Mathias Tausig
Turning Container security up to 11 with Capabilities
#1 (about 8 minutes)
Demonstrating a man-in-the-middle attack between containers
A proof-of-concept shows how a malicious container can sniff unencrypted traffic between other containers running on the same host.
#2 (about 5 minutes)
Introducing Linux capabilities for granular privilege control
Traditional Unix permissions are an all-or-nothing model (root or not root), whereas Linux capabilities split root's privileges into distinct units that can be granted or withheld individually.
#3 (about 4 minutes)
Differentiating between file and process capabilities
Capabilities can be set on files to elevate privileges for specific binaries, or on processes to reduce them; the latter is the mechanism that matters for containers.
#4 (about 3 minutes)
Managing default container capabilities in Docker
Docker grants a default set of powerful capabilities to every container; this set can be restricted with the `--cap-drop` and `--cap-add` flags.
#5 (about 4 minutes)
Securing deployments by dropping unnecessary capabilities
By dropping all capabilities and adding back only the ones the workload actually needs, the man-in-the-middle attack is prevented in both Docker and Kubernetes.
#6 (about 3 minutes)
Using capabilities as a defense-in-depth measure
Limiting capabilities does not prevent the initial exploit, but it significantly reduces the impact and blast radius of a compromised container.
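The practical follow-up to chapters 4 and 5 is verifying that a "drop ALL, add back what is needed" deployment actually left the container with the set you intended. The kernel reports a process's capability sets as hex bitmasks in /proc/<pid>/status (CapEff, CapPrm, CapBnd, ...), which are not readable at a glance. The script below is an added example, not material from the talk or from Docker: it decodes such a mask into capability names using the kernel's bit numbering, and flags anything outside an allow-list. It assumes a Linux /proc layout; the two sample masks are constructed (the first equals the set Docker grants by default, which you can cross-check with `capsh --decode`).

```shell
#!/bin/sh
# Added example (not from the talk): decode /proc/<pid>/status capability masks
# into names and compare a container's effective set against an allow-list.
# Assumes Linux; masks are at most 41 bits wide, so shell arithmetic is safe.

# Capability names indexed by bit number: bit 0 = CAP_CHOWN ... bit 40 = CAP_CHECKPOINT_RESTORE.
CAP_NAMES="CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID \
SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK \
IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN SYS_BOOT \
SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE AUDIT_CONTROL \
SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON \
BPF CHECKPOINT_RESTORE"

# decode_caps HEXMASK -> prints the names of the capabilities set in the mask, lowest bit first
decode_caps() {
    mask=$((0x$1))
    bit=0
    names=""
    for cap in $CAP_NAMES; do
        if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
            names="$names $cap"
        fi
        bit=$((bit + 1))
    done
    printf '%s\n' "${names# }"
}

# has_cap HEXMASK NAME -> exit status 0 if NAME is present in the mask
has_cap() {
    for n in $(decode_caps "$1"); do
        [ "$n" = "$2" ] && return 0
    done
    return 1
}

# unexpected_caps HEXMASK NAME... -> prints capabilities in the mask that are NOT in the allow-list
unexpected_caps() {
    m=$1; shift
    allowed=" $* "
    extra=""
    for n in $(decode_caps "$m"); do
        case "$allowed" in
            *" $n "*) ;;
            *) extra="$extra $n" ;;
        esac
    done
    printf '%s\n' "${extra# }"
}

# current_caps FIELD -> hex mask of the given set (CapEff, CapPrm, CapBnd, ...) for this process
current_caps() {
    [ -r /proc/self/status ] || return 1
    awk -v f="$1:" '$1 == f { print $2 }' /proc/self/status
}

# Constructed sample: the mask a container gets with Docker's default capability set
# (cross-check with: capsh --decode=00000000a80425fb).
DOCKER_DEFAULT_MASK=00000000a80425fb
# Constructed sample: what "--cap-drop=ALL --cap-add=NET_BIND_SERVICE" should leave (bit 10 only).
HARDENED_MASK=0000000000000400

echo "default Docker set : $(decode_caps "$DOCKER_DEFAULT_MASK")"
echo "hardened set       : $(decode_caps "$HARDENED_MASK")"
echo "default set beyond the allow-list: $(unexpected_caps "$DOCKER_DEFAULT_MASK" NET_BIND_SERVICE)"
if [ -r /proc/self/status ]; then
    echo "this process CapEff: $(decode_caps "$(current_caps CapEff)")"
fi
```

To check a real deployment, run the script inside the container (or pipe the container's `grep CapEff /proc/self/status` output into `decode_caps`) after starting it with `docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE ...`, or in Kubernetes with `securityContext.capabilities` set to `drop: ["ALL"]` and `add: ["NET_BIND_SERVICE"]`. Note that the Docker default set decoded above includes NET_RAW, which most network services never need; the allow-list check makes such leftovers visible.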