Continuous Security with Kubernetes

A DevOps State of Mind: Continuous Security with Kubernetes

Presented by: Chris Van Tuin, Chief Technologist, Red Hat (cvantuin#@redhet.com)

When it comes to adopting containers in the enterprise, security is the highest adoption barrier. Is your organization ready to address the security risks of containers in your DevOps environment? In this presentation, you'll learn about best practices for:

- Addressing the top container security risks in a container environment, including images, builds, registry, deployment, hosts, network, storage, APIs, monitoring & logging, and federation
- Integrating continuous security for containers in the CI/CD pipeline
- Deployment strategies for rolling out container security updates, including recreate, rolling, blue/green, canary and A/B testing

Talk notes

# DevSecOps

- OpenSCAP
- Blue / Red deployments
- SELinux: mandatory access controls (many Linux admins / devs turn this off)
- SELinux and Linux capabilities (300 system calls)
- Read-only mounts

# Container host security

- Don't run as root (run as unprivileged)
- Network policy: all pods in namespace 'project'
- Network namespace provides isolation
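As an added example, not from the talk or the presenter's material, the following Kubernetes manifests apply the host-security points above: an unprivileged user, SELinux labels kept on rather than disabled, Linux capabilities dropped, a read-only root filesystem, and a NetworkPolicy that limits ingress to pods in the same namespace. The namespace 'project' comes from the notes; the pod name, image path and SELinux level are assumed.

```yaml
# Added example (not from the talk). Pod name, image and SELinux level are assumed.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-app
  namespace: project
  labels:
    app: hardened-app
spec:
  securityContext:
    runAsNonRoot: true          # kubelet refuses to start a container that would run as UID 0
    runAsUser: 1000
    seLinuxOptions:             # keep SELinux MAC enforcement on instead of turning it off on the host
      level: "s0:c123,c456"     # assumed MCS level
  containers:
  - name: app
    image: registry.example.com/hardened-app:1.0   # assumed image
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true                  # read-only root mount
      capabilities:
        drop: ["ALL"]                               # start with no Linux capabilities
        add: ["NET_BIND_SERVICE"]                   # add back only what the app needs
    volumeMounts:
    - name: tmp
      mountPath: /tmp                               # writable scratch space, since rootfs is read-only
  volumes:
  - name: tmp
    emptyDir: {}
---
# Network policy for namespace 'project': only pods inside the namespace
# may send traffic to each other; ingress from other namespaces is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: same-namespace-only
  namespace: project
spec:
  podSelector: {}               # empty selector: applies to every pod in the namespace
  policyTypes: ["Ingress"]
  ingress:
  - from:
    - podSelector: {}           # empty selector here: any pod in the same namespace
```

The NetworkPolicy only takes effect when the cluster's network plugin enforces policies; on a plugin without policy support it is accepted by the API but silently ignored.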

# Monitoring Considerations

- Monitor container-native metrics: kubelet / cAdvisor
- Istio, Prometheus, Grafana (one is an Uber tool)