SlideShare una empresa de Scribd logo

Dev opsec dockerimage_patch_n_lifecyclemanagement_

Descargar como PPTX, PDF
kanedafromparis
kanedafromparis

Lors de cette présentation, nous allons dans un premier temps rappeler la spécificité de docker par rapport à une VM (PID, cgroups, etc) parler du système de layer et de la différence entre images et instances puis nous présenterons succinctement kubernetes. Ensuite, nous présenterons un processus « standard » de propagation d’une version CI/CD (développement, préproduction, production) à travers les tags docker. Enfin, nous parlerons des différents composants constituant une application docker (base-image, tooling, librairie, code). Une fois cette introduction réalisée, nous parlerons du cycle de vie d’une application à travers ses phases de développement, BAU pour mettre en avant que les failles de sécurité en période de développement sont rapidement corrigées par de nouvelles releases, mais pas nécessairement en BAU où les releases sont plus rares. Nous parlerons des diverses solutions (jfrog Xray, clair, …) pour le suivie des automatique des CVE et l’automatisation des mises à jour. Enfin, nous ferons un bref retour d’expérience pour parler des difficultés rencontrées et des propositions d’organisation mises en oeuvre. Cette présentation bien qu’illustrée par des implémentations techniques est principalement organisationnelle.

Tecnología
1 de 50
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 DevSecOps Container Image : “Application LifeCycle Management” sed /sLifeCycle/Patch/g netsecure-day.fr 2018/12/13
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Moi : Charles Sabourdin Javaiste Linuxien Devoxx France ParisJUG OpenSource Architect Dev/Ops @kanedafromparis https://github.com/kanedafromparis/ https://github.com/kanedafromparis - 45:00
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Sommaire I. Reminder A. Docker 1. intro 2. isolation 3. layers B. Kubernetes 1. generic 2. deployment C. Development pipeline (security focus) II. Application life cycle A. Scanning tools B. Too much technos III. Proposed solution A. 1,2,3 Hosting B. Pitfalls
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Engine uses namespaces such as the following on Linux: ● The pid namespace: Process isolation (PID: Process ID). ● The net namespace: Managing network interfaces (NET: Networking). ● The ipc namespace: Managing access to IPC resources (IPC: InterProcess Communication). ● The mnt namespace: Managing filesystem mount points (MNT: Mount). ● The uts namespace: Isolating kernel and version identifiers. (UTS: Unix Timesharing System). Namespaces Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace. I. Reminder : Docker sources : https://docs.docker.com/engine/docker-overview/#the-underlying-technology https://en.wikipedia.org/wiki/Linux_kernel
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Control groups Docker Engine on Linux also relies on another technology called control groups (cgroups). A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints. For example, you can limit the memory available to a specific container. Union file systems Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper. Container format Docker Engine combines the namespaces, control groups, and UnionFS into a wrapper called a container format. The default container format is libcontainer. In the future, Docker may support other container formats by integrating with technologies such as BSD Jails or Solaris Zones. Isolation I. Reminder : Docker sources : https://docs.docker.com/engine/docker-overview/#the-underlying-technology https://en.wikipedia.org/wiki/Cgroups
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Union file systems (again) Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper. Container format A Docker image is built up from a series of layers. Each layer represents an instruction in the image’s Dockerfile. Each layer except the very last one is read-only. Each layer is only a set of differences from the layer before it. The layers are stacked on top of each other. When you create a new container, you add a new writable layer on top of the underlying layers. This layer is often called the “container layer”. All changes made to the running container, such as writing new files, modifying existing files, and deleting files, are written to this thin writable container layer. Layers I. Reminder : Docker sources : https://docs.docker.com/storage/storagedriver/#images-and-layers
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Breadcrumb Operating System Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Operating System (Docker Image) I. Reminder : Docker
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Breadcrumb Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring boot Operating System App lib 2 App 2 I. Reminder : Docker
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Images A recipe or template for creating Docker containers. It includes the steps for installing and running the necessary software Docker Container Like a tiny virtual machine that is created from the instructions found within the Docker image Docker Client Command-line utility or other tool that takes advantage of the Docker API (docs.docker.com/ reference/api/docker_remote_api) to communicate with a Docker daemon Glossary I. Reminder : Docker sources : https://docs.docker.com/glossary/ https://dzone.com/refcardz/getting-started-with-docker-1 Docker Host A physical or virtual machine that is running a Docker daemon and contains cached images as well as runnable containers created from images Docker Registry A repository of Docker images that can be used to create Docker containers. Docker Hub (hub.docker.com) is the most popular social example of a Docker repository.
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 ● Agile application creation and deployment: Increased ease and efficiency of container image creation compared to VM image use. ● Continuous development, integration, and deployment ● Dev and Ops separation of concerns ● Environmental consistency across development, testing, and production ● Application-centric management: Raises the level of abstraction from running an OS on virtual hardware to running an application on an OS using logical resources. ● Loosely coupled, distributed, elastic, liberated micro-services ● Resource isolation: Predictable application performance. ● Resource utilization: High efficiency and density. Kubernetes is a portable, extensible open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. Kubernetes I. Reminder : Kubernetes sources : https://kubernetes.io/docs/concepts/architecture/cloud-controller/ https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Master The machine that controls Kubernetes nodes. This is where all task assignments originate. Node These machines perform the requested, assigned tasks. The Kubernetes master controls them. Pod A group of one or more containers deployed to a single node. All containers in a pod share an IP address, IPC, hostname, and other resources. Pods abstract network and storage away from the underlying container. This lets you move containers around the cluster more easily. Kubelet This service runs on nodes and reads the container manifests and ensures the defined containers are started and running. Glossary I. Reminder : Kubernetes sources : https://www.redhat.com/en/topics/containers/what-is-kubernetes Replication controller This controls how many identical copies of a pod should be running somewhere on the cluster. Service This decouples work definitions from the pods. Kubernetes service proxies automatically get service requests to the right pod—no matter where it moves to in the cluster or even if it’s been replaced.
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 A container is an instanciate executable isolated process A container repository is a library of image. A Kubernetes Pod (PO) is a group of one or more containers. A service (SVC) is named mapping to pod Object I. Reminder : Kubernetes sources : https://github.com/kanedafromparisfriends/icones_ocp_kube A ReplicatSet (RS) create and maintain the pod declaration that will instantiate pods replica (docker images) that will provide services. A Deployment (Deploy) create the ReplicatSet that will provide services. Persistent Volume (PV) is a piece of networked storage in the cluster. Persistent Volume Claim (PVC) is a reservation of a Persistent Volume into a namespace / project ...
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 The following are typical use cases for Deployments: ● Create a Deployment to rollout a ReplicaSet. The ReplicaSet creates Pods in the background. Check the status of the rollout to see if it succeeds or not. ● Declare the new state of the Pods by updating the PodTemplateSpec of the Deployment. A new ReplicaSet is created and the Deployment manages moving the Pods from the old ReplicaSet to the new one at a controlled rate. Each new ReplicaSet updates the revision of the Deployment. Deployment I. Reminder : Kubernetes sources : https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ ● Rollback to an earlier Deployment revision if the current state of the Deployment is not stable. Each rollback updates the revision of the Deployment. ● Scale up the Deployment to facilitate more load. ● Pause the Deployment to apply multiple fixes to its PodTemplateSpec and then resume it to start a new rollout. ● Use the status of the Deployment as an indicator that a rollout has stuck. ● Clean up older ReplicaSets that you don’t need anymore.
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 En pratique (et Yaml) I. Reminder : Kubernetes apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "3" kubernetes.io/change-cause: "blabla..." creationTimestamp: 2018-01-27T18:17:26Z generation: 5 labels: run: logversion name: logversion spec: minReadySeconds: 15 progressDeadlineSeconds: 300 replicas: 3 selector: matchLabels: run: logversion strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate ... template: metadata: creationTimestamp: null labels: run: resourcesmonger spec: containers: - image: https://myregistry.org/kanedafromparis/logversion:3.1 imagePullPolicy: IfNotPresent name: logversion ports: - containerPort: 8080 protocol: TCP resources: ... livenessProb ... terminationMessagePath: /dev/termination-log terminationMessagePolicy: File ...
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Docker Image Breadcrumb Infrastructure Operating System (Node OS) Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 2 App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring| boot https://myregistry.or g/.../App1:x.y ../App2:x.y ../App3:x.y ../App4:x.y ../App5:x.y Docker Image kubelet I. Reminder : Kubernetes
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Dev Local Developper need to develop project on it,s local machine (unit test, debug, etc…) Dev on cluster In order to check some integration issue, Dev can develop into a dedicated namespace. This namespace can host component and resources identical to production CI on cluster Automated build/test system (Jenkins) catch commit in order to build the future docker artifact(s) that will be propagated to the QA namespaces QA on cluster Automated test are executed on a dedicated namespaces Staging on cluster (optional) A referential namespace can be used for load testing, human validation and pre- visualisation Production on cluster A production namespace host the project with the necessary security constraintes s/Development/Deployment/g pipeline I. Reminder : Development pipeline sources : Containerizing Continuous Delivery in Java by Daniel Bryant
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 SonarQube® is an automatic code review tool to detect bugs, vulnerabilities and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests. Continuous Inspection SonarQube provides the capability to not only show health of an application but also to highlight issues newly introduced. With a Quality Gate in place, you can fix the leak and therefore improve code quality systematically. Detect Tricky Issues Our code analyzers are equipped with powerful path sensitive dataflow engines to detect tricky issues such as null-pointers dereferences, logic errors, resource leaks.. Centralize Quality One place to provide a shared vision of code quality for developers, tech leads, managers and executives in charge of a few to a few thousands projects and also to act as a toll gate for application promotion or release QA : Exemple SonarQube I. Reminder : Development pipeline sources : https://www.sonarqube.org/
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Some of ZAP's functionality: ● Man-in-the-middle Proxy ● Traditional and AJAX spiders ● Automated scanner ● Passive scanner ● Forced browsing ● Fuzzer ● Dynamic SSL certificates ● Smartcard and Client Digital Certificates support ● Web sockets support ● Support for a wide range of scripting languages ● Plug-n-Hack support ● Authentication and session support ● Powerful REST based API ● Automatic updating option ● Integrated and growing marketplace of add-ons QA : Example ZappProxy I. Reminder : Development pipeline sources : https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Functionality
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Continuous Integration the practice of frequently integrating one's new or changed code with the existing code repository – should occur frequently enough that no intervening window remains between commit and build, and such that no errors can arise without developers noticing them and correcting them immediately. Notice : Maturity level I. Reminder : Development pipeline sources : DevOps with OpenShift by Stefano Picozzi, Mike Hepburn, and Noel O’Connor https://en.wikipedia.org/wiki/Continuous_delivery, https://en.wikipedia.org/wiki/Continuous_deployment, https://en.wikipedia.org/wiki/Continuous_integration Continuous delivery (CDE) A software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time and, when releasing the software, doing so manually. Continuous deployment (CD) A software engineering approach in which software functionalities are delivered frequently through automated deployments. - 30:00
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 DEV (NS) Digression: version tag versus purpose tag I. Reminder : Kubernetes img:1.2.1 QA (NS) STG (NS) PROD (NS) img:1.2.0 img:1.1.1 img:1.1.1 DEV (NS) img:dev QA (NS) STG (NS) PROD (NS) img:qa img:stg img:prod imagePullPolicy: Always
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Sommaire I. Reminder A. Docker 1. intro 2. isolation 3. layers B. Kubernetes 1. generic 2. deployment C. Development pipeline (security focus) II. Application life cycle A. Scanning tools B. Too much technos III. Proposed solution A. 1,2,3 Hosting B. Pitfalls
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 sources : https://devops.com.vn/2018/117/ Application lifecycle (example) II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle (example) sources : https://www.lemondeinformatique.fr/actualites/lire-atlassian-fait-pousser-ses-offres-devops-68588.html II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 CVE happens II. Application life cycle sources : https://www.cvedetails.com/
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 CVE happens II. Application life cycle sources : https://www.cvedetails.com/
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 CVE happens II. Application life cycle sources : https://www.cvedetails.com/
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle (example) 3 years Lifecycle of a website application (example) Patch II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle Feature developpement through application configuration or coding is only a phase of the Application life cycle. This phase can be a big or a small part of the application life. Several phase are also necessary within the application lifecycle : - Feature development with testing and validation This phase can happen several time during the application life. - Deployment This phase can happen several time during the application life. - Security update This phase can happen several time during the application life. - Decommission This phase should only happen once. The manpower necessary for any of theses phases vary a lot. Depending of the complexity of the application, the disponibility of the knowledgeable parties, the level of automatisation This is why an application need to have a application owner accountable over the entire application lifecycle. II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Scan tools: downstream / upstream Security tools can give you inside knowledge of your image and potential security vulnerability Most are hook on you registry or can have local agent that will highlight most of you CVE issue. Usually they scan package (.rpm, .deb, .apk,...) but not tar.gz and mostly not application library. II. Application life cycle They can have various trigger and can set various trigger - email alert - automatic rebuild - block pull - ...
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Docker Image Breadcump Infrastructure Operating System (Node OS) Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 2 App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring| boot https://myregistry.or g/.../App1:x.y ../App2:x.y ../App3:x.y ../App4:x.y ../App5:x.y Docker Image kubelet Detected by most vulnerability scanner Often out of scope II. Application life cycle - 20:00
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle : PHP PHP Component ● httpd ● nginx ● composer ● symphony ● drupal ● wordpress ● PhpUnit II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle : Java Java ● openjdk ● oraclejdk ● azul ● ant ● maven ● graddle ● spring boot ● vert-x ● war+tomat ● war+tomEE ● ear+tomEE ● ... II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle : nodejs Nodejs ● v8 ● deno ● npm ● webpack ● bower ● espress.js ● mongoose ● lodash ● Jest ● phatomejs ● chomium ● ... II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle : Scala Sacla ● sbt ● … ● Play ● Sparks ● ... II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 It can rapidly became unmanageable II. Application life cycle
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Sommaire I. Reminder A. Docker 1. intro 2. isolation 3. layers B. Kubernetes 1. generic 2. deployment C. Development pipeline (security focus) II. Application life cycle A. Scanning tools B. Too much technos III. Proposed solution A. 1,2,3 Hosting B. Pitfalls
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Docker Image Breadcrumb Infrastructure Operating System (Node OS) Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 2 App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring| boot https://myregistry.or g/.../App1:x.y ../App2:x.y ../App3:x.y ../App4:x.y ../App5:x.y Docker Image kubelet Usually ops scope Usually Dev scop III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Base image : A transition image destined to process program code in order to create an application image. Application image : An image use into kubernetes that provide the custom service developed by the company. It can came from a base image or a custom dockerfile. Proposed vocabulary Still image : An image used into kubernetes cluster with only configuration adaptation. A still image is based on non-internal source code or binaries. III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Breadcrumb Infrastructure Operating System (Node OS) Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 2 App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring| boot https://myregistry.or g/.../App1:x.y ../App2:x.y ../App3:x.y ../App4:x.y ../App5:x.y III. Proposed solution BaseImage ApplicationImage StillImage
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 1,2,3 hosting III. Proposed solution 1 : Project will use Dockerfile using our base image & still image proposed and maintain by the host team (ops)
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 1,2,3 hosting 1 : Project will use Dockerfile using our base image & still image proposed and maintain by the host team (ops) 2 : Project will use its own Dockerfile but will be in charge of maintenance (specially security) III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 1,2,3 hosting 1 : Project will use Dockerfile using our base image & still image proposed and maintain by the host team (ops) 2 : Project will use its own Dockerfile but will be in charge of maintenance (specially security) 3 : Project will use third parties image (signed image) III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls III. Proposed solution - 10:00
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak ● Lack of communication (specially between dev team and hosting team) III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak ● Lack of communication (specially between dev team and hosting team) ● Build to Prod (no test) III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak ● Lack of communication (specially between dev team and hosting team) ● Build to Prod (no test) ● Too many version, too many variante III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak ● Lack of communication (specially between dev team and hosting team) ● Build to Prod (no test) ● Too many version, too many variante ● Lack of management support / acceptance in rules enforcement III. Proposed solution
Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Thank you ● Questions ? III. Proposed solution - 00:00

Recomendados

An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
An introduction to k8 s.pptx
An introduction to k8 s.pptxAn introduction to k8 s.pptx
An introduction to k8 s.pptx
Gerhard Schweinitz
 
Docker and Kubernetes 101 workshop
Docker and Kubernetes 101 workshopDocker and Kubernetes 101 workshop
Docker and Kubernetes 101 workshop
Sathish VJ
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're Going
Phil Estes
 
Kubernetes 101 - A Cluster Operating System
Kubernetes 101 - A Cluster Operating SystemKubernetes 101 - A Cluster Operating System
Kubernetes 101 - A Cluster Operating System
mikaelbarbero
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Meiyappan Kannappa
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
Helder Klemp
 

Recomendados

An Introduction to Kubernetes
An Introduction to KubernetesAn Introduction to Kubernetes
An Introduction to Kubernetes
Imesh Gunaratne
 
An introduction to k8 s.pptx
An introduction to k8 s.pptxAn introduction to k8 s.pptx
An introduction to k8 s.pptx
Gerhard Schweinitz
 
Docker and Kubernetes 101 workshop
Docker and Kubernetes 101 workshopDocker and Kubernetes 101 workshop
Docker and Kubernetes 101 workshop
Sathish VJ
 
Container Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're GoingContainer Security: How We Got Here and Where We're Going
Container Security: How We Got Here and Where We're Going
Phil Estes
 
Kubernetes 101 - A Cluster Operating System
Kubernetes 101 - A Cluster Operating SystemKubernetes 101 - A Cluster Operating System
Kubernetes 101 - A Cluster Operating System
mikaelbarbero
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Meiyappan Kannappa
 
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker SecurityTokyo OpenStack Summit 2015: Unraveling Docker Security
Tokyo OpenStack Summit 2015: Unraveling Docker Security
Phil Estes
 
Introduction to kubernetes
Introduction to kubernetesIntroduction to kubernetes
Introduction to kubernetes
Helder Klemp
 
Docker 101 Checonf 2016
Docker 101 Checonf 2016Docker 101 Checonf 2016
Docker 101 Checonf 2016
Patrick Chanezon
 
Docker & kubernetes
Docker & kubernetesDocker & kubernetes
Docker & kubernetes
NexThoughts Technologies
 
Docker for any type of workload and any IT Infrastructure
Docker for any type of workload and any IT InfrastructureDocker for any type of workload and any IT Infrastructure
Docker for any type of workload and any IT Infrastructure
Docker, Inc.
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
Docker, Inc.
 
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration PlatformKubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
Michael O'Sullivan
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
Dr Ganesh Iyer
 
Container Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's EnginesContainer Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's Engines
Phil Estes
 
Docker and OpenStack Boston Meetup
Docker and OpenStack Boston MeetupDocker and OpenStack Boston Meetup
Docker and OpenStack Boston Meetup
Kamesh Pemmaraju
 
OSS Japan 2019 service mesh bridging Kubernetes and legacy
OSS Japan 2019 service mesh bridging Kubernetes and legacyOSS Japan 2019 service mesh bridging Kubernetes and legacy
OSS Japan 2019 service mesh bridging Kubernetes and legacy
Steve Wong
 
Introdution to Docker (theory and hands on) dbCafé - dbTrento
Introdution to Docker (theory and hands on) dbCafé - dbTrentoIntrodution to Docker (theory and hands on) dbCafé - dbTrento
Introdution to Docker (theory and hands on) dbCafé - dbTrento
Cristian Consonni
 
Docker Presentation
Docker PresentationDocker Presentation
Docker Presentation
Adhoura Academy
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
Sparkbit
 
Docker open stack boston
Docker open stack bostonDocker open stack boston
Docker open stack boston
dotCloud
 
Webinar container management in OpenStack
Webinar container management in OpenStackWebinar container management in OpenStack
Webinar container management in OpenStack
CREATE-NET
 
Docker, Kubernetes, and Google Cloud
Docker, Kubernetes, and Google CloudDocker, Kubernetes, and Google Cloud
Docker, Kubernetes, and Google Cloud
Samuel Chow
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
Layne Peng
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
Dongwon Kim
 
Why you need a private container image registry SCALE 2019
Why you need a private container image registry SCALE 2019Why you need a private container image registry SCALE 2019
Why you need a private container image registry SCALE 2019
Steve Wong
 
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on AzureDevoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Patrick Chanezon
 
Introduction to Microservices with Docker and Kubernetes
Introduction to Microservices with Docker and KubernetesIntroduction to Microservices with Docker and Kubernetes
Introduction to Microservices with Docker and Kubernetes
David Charles
 
Docker Application to Scientific Computing
Docker Application to Scientific ComputingDocker Application to Scientific Computing
Docker Application to Scientific Computing
Peter Bryzgalov
 
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
kanedafromparis
 

Más contenido relacionado

La actualidad más candente

runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
Docker, Inc.
 
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration PlatformKubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
Michael O'Sullivan
 
Docker and OpenStack Boston Meetup
Docker and OpenStack Boston MeetupDocker and OpenStack Boston Meetup
Docker and OpenStack Boston Meetup
Kamesh Pemmaraju
 

La actualidad más candente (20)

Docker 101 Checonf 2016
Docker 101 Checonf 2016Docker 101 Checonf 2016
Docker 101 Checonf 2016
 
Docker & kubernetes
Docker & kubernetesDocker & kubernetes
Docker & kubernetes
 
Docker for any type of workload and any IT Infrastructure
Docker for any type of workload and any IT InfrastructureDocker for any type of workload and any IT Infrastructure
Docker for any type of workload and any IT Infrastructure
 
runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...runC: The little engine that could (run Docker containers) by Docker Captain ...
runC: The little engine that could (run Docker containers) by Docker Captain ...
 
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration PlatformKubernetes: An Introduction to the Open Source Container Orchestration Platform
Kubernetes: An Introduction to the Open Source Container Orchestration Platform
 
Dockers and kubernetes
Dockers and kubernetesDockers and kubernetes
Dockers and kubernetes
 
Container Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's EnginesContainer Runtimes: Comparing and Contrasting Today's Engines
Container Runtimes: Comparing and Contrasting Today's Engines
 
Docker and OpenStack Boston Meetup
Docker and OpenStack Boston MeetupDocker and OpenStack Boston Meetup
Docker and OpenStack Boston Meetup
 
OSS Japan 2019 service mesh bridging Kubernetes and legacy
OSS Japan 2019 service mesh bridging Kubernetes and legacyOSS Japan 2019 service mesh bridging Kubernetes and legacy
OSS Japan 2019 service mesh bridging Kubernetes and legacy
 
Introdution to Docker (theory and hands on) dbCafé - dbTrento
Introdution to Docker (theory and hands on) dbCafé - dbTrentoIntrodution to Docker (theory and hands on) dbCafé - dbTrento
Introdution to Docker (theory and hands on) dbCafé - dbTrento
 
Docker Presentation
Docker PresentationDocker Presentation
Docker Presentation
 
Kubernetes - introduction
Kubernetes - introductionKubernetes - introduction
Kubernetes - introduction
 
Docker open stack boston
Docker open stack bostonDocker open stack boston
Docker open stack boston
 
Webinar container management in OpenStack
Webinar container management in OpenStackWebinar container management in OpenStack
Webinar container management in OpenStack
 
Docker, Kubernetes, and Google Cloud
Docker, Kubernetes, and Google CloudDocker, Kubernetes, and Google Cloud
Docker, Kubernetes, and Google Cloud
 
Docker introduction
Docker introductionDocker introduction
Docker introduction
 
Docker and kubernetes
Docker and kubernetesDocker and kubernetes
Docker and kubernetes
 
Why you need a private container image registry SCALE 2019
Why you need a private container image registry SCALE 2019Why you need a private container image registry SCALE 2019
Why you need a private container image registry SCALE 2019
 
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on AzureDevoxx France 2015 - The Docker Orchestration Ecosystem on Azure
Devoxx France 2015 - The Docker Orchestration Ecosystem on Azure
 
Introduction to Microservices with Docker and Kubernetes
Introduction to Microservices with Docker and KubernetesIntroduction to Microservices with Docker and Kubernetes
Introduction to Microservices with Docker and Kubernetes
 

Similar a Dev opsec dockerimage_patch_n_lifecyclemanagement_

Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
kanedafromparis
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualization
WSO2
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtime
Docker, Inc.
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
WSO2
 

Similar a Dev opsec dockerimage_patch_n_lifecyclemanagement_ (20)

Docker Application to Scientific Computing
Docker Application to Scientific ComputingDocker Application to Scientific Computing
Docker Application to Scientific Computing
 
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
Dev opsec dockerimage_patch_n_lifecyclemanagement_2019
 
Evolution of containers to kubernetes
Evolution of containers to kubernetesEvolution of containers to kubernetes
Evolution of containers to kubernetes
 
Docker Kubernetes Istio
Docker Kubernetes IstioDocker Kubernetes Istio
Docker Kubernetes Istio
 
Accelerate your development with Docker
Accelerate your development with DockerAccelerate your development with Docker
Accelerate your development with Docker
 
Accelerate your software development with Docker
Accelerate your software development with DockerAccelerate your software development with Docker
Accelerate your software development with Docker
 
Revolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualizationRevolutionizing the cloud with container virtualization
Revolutionizing the cloud with container virtualization
 
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
Why everyone is excited about Docker (and you should too...) - Carlo Bonamic...
 
containerd the universal container runtime
containerd the universal container runtimecontainerd the universal container runtime
containerd the universal container runtime
 
IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017IBM MQ in containers MQTC 2017
IBM MQ in containers MQTC 2017
 
Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017Moby Open Source Summit North America 2017
Moby Open Source Summit North America 2017
 
Evolution of Linux Containerization
Evolution of Linux Containerization Evolution of Linux Containerization
Evolution of Linux Containerization
 
Evoluation of Linux Container Virtualization
Evoluation of Linux Container VirtualizationEvoluation of Linux Container Virtualization
Evoluation of Linux Container Virtualization
 
Docker dev ops for cd meetup 12-14
Docker dev ops for cd meetup 12-14Docker dev ops for cd meetup 12-14
Docker dev ops for cd meetup 12-14
 
codemotion-docker-2014
codemotion-docker-2014codemotion-docker-2014
codemotion-docker-2014
 
Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.Containerize! Between Docker and Jube.
Containerize! Between Docker and Jube.
 
Kubernetes Basics
Kubernetes BasicsKubernetes Basics
Kubernetes Basics
 
BBL Premiers pas avec Docker
BBL Premiers pas avec DockerBBL Premiers pas avec Docker
BBL Premiers pas avec Docker
 
Kubernetes for the PHP developer
Kubernetes for the PHP developerKubernetes for the PHP developer
Kubernetes for the PHP developer
 
Docker Overview - Rise of the Containers
Docker Overview - Rise of the ContainersDocker Overview - Rise of the Containers
Docker Overview - Rise of the Containers
 

Más de kanedafromparis

Más de kanedafromparis (6)

DevOpSec_DockerNPodMan-20230220.pdf
DevOpSec_DockerNPodMan-20230220.pdfDevOpSec_DockerNPodMan-20230220.pdf
DevOpSec_DockerNPodMan-20230220.pdf
 
DevOpSec_KubernetesOperatorUsingJava.pdf
DevOpSec_KubernetesOperatorUsingJava.pdfDevOpSec_KubernetesOperatorUsingJava.pdf
DevOpSec_KubernetesOperatorUsingJava.pdf
 
Java in docker devoxx ma 2018
Java in docker devoxx ma 2018Java in docker devoxx ma 2018
Java in docker devoxx ma 2018
 
Openshift meetup Paris - 21/03/2018
Openshift meetup Paris - 21/03/2018Openshift meetup Paris - 21/03/2018
Openshift meetup Paris - 21/03/2018
 
Ippevent : openshift Introduction
Ippevent : openshift IntroductionIppevent : openshift Introduction
Ippevent : openshift Introduction
 
Ippevent : openshift Introduction
Ippevent : openshift IntroductionIppevent : openshift Introduction
Ippevent : openshift Introduction
 

Último

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 

Último (20)

Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 

Dev opsec dockerimage_patch_n_lifecyclemanagement_

  • 1. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 DevSecOps Container Image : “Application LifeCycle Management” sed /sLifeCycle/Patch/g netsecure-day.fr 2018/12/13
  • 2. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Moi : Charles Sabourdin Javaiste Linuxien Devoxx France ParisJUG OpenSource Architect Dev/Ops @kanedafromparis https://github.com/kanedafromparis/ https://github.com/kanedafromparis - 45:00
  • 3. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Sommaire I. Reminder A. Docker 1. intro 2. isolation 3. layers B. Kubernetes 1. generic 2. deployment C. Development pipeline (security focus) II. Application life cycle A. Scanning tools B. Too much technos III. Proposed solution A. 1,2,3 Hosting B. Pitfalls
  • 4. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Engine uses namespaces such as the following on Linux: ● The pid namespace: Process isolation (PID: Process ID). ● The net namespace: Managing network interfaces (NET: Networking). ● The ipc namespace: Managing access to IPC resources (IPC: InterProcess Communication). ● The mnt namespace: Managing filesystem mount points (MNT: Mount). ● The uts namespace: Isolating kernel and version identifiers. (UTS: Unix Timesharing System). Namespaces Docker uses a technology called namespaces to provide the isolated workspace called the container. When you run a container, Docker creates a set of namespaces for that container. These namespaces provide a layer of isolation. Each aspect of a container runs in a separate namespace and its access is limited to that namespace. I. Reminder : Docker sources : https://docs.docker.com/engine/docker-overview/#the-underlying-technology https://en.wikipedia.org/wiki/Linux_kernel
  • 5. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Control groups Docker Engine on Linux also relies on another technology called control groups (cgroups). A cgroup limits an application to a specific set of resources. Control groups allow Docker Engine to share available hardware resources to containers and optionally enforce limits and constraints. For example, you can limit the memory available to a specific container. Union file systems Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper. Container format Docker Engine combines the namespaces, control groups, and UnionFS into a wrapper called a container format. The default container format is libcontainer. In the future, Docker may support other container formats by integrating with technologies such as BSD Jails or Solaris Zones. Isolation I. Reminder : Docker sources : https://docs.docker.com/engine/docker-overview/#the-underlying-technology https://en.wikipedia.org/wiki/Cgroups
  • 6. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Union file systems (again) Union file systems, or UnionFS, are file systems that operate by creating layers, making them very lightweight and fast. Docker Engine uses UnionFS to provide the building blocks for containers. Docker Engine can use multiple UnionFS variants, including AUFS, btrfs, vfs, and DeviceMapper. Container format A Docker image is built up from a series of layers. Each layer represents an instruction in the image’s Dockerfile. Each layer except the very last one is read-only. Each layer is only a set of differences from the layer before it. The layers are stacked on top of each other. When you create a new container, you add a new writable layer on top of the underlying layers. This layer is often called the “container layer”. All changes made to the running container, such as writing new files, modifying existing files, and deleting files, are written to this thin writable container layer. Layers I. Reminder : Docker sources : https://docs.docker.com/storage/storagedriver/#images-and-layers
  • 7. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Breadcrumb Operating System Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Operating System (Docker Image) I. Reminder : Docker
  • 8. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Breadcrumb Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring boot Operating System App lib 2 App 2 I. Reminder : Docker
  • 9. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Images A recipe or template for creating Docker containers. It includes the steps for installing and running the necessary software Docker Container Like a tiny virtual machine that is created from the instructions found within the Docker image Docker Client Command-line utility or other tool that takes advantage of the Docker API (docs.docker.com/ reference/api/docker_remote_api) to communicate with a Docker daemon Glossary I. Reminder : Docker sources : https://docs.docker.com/glossary/ https://dzone.com/refcardz/getting-started-with-docker-1 Docker Host A physical or virtual machine that is running a Docker daemon and contains cached images as well as runnable containers created from images Docker Registry A repository of Docker images that can be used to create Docker containers. Docker Hub (hub.docker.com) is the most popular social example of a Docker repository.
  • 10. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 ● Agile application creation and deployment: Increased ease and efficiency of container image creation compared to VM image use. ● Continuous development, integration, and deployment ● Dev and Ops separation of concerns ● Environmental consistency across development, testing, and production ● Application-centric management: Raises the level of abstraction from running an OS on virtual hardware to running an application on an OS using logical resources. ● Loosely coupled, distributed, elastic, liberated micro-services ● Resource isolation: Predictable application performance. ● Resource utilization: High efficiency and density. Kubernetes is a portable, extensible open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. It has a large, rapidly growing ecosystem. Kubernetes services, support, and tools are widely available. Kubernetes I. Reminder : Kubernetes sources : https://kubernetes.io/docs/concepts/architecture/cloud-controller/ https://kubernetes.io/blog/2018/07/18/11-ways-not-to-get-hacked/
  • 11. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Master The machine that controls Kubernetes nodes. This is where all task assignments originate. Node These machines perform the requested, assigned tasks. The Kubernetes master controls them. Pod A group of one or more containers deployed to a single node. All containers in a pod share an IP address, IPC, hostname, and other resources. Pods abstract network and storage away from the underlying container. This lets you move containers around the cluster more easily. Kubelet This service runs on nodes and reads the container manifests and ensures the defined containers are started and running. Glossary I. Reminder : Kubernetes sources : https://www.redhat.com/en/topics/containers/what-is-kubernetes Replication controller This controls how many identical copies of a pod should be running somewhere on the cluster. Service This decouples work definitions from the pods. Kubernetes service proxies automatically get service requests to the right pod—no matter where it moves to in the cluster or even if it’s been replaced.
  • 12. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 A container is an instanciate executable isolated process A container repository is a library of image. A Kubernetes Pod (PO) is a group of one or more containers. A service (SVC) is named mapping to pod Object I. Reminder : Kubernetes sources : https://github.com/kanedafromparisfriends/icones_ocp_kube A ReplicatSet (RS) create and maintain the pod declaration that will instantiate pods replica (docker images) that will provide services. A Deployment (Deploy) create the ReplicatSet that will provide services. Persistent Volume (PV) is a piece of networked storage in the cluster. Persistent Volume Claim (PVC) is a reservation of a Persistent Volume into a namespace / project ...
  • 13. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 The following are typical use cases for Deployments: ● Create a Deployment to rollout a ReplicaSet. The ReplicaSet creates Pods in the background. Check the status of the rollout to see if it succeeds or not. ● Declare the new state of the Pods by updating the PodTemplateSpec of the Deployment. A new ReplicaSet is created and the Deployment manages moving the Pods from the old ReplicaSet to the new one at a controlled rate. Each new ReplicaSet updates the revision of the Deployment. Deployment I. Reminder : Kubernetes sources : https://kubernetes.io/docs/concepts/workloads/controllers/deployment/ ● Rollback to an earlier Deployment revision if the current state of the Deployment is not stable. Each rollback updates the revision of the Deployment. ● Scale up the Deployment to facilitate more load. ● Pause the Deployment to apply multiple fixes to its PodTemplateSpec and then resume it to start a new rollout. ● Use the status of the Deployment as an indicator that a rollout has stuck. ● Clean up older ReplicaSets that you don’t need anymore.
  • 14. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 En pratique (et Yaml) I. Reminder : Kubernetes apiVersion: extensions/v1beta1 kind: Deployment metadata: annotations: deployment.kubernetes.io/revision: "3" kubernetes.io/change-cause: "blabla..." creationTimestamp: 2018-01-27T18:17:26Z generation: 5 labels: run: logversion name: logversion spec: minReadySeconds: 15 progressDeadlineSeconds: 300 replicas: 3 selector: matchLabels: run: logversion strategy: rollingUpdate: maxSurge: 1 maxUnavailable: 1 type: RollingUpdate ... template: metadata: creationTimestamp: null labels: run: resourcesmonger spec: containers: - image: https://myregistry.org/kanedafromparis/logversion:3.1 imagePullPolicy: IfNotPresent name: logversion ports: - containerPort: 8080 protocol: TCP resources: ... livenessProb ... terminationMessagePath: /dev/termination-log terminationMessagePolicy: File ...
  • 15. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Docker Image Breadcrumb Infrastructure Operating System (Node OS) Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 2 App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring| boot https://myregistry.or g/.../App1:x.y ../App2:x.y ../App3:x.y ../App4:x.y ../App5:x.y Docker Image kubelet I. Reminder : Kubernetes
  • 16. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Dev Local Developper need to develop project on it,s local machine (unit test, debug, etc…) Dev on cluster In order to check some integration issue, Dev can develop into a dedicated namespace. This namespace can host component and resources identical to production CI on cluster Automated build/test system (Jenkins) catch commit in order to build the future docker artifact(s) that will be propagated to the QA namespaces QA on cluster Automated test are executed on a dedicated namespaces Staging on cluster (optional) A referential namespace can be used for load testing, human validation and pre- visualisation Production on cluster A production namespace host the project with the necessary security constraintes s/Development/Deployment/g pipeline I. Reminder : Development pipeline sources : Containerizing Continuous Delivery in Java by Daniel Bryant
  • 17. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 SonarQube® is an automatic code review tool to detect bugs, vulnerabilities and code smells in your code. It can integrate with your existing workflow to enable continuous code inspection across your project branches and pull requests. Continuous Inspection SonarQube provides the capability to not only show health of an application but also to highlight issues newly introduced. With a Quality Gate in place, you can fix the leak and therefore improve code quality systematically. Detect Tricky Issues Our code analyzers are equipped with powerful path sensitive dataflow engines to detect tricky issues such as null-pointers dereferences, logic errors, resource leaks.. Centralize Quality One place to provide a shared vision of code quality for developers, tech leads, managers and executives in charge of a few to a few thousands projects and also to act as a toll gate for application promotion or release QA : Exemple SonarQube I. Reminder : Development pipeline sources : https://www.sonarqube.org/
  • 18. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Some of ZAP's functionality: ● Man-in-the-middle Proxy ● Traditional and AJAX spiders ● Automated scanner ● Passive scanner ● Forced browsing ● Fuzzer ● Dynamic SSL certificates ● Smartcard and Client Digital Certificates support ● Web sockets support ● Support for a wide range of scripting languages ● Plug-n-Hack support ● Authentication and session support ● Powerful REST based API ● Automatic updating option ● Integrated and growing marketplace of add-ons QA : Example ZappProxy I. Reminder : Development pipeline sources : https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project#tab=Functionality
  • 19. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Continuous Integration the practice of frequently integrating one's new or changed code with the existing code repository – should occur frequently enough that no intervening window remains between commit and build, and such that no errors can arise without developers noticing them and correcting them immediately. Notice : Maturity level I. Reminder : Development pipeline sources : DevOps with OpenShift by Stefano Picozzi, Mike Hepburn, and Noel O’Connor https://en.wikipedia.org/wiki/Continuous_delivery, https://en.wikipedia.org/wiki/Continuous_deployment, https://en.wikipedia.org/wiki/Continuous_integration Continuous delivery (CDE) A software engineering approach in which teams produce software in short cycles, ensuring that the software can be reliably released at any time and, when releasing the software, doing so manually. Continuous deployment (CD) A software engineering approach in which software functionalities are delivered frequently through automated deployments. - 30:00
  • 20. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 DEV (NS) Digression: version tag versus purpose tag I. Reminder : Kubernetes img:1.2.1 QA (NS) STG (NS) PROD (NS) img:1.2.0 img:1.1.1 img:1.1.1 DEV (NS) img:dev QA (NS) STG (NS) PROD (NS) img:qa img:stg img:prod imagePullPolicy: Always
  • 21. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Sommaire I. Reminder A. Docker 1. intro 2. isolation 3. layers B. Kubernetes 1. generic 2. deployment C. Development pipeline (security focus) II. Application life cycle A. Scanning tools B. Too much technos III. Proposed solution A. 1,2,3 Hosting B. Pitfalls
  • 22. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 sources : https://devops.com.vn/2018/117/ Application lifecycle (example) II. Application life cycle
  • 23. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle (example) sources : https://www.lemondeinformatique.fr/actualites/lire-atlassian-fait-pousser-ses-offres-devops-68588.html II. Application life cycle
  • 24. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 CVE happens II. Application life cycle sources : https://www.cvedetails.com/
  • 25. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 CVE happens II. Application life cycle sources : https://www.cvedetails.com/
  • 26. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 CVE happens II. Application life cycle sources : https://www.cvedetails.com/
  • 27. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle (example) 3 years Lifecycle of a website application (example) Patch II. Application life cycle
  • 28. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle Feature developpement through application configuration or coding is only a phase of the Application life cycle. This phase can be a big or a small part of the application life. Several phase are also necessary within the application lifecycle : - Feature development with testing and validation This phase can happen several time during the application life. - Deployment This phase can happen several time during the application life. - Security update This phase can happen several time during the application life. - Decommission This phase should only happen once. The manpower necessary for any of theses phases vary a lot. Depending of the complexity of the application, the disponibility of the knowledgeable parties, the level of automatisation This is why an application need to have a application owner accountable over the entire application lifecycle. II. Application life cycle
  • 29. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Scan tools: downstream / upstream Security tools can give you inside knowledge of your image and potential security vulnerability Most are hook on you registry or can have local agent that will highlight most of you CVE issue. Usually they scan package (.rpm, .deb, .apk,...) but not tar.gz and mostly not application library. II. Application life cycle They can have various trigger and can set various trigger - email alert - automatic rebuild - block pull - ...
  • 30. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Docker Image Breadcump Infrastructure Operating System (Node OS) Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 2 App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring| boot https://myregistry.or g/.../App1:x.y ../App2:x.y ../App3:x.y ../App4:x.y ../App5:x.y Docker Image kubelet Detected by most vulnerability scanner Often out of scope II. Application life cycle - 20:00
  • 31. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle : PHP PHP Component ● httpd ● nginx ● composer ● symphony ● drupal ● wordpress ● PhpUnit II. Application life cycle
  • 32. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle : Java Java ● openjdk ● oraclejdk ● azul ● ant ● maven ● graddle ● spring boot ● vert-x ● war+tomat ● war+tomEE ● ear+tomEE ● ... II. Application life cycle
  • 33. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle : nodejs Nodejs ● v8 ● deno ● npm ● webpack ● bower ● espress.js ● mongoose ● lodash ● Jest ● phatomejs ● chomium ● ... II. Application life cycle
  • 34. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Application lifecycle : Scala Sacla ● sbt ● … ● Play ● Sparks ● ... II. Application life cycle
  • 35. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 It can rapidly became unmanageable II. Application life cycle
  • 36. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Sommaire I. Reminder A. Docker 1. intro 2. isolation 3. layers B. Kubernetes 1. generic 2. deployment C. Development pipeline (security focus) II. Application life cycle A. Scanning tools B. Too much technos III. Proposed solution A. 1,2,3 Hosting B. Pitfalls
  • 37. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Docker Image Breadcrumb Infrastructure Operating System (Node OS) Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 2 App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring| boot https://myregistry.or g/.../App1:x.y ../App2:x.y ../App3:x.y ../App4:x.y ../App5:x.y Docker Image kubelet Usually ops scope Usually Dev scop III. Proposed solution
  • 38. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Base image : A transition image destined to process program code in order to create an application image. Application image : An image use into kubernetes that provide the custom service developed by the company. It can came from a base image or a custom dockerfile. Proposed vocabulary Still image : An image used into kubernetes cluster with only configuration adaptation. A still image is based on non-internal source code or binaries. III. Proposed solution
  • 39. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Docker Image Docker Image Docker Image Docker Image Docker Image Breadcrumb Infrastructure Operating System (Node OS) Toolings / Utils Language Toolings Application Toolings Frameworks / external libs Application code Alpine Base Image OpenJDK 8 Tomcat Wildfly App lib App 2 App 3 Apache httpd 2.4 PHP 7.1 PHP 5.6 Drupal Wordpress App 1 App 4 Operating System (Docker Image) Spring| boot https://myregistry.or g/.../App1:x.y ../App2:x.y ../App3:x.y ../App4:x.y ../App5:x.y III. Proposed solution BaseImage ApplicationImage StillImage
  • 40. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 1,2,3 hosting III. Proposed solution 1 : Project will use Dockerfile using our base image & still image proposed and maintain by the host team (ops)
  • 41. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 1,2,3 hosting 1 : Project will use Dockerfile using our base image & still image proposed and maintain by the host team (ops) 2 : Project will use its own Dockerfile but will be in charge of maintenance (specially security) III. Proposed solution
  • 42. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 1,2,3 hosting 1 : Project will use Dockerfile using our base image & still image proposed and maintain by the host team (ops) 2 : Project will use its own Dockerfile but will be in charge of maintenance (specially security) 3 : Project will use third parties image (signed image) III. Proposed solution
  • 43. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls III. Proposed solution - 10:00
  • 44. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner III. Proposed solution
  • 45. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak III. Proposed solution
  • 46. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak ● Lack of communication (specially between dev team and hosting team) III. Proposed solution
  • 47. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak ● Lack of communication (specially between dev team and hosting team) ● Build to Prod (no test) III. Proposed solution
  • 48. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak ● Lack of communication (specially between dev team and hosting team) ● Build to Prod (no test) ● Too many version, too many variante III. Proposed solution
  • 49. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Pitfalls ● Absence of a project Owner ● Tooling focus / automation freak ● Lack of communication (specially between dev team and hosting team) ● Build to Prod (no test) ● Too many version, too many variante ● Lack of management support / acceptance in rules enforcement III. Proposed solution
  • 50. Kubernetes Application Life Cycle (patch management) 2018/12/13 #NSD18 Thank you ● Questions ? III. Proposed solution - 00:00