https://www.youtube.com/watch?v=HIM0HwWLJ7g
The recording of my talk Security Considerations for Container Runtimes - Dan Walsh, Red Hat (@rhatdan)
Explains and demonstrates using Kubernetes with different security features for your container environment.
General Concept:
- Run containers without root, period
- Take advantage of all security features the host provides
Configuring CRI-O:
- Run containers with read-only images
- Limit the Linux capabilities running within your container
- Set up container storage with more secure storage options
- Configure alternative OCI runtimes (Kata, gVisor and Nabla) to run locked-down containers
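As an added example (not part of the talk or of CRI-O's own documentation), a constructed crio.conf fragment that applies the four CRI-O points above; the keys are CRI-O's configuration keys, while the runtime binary paths and the exact capability list are assumptions to adjust per workload:

```toml
# Constructed crio.conf fragment (example only, not from the talk).
# Keys are CRI-O's own; the runtime binary paths are assumptions.

[crio]
# Storage options: mount container layers with nodev so device nodes
# shipped inside an image cannot be used from within a container.
storage_driver = "overlay"
storage_option = ["overlay.mountopt=nodev"]

[crio.runtime]
# Run every container with a read-only root filesystem; anything that
# must be writable is declared as an explicit volume in the pod spec.
read_only = true

# Start from a small capability set instead of the runtime's larger
# default. Pods that genuinely need more request it via securityContext.
default_capabilities = [
  "CHOWN",
  "DAC_OVERRIDE",
  "FOWNER",
  "SETGID",
  "SETUID",
  "NET_BIND_SERVICE",
]

# Register a sandboxed OCI runtime next to the default one. Kubernetes
# picks it per pod through a RuntimeClass whose handler is "kata".
[crio.runtime.runtimes.runc]
runtime_path = "/usr/bin/runc"          # assumed path
runtime_type = "oci"

[crio.runtime.runtimes.kata]
runtime_path = "/usr/bin/kata-runtime"  # assumed path
runtime_type = "oci"
```

After restarting CRI-O, `crictl info` shows the registered runtimes, and a pod only lands in the Kata sandbox when its spec sets `runtimeClassName` to a RuntimeClass with `handler: kata`.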
Building images with security in mind:
- Limit packages/attack surface of container images
- Build container images within a locked-down Kubernetes container
Advances in User Namespaces:
- Demonstrate running each container with a different User Namespace
- Configure system to take advantage of user namespace container separation, without taking a drastic speed hit
And many more...
You might find Scott McCarty's article A Practical Introduction to Container Terminology helpful for a comparison of container runtimes.
Last updated: February 11, 2024