## Base and Parent Image

| Type | Description |
| --- | --- |
| Base Image | A base image has `FROM scratch` in its Dockerfile. |
| Parent Image | A parent image is the image that your image is based on. It refers to the contents of the `FROM` directive in the Dockerfile. |

## Base Image Choice Rules

### Authenticity

Check for the OFFICIAL IMAGE label on Docker Hub.

### Up-to-date

Check the update time on Docker Hub.

### Slim and Minimal Image

- Only install necessary packages
- Remove shells, package managers and tools
- Maintain images for each environment
  - Development: including debug tools
  - Production: lean
- Use multi-stage builds to create lean, production-ready images

### Distroless Docker Images

Contains:

- Application
- Runtime dependencies

Does not contain:

- Package managers
- Shells
- Network tools
- Text editors
- etc.

### Vulnerability Scanning

```shell
trivy image httpd
```

```shell
trivy image httpd:alpine
```
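The rules above can be checked mechanically before an image is ever built. The following is an added example (not code from the page) that parses a Dockerfile into its build stages and applies the slim-image rules to the final stage: is the base pinned to a tag other than `latest` or to a digest, does the final stage still invoke a package manager, and is the base distroless or `scratch`. The two sample Dockerfiles are constructed for the demo, and the assumption that distroless images live under `gcr.io/distroless/` is the only registry-specific knowledge baked in.

```python
"""Static check of a Dockerfile against the base-image rules above.

Added example, not from the page: parses a Dockerfile into stages and reports,
for the final stage, whether its base image is pinned (tag other than :latest,
or a digest), whether a package manager is still invoked, and whether the base
is distroless or scratch. The sample Dockerfiles are constructed for this demo.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PKG_MANAGER_RE = re.compile(r"\b(apt-get|apt|apk|yum|dnf|microdnf|zypper)\b")
DISTROLESS_PREFIXES = ("gcr.io/distroless/",)  # assumption: only Google's distroless images are recognised


@dataclass
class Stage:
    image: str                       # external reference, or the name of an earlier stage
    name: Optional[str] = None       # from `FROM ... AS <name>`
    runs: List[str] = field(default_factory=list)


def parse_stages(dockerfile: str) -> List[Stage]:
    """Split a Dockerfile into build stages, keeping each stage's RUN lines."""
    stages: List[Stage] = []
    joined = dockerfile.replace("\\\n", " ")          # fold backslash line continuations
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, rest = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            tokens = [t for t in rest.split() if not t.startswith("--")]  # drop --platform=...
            name = tokens[2] if len(tokens) >= 3 and tokens[1].upper() == "AS" else None
            stages.append(Stage(image=tokens[0], name=name))
        elif instr == "RUN" and stages:
            stages[-1].runs.append(rest)
    return stages


def is_pinned(image: str) -> bool:
    """True for a digest reference or an explicit tag other than latest."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]   # registry hosts may carry a :port, so look past the last '/'
    if ":" in last:
        return last.split(":", 1)[1] != "latest"
    return False


def check_final_stage(dockerfile: str) -> Dict:
    """Apply the slim-image rules to the stage that becomes the shipped image."""
    stages = parse_stages(dockerfile)
    if not stages:
        raise ValueError("no FROM instruction found")
    final = stages[-1]
    by_name = {s.name: s for s in stages if s.name}
    base, seen = final.image, set()
    while base in by_name and base not in seen:    # resolve `FROM <stage>` to its external image
        seen.add(base)
        base = by_name[base].image
    findings = []
    if base != "scratch" and not is_pinned(base):
        findings.append(f"final base image '{base}' is not pinned to a tag or digest")
    if any(PKG_MANAGER_RE.search(run) for run in final.runs):
        findings.append("final stage still runs a package manager")
    distroless = base == "scratch" or base.startswith(DISTROLESS_PREFIXES)
    if not distroless:
        findings.append("final stage is not distroless or scratch")
    return {"stages": len(stages), "base": base, "distroless": distroless, "findings": findings}


# Constructed samples: a single-stage image on a moving tag, and a multi-stage
# build whose final stage is distroless.
FAT_DOCKERFILE = """\
FROM ubuntu:latest
RUN apt-get update && apt-get install -y \\
    build-essential curl
COPY . /src
RUN make -C /src
CMD ["/src/app"]
"""

LEAN_DOCKERFILE = """\
# build stage keeps the toolchain
FROM golang:1.22 AS builder
WORKDIR /src
COPY . .
RUN go build -o /app .

# final stage: no shell, no package manager
FROM gcr.io/distroless/static:nonroot
COPY --from=builder /app /app
ENTRYPOINT ["/app"]
"""

if __name__ == "__main__":
    for label, df in (("fat", FAT_DOCKERFILE), ("lean", LEAN_DOCKERFILE)):
        print(label, check_final_stage(df))
```

Run it as a pre-build gate in CI: the fat single-stage image produces three findings, the multi-stage distroless image none. The parser is deliberately minimal (no `ARG` substitution in `FROM`, no heredoc `RUN` syntax), so treat a clean result as a first filter, not a substitute for scanning the built image with trivy.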
## mTLS (Mutual Transport Layer Security)

Typically, most web services use one-way TLS, in which only the server is authenticated.
mTLS authenticates both the server and the client.
It is one way of achieving mutual authentication.
In Kubernetes, mTLS is used for communication between Pods.

## Sidecar Pattern

Let's assume there is a container, and we call it AppContainer.
The AppContainer is only for the application.
The AppContainer has no other processes, such as logging or monitoring agents.
Adding such processes to it would affect the running application.
The sidecar pattern instead runs those helper processes in a separate container in the same Pod, so they share the Pod's network and storage without changing the application container.
## Container Runtime Handlers

| Container Runtime | Handler |
| --- | --- |
| gVisor | runsc |
| Kata | kata |

### gVisor

gvisor.yaml

```yaml
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: gvisor
handler: runsc
```

Create a RuntimeClass:

```shell
kubectl create -f gvisor.yaml
```

### Kata

kata.yaml

```yaml
apiVersion: node.k8s.io/v1beta1
kind: RuntimeClass
metadata:
  name: kata
handler: kata
```

Create a RuntimeClass:

```shell
kubectl create -f kata.yaml
```

### Apply to a Pod

gVisor Pod:

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  runtimeClassName: gvisor
  containers:
  - image: nginx
    name: nginx
```

Kata Pod:

```yaml
apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: nginx
spec:
  runtimeClassName: kata
  containers:
  - image: nginx
    name: nginx
```

### Check the Container Runtime

Connect to the node:

```shell
ssh node01
```

Grep the processes:

```shell
pgrep -a nginx
```

```shell
pgrep -a runsc
```

```shell
pgrep -a kata
```
## Docker Container Runtime

runC:

```shell
docker run -d nginx
```

Kata Containers:

```shell
docker run --runtime kata -d nginx
```

gVisor:

```shell
docker run --runtime runsc -d nginx
```
## Docker Vulnerability

In the usual container model, a Docker container shares the host kernel.
An attacker who escalates privileges inside the container can take over the host system.
Privilege escalation is restricted by SELinux or container policies, but that is not perfect.
So the containers need to be sandboxed.

### gVisor

gVisor is an application kernel, written in Go, that implements a substantial portion of the Linux system surface.
## OPA in Kubernetes

OPA in Kubernetes is wired in through the ValidatingAdmissionWebhook admission controller.

### Create a ConfigMap for OPA

untrusted-registry.rego

```rego
package kubernetes.admission

deny[msg] {
  input.request.kind.kind == "Pod"
  image := input.request.object.spec.containers[_].image
  not startswith(image, "hooli.com/")
  msg := sprintf("image '%v' comes from untrusted registry", [image])
}
```

Command:

```shell
kubectl create cm untrusted-registry --from-file=untrusted-registry.rego
```
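To make the admission flow concrete, here is an added example (not the page's or OPA's code) that reimplements the rego rule above in plain Python over the AdmissionReview document the kube-apiserver POSTs to a ValidatingAdmissionWebhook, and builds the response the apiserver expects back. The trusted prefix `hooli.com/` and the message text come from the rego; the sample AdmissionReview is constructed. It goes slightly beyond the rego by also checking `initContainers`, which the policy as written ignores.

```python
"""Validating-admission logic equivalent to untrusted-registry.rego.

Added example, not from the page: the kube-apiserver sends an AdmissionReview
to the webhook and the webhook answers with an AdmissionReview whose
`response.allowed` decides whether the Pod is admitted. The rule mirrors the
rego above; initContainers are checked as well (an addition here). The sample
request is constructed.
"""
import json
from typing import Dict, List

TRUSTED_PREFIX = "hooli.com/"   # same allow-list the rego policy uses


def untrusted_images(request: Dict) -> List[str]:
    """Mirror of the rego `deny` rule: images on a Pod not under the trusted prefix."""
    if request.get("kind", {}).get("kind") != "Pod":
        return []                               # the rego only applies to Pods
    spec = request.get("object", {}).get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    return [c["image"] for c in containers if not c["image"].startswith(TRUSTED_PREFIX)]


def review(admission_review: Dict) -> Dict:
    """Build the AdmissionReview response the apiserver expects for the given request."""
    request = admission_review["request"]
    bad = untrusted_images(request)
    response = {"uid": request["uid"], "allowed": not bad}   # uid must echo the request's uid
    if bad:
        response["status"] = {
            "code": 403,
            "message": "; ".join(f"image '{img}' comes from untrusted registry" for img in bad),
        }
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed AdmissionReview, shaped like what the apiserver sends for a Pod CREATE.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1",
    "kind": "AdmissionReview",
    "request": {
        "uid": "00000000-0000-0000-0000-000000000001",
        "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "operation": "CREATE",
        "object": {
            "apiVersion": "v1",
            "kind": "Pod",
            "metadata": {"name": "nginx"},
            "spec": {
                "containers": [
                    {"name": "nginx", "image": "nginx"},
                    {"name": "app", "image": "hooli.com/app:1.0"},
                ]
            },
        },
    },
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REVIEW), indent=2))
```

The sample Pod is rejected because `nginx` resolves to Docker Hub rather than `hooli.com/`. A real webhook serves `review()` over HTTPS with a certificate the apiserver trusts via `caBundle` in the ValidatingWebhookConfiguration; with OPA deployed, that endpoint is OPA itself evaluating the rego from the ConfigMap, and this function is only a readable stand-in for what it decides.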