Nabla Containers.
DevSecOps Tools — Adopting a DevSecOps approach requires a change of attitude across the organization, and it applies to processes, people, and the tools that they use. This page gathers resources about DevSecOps tools, both open source and commercial.
Open Source Security Tools for Containers — As containers become more popular, instances of malware targeting them are increasing. Securing containers is a top priority for DevOps engineers. This page gathers resources about open source security tools for containers such as kube-bench, kube-hunter, Clair and more.
Containers and GitOps — GitOps is a name for a set of Ops practices that use Git as a way to do Continuous Delivery. It works by using Git as the source of truth for declarative infrastructure and applications. This page gathers resources about GitOps basics, tutorials and tools.