Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Securing Container Workloads: Build, Sign, Scan...

Prisma Cloud
November 18, 2019

Securing Container Workloads: Build, Sign, Scan, Push, Deploy & VNets – Oh My

Any secure solution involves multiple lines of defense. Should you secure your images before you push, after you push, before you deploy, after you deploy? Should your registry be secured within a VNET and should your images be signed? The answer is yes.

In this deck, Steve Lasker will review multiple scanning options, the container quarantine pattern for creating secure by default registries, image signing and VNET & Firewall rules. We'll cover securing production nodes, and how to handle new vulnerabilities that may impact images already deployed.

Prisma Cloud

November 18, 2019
Tweet

More Decks by Prisma Cloud

Other Decks in Technology

Transcript

  1. Securing Container Workloads
 Build, Sign, Scan, Push, Deploy & VNets

    Oh My Steve Lasker Program Manager Azure Container Registries [email protected] @SteveLasker SteveLasker.blog https://github.com/stevelasker
  2. HOST-A web:1 digest: 91e important:1 digest: 2re web:1 digest: 91e

    quotes: 1 digest: u82 web:1 digest: 91e important:1 digest: 2re HOST-B quotes: 1 digest: u82 important:1 digest: 2re quotes: 1 digest: u82 important:1 digest: 2re HOST-C important:1 digest: 2re quotes: 1 digest: u82 important:1 digest: 2re quotes: 1 digest: u82 Image Cache Image Cache Image Cache Resource Pool docker build –t web:1 docker build –t quotes:1 docker build –t important: 1 docker push web:1 docker push quotes:1 docker push important:1 important:1 digest: 2re quotes:1 digest: u82 web:1 digest: 91e quotes:1 digest: u82 important:1 digest: 2re quotes:1 digest: u82 important:1 digest: 2re Deploy: web:1 x3 quotes:1 x3 important:1 x4 Foo: web:1 x3 quotes:1 x3 important:1 x4 important:1 digest: 2re quotes: 1 digest: u82 web:1 digest: 91e Image web:1 quotes:1 important:1 Container Registry Container Builder Release
 Management Orchestratio n Orchestration Provides Infrastructure Resiliency
  3. • Multiple lines of defense • Authentication & Authorization •

    Image Buffering • Image Patching • Image and Runtime Scanning • Container Workflows, w/Security • Network Security • Policy & Usability
  4. Authentication & Authorization Permissions: Read – Pull Write – Push

    Sign – content trust List – repos and tags Delete Update meta-data – expiration date Authentication: Username/Password? 2FA Token Certificate Time based Revocable? Users Services Provide the least permissions required to get the job done. • Runtime clusters should only be able to pull • CI Systems should be able to push • Teams & clusters should have different permissions • Who can sign images? Require the most stringent authentication • Users – 2fa • Services – rotatable, 
 revocable, time-based tokens
  5. Are Your Base Artifacts Secure? demo42.azurecr.io Task 
 Image Validation

    dev helloworld digest: 91e base-artifacts java dotnet faclon-team warriors- team wordpress node java dotnet wordpress MCR Private Registry acr, ecr, gcr, dtr, harbor, jfrog, … Public Registrie s Your Environment aws, azure, google, on-prem, … Public Internet Docker Hub node ACR Tasks .NET Images Secure? SCC Source Code ControL FROM demo42.azurecr.io/base-artifacts/dotnet/core/runtime: 2.1.10 AS base WORKDIR /app 
 
 FROM demo42.azurecr.io/base-artifacts/dotnet/core/sdk:2.1 AS build WORKDIR /src COPY src/Important/Important.csproj src/Important/ RUN dotnet restore src/Important/Important.csproj COPY . . WORKDIR /src/src/Important RUN dotnet build Important.csproj -c Release -o /app 
 FROM build AS publish RUN dotnet publish Important.csproj -c Release -o /app 
 FROM base AS final WORKDIR /app COPY --from=publish /app . ENV VERSION=0.0.25 ENTRYPOINT ["dotnet", "Important.dll"] Red Hat gcr gpr FROM microsoft/dotnet/core/runtime:2.1.10 AS base WORKDIR /app 
 
 FROM microsoft/dotnet/core/sdk:2.1 AS build WORKDIR /src COPY src/Important/Important.csproj src/Important/ RUN dotnet restore src/Important/Important.csproj COPY . . WORKDIR /src/src/Important RUN dotnet build Important.csproj -c Release -o /app 
 FROM build AS publish RUN dotnet publish Important.csproj -c Release -o /app 
 FROM base AS final WORKDIR /app COPY --from=publish /app . ENV VERSION=0.0.25 ENTRYPOINT ["dotnet", "Important.dll"] FROM mcr.microsoft.com/dotnet/core/runtime:2.1.10 AS base FROM mcr.microsoft.com/dotnet/core/sdk:2.1 AS build
  6. Demo Base Artifact Updates demo42.azurecr.io Task 
 Image Validation base-artifacts

    java dotnet wordpress node java dotnet wordpress Private Registry Your Environment Public Internet node ACR Tasks demo42.azurecr.io/hub MCR Public Registrie s Docker Hub dev faclon-team warriors- team SCC Source Code ControL
  7. ACR Tasks
 
 A primitive of container 
 lifecycle management

    Build, Patch, Manage Container Artifacts aka.ms/acr/tasks
  8. OCI Artifacts Virtual Build &
 Test Environment Build, Test, Deploy

    Azure Container Registry Docker Hub Microsoft Container Registry Config Secrets Staging Prod Azure DevSpaces git commit CD
 Deployments Unit
 Testing Functional
 Testing Helm Chart, CNAB Deployments triggered on artifact availability Dev Inner-Loop Code Run Validate Debug SCC Source Code ControL CI Build, Unit & Integration Testing Staging/Prod Registry ACR
 Tasks Artifact 
 Security Scanning
  9. Virtual Build &
 Test Environment Dev Registry Azure Container Registry

    ACR
 Tasks Security Boundaries Azure Container Registry Docker Hub Microsoft Container Registry Config Secrets Staging Prod Azure DevSpaces git commit CD
 Deployments Dev Inner-Loop Code Run Validate Debug SCC Source Code ControL CI Build, Unit & Integration Testing Staging/Prod Registry ACR
 Tasks Rules IP: 5.5.1.2
  10. Dev Registry Azure Container Registry ACR
 Tasks Virtual Build &


    Test Environment Post Development Azure Container Registry Docker Hub Microsoft Container Registry Config Secrets Staging Prod Azure DevSpaces git commit CD
 Deployments Dev Inner-Loop Code Run Validate Debug SCC Source Code ControL CI Build, Unit & Integration Testing Staging/Prod Registry ACR
 Tasks OS & Framework Patching What happens when developers stop making code changes?
  11. Central Base Artifacts Azure Container Registry ACR
 Tasks Container Patching

    Azure Container Registry Docker Hub Microsoft Container Registry Config Secrets Staging Prod CD
 Deployments Functional
 Testing Staging/Prod Registry Unit
 Testing CI Build, Unit & Integration Testing Base Image Index SCC Source Code ControL
  12. AKS Azure virtual network Azure virtual network Public Internet Other

    Resources ACR VNet & Firewall Rules http://aka.ms/acr/vnet Node1 Node2 Node3 IP: 5.5.1.2 IP: 10.2.1.3 • Is authentication & authorization enough? • Least required privileges apply to the network as well • Registries in the Vnet • Whitelist IP ranges that should have access Rules IP: 10.2.1.3 IP: 5.5.1.2
  13. Container Registries
 Secured by Default Assuring a registry has images

    that are scanned and considered secure enough The Container Quarantine Pattern
  14. Secured By Default Tag Digest 91efj6 u82lq :1.1 Quarantin e

    Tag :1.0 e8s1f :1.2 Container Hosts Azure Container Registry Build/Push
  15. Production environments Run, Manage Container Service App Services Container Instances

    docker push acrdemos.azurecr.io/th:1.0 Release Management 1 3 4 5 6 docker pull th@sha256:91ef6 az acr policy set –n acrdemos --quarantine-remove –-image th@sha256:91ef6 az acr policy set –n acrdemos --quarantine-block –-image th@sha256:91ef6 or { "id": "0d799b14-404b-4859- b2f6-50c5ee2a2c3a", "timestamp": "2018-02-28T00:42:54.4509516Z", "action": "push-quarantined", "target": { "size": 1791, "digest": "sha256:91ef6 "length": 1791, "repository": “th", "tag": "1.0"}, "request": { "id": "978fc988-1e06-49ee- bf71-4f6e331d1591", "host": “acrdemos.azurecr.io", "method": "PUT"} } Azure Container Registry 2 { "id": "0d799b14-404b-4859- b2f6-50c5ee2a2c3a", "timestamp": "2018-02-28T00:42:56.4509516Z", "action": "push", "target": { "size": 1791, "digest": "sha256:91ef6 "length": 1791, "repository": “th", "tag": "1.0"}, "request": { "id": "978fc988-1e06-49ee- bf71-4f6e331d1591", "host": “acrdemos.azurecr.io", "method": "PUT"} } Tag Digest 91efj6 u82lq e8s1f :1.1 Quarantine Tag :1.0 :1.0 3r2s7 :1.0 • Lock down images that are vulnerable • Secure registries by default • Protect unprotected nodes – like developers
  16. ACR Content Trust • Content Trust Preview added September ’18,

    now GA • Images signed at the source, stored in ACR, validated on the client api Images Signatures ☑ Content Trust Enabled, api acr docker push docker pull • Content Trust based on the source, not the actual content • We need a signing of actual content solution • Some work in progress
  17. Policy & User Experience KEEP US SECURE Lock Doors 


    Upon Leaving • Engage the good people to help with policy • Make it easy to do the right thing • …difficult to do the wrong thing
  18. Wrapping up • Security isn’t just one thing • Predict

    what’s possible, not just what’s happened • Apply minimal privileges and access, balancing users needs • Protect from the bad people, enable the good people • Don’t wait for the aftermath cleanup • Enforce policy for where to pull images from • Scan & secure base images • Scan & secure your images • Secure nodes • Keep scanning images for new vulnerabilities • Monitor network traffic, not just static images
  19. Thank You Steve Lasker Program Manager Azure Container Registries [email protected]

    @SteveLasker SteveLasker.blog github.com/SteveLasker github.com/SteveLasker/ presentations • ACR Tasks aka.ms/acr/tasks • ACR Import aka.ms/acr/import • ACR Links aka.ms/acr/links • Presentations aka.ms/acr/presentations • Quarantine Pattern aka.ms/acr/Quarantine • Choosing a Registry stevelasker.blog