Rootless, Reproducible, and Hermetic: Secure Container Build Showdown - Andrew Martin, Control Plane

Rootless container image builds (as distinct from rootless runtimes) have crept ever closer, with orca-build, BuildKit, and img proving the concept. And they are desperately needed: a build pipeline with an exposed Docker socket can be used by an attacker to escalate privilege, and is probably a backdoor into most Kubernetes-based CI build farms. With a slew of new rootless tooling emerging, including Red Hat’s buildah, Google’s Kaniko, and Uber’s Makisu, will we see build systems that can securely build untrusted Dockerfiles? How are traditional build and packaging requirements like reproducibility or hermetic isolation being approached?

In this talk we:
- Compare the strengths and weaknesses of modern container image build tools
- Explore the safety of untrusted image builds
- Live demo attacking container build pipelines
- Chart the history and future of container image build tooling
Rootless, Reproducible & Hermetic: Secure Container Build Showdown
Reproducible builds with Bazel
Rootless Kubernetes Running Kubernetes and CRI/OCI Runtimes as an unprivileged user
'Rootless containers with Podman' - Steven Ellis (LCA 2021 Online)
The Route To Rootless Containers - Claudia Beresford & Ed King, Pivotal
Binary Reproducible Builds with Docker - Mike Long
Going Rootless: How Gitpod secured multi-tenant Kubernetes workspaces - Christian Weichel, Gitpod
Hardening Docker daemon with Rootless mode
Reproducible Development and Deployment with Bazel and Telepresence - Christian Roggia
Learn How to Use Bazel for Hermetic Repeatable Cloud-Native Applications Builds
Rootless Containers with runC - Aleksa Sarai (SUSE)
Hermetic builds with Bazel - Matthias Männich
Rootless Container Image Builds (with Buildah)
podman rootless systemd
OpenFaaS Cloud Builder for Kubernetes w/ Buildkit
MoneroKon 2019 - Achieving Secure Deployment of High-Stakes Software (Sebastian Kung)
CN-Series Snippet 1: Container Security Risks
Docker containers security: Limiting risk by narrowing exposure within username space
Andrew Martin - Meteor-Proof Infrastructure: Reproducible Environments with Container Build Images
Reproducibility in Computational Research
Eric Myhre: Build Anything with Warpforge -- Reproducibly, Decentralized, With Friends
Reproducibility of CAE-computations through Immutable Application Containers
This Year, It’s About Security - Maya Kaczorowski & Brandon Baker, Google