Mathias Tausig
Turning Container security up to 11 with Capabilities
#1 (about 8 minutes)
Demonstrating a man-in-the-middle attack between containers
A proof-of-concept shows how a malicious container can sniff unencrypted traffic between other containers running on the same host.
#2 (about 5 minutes)
Introducing Linux capabilities for granular privilege control
Traditional Unix permissions are an all-or-nothing model, whereas Linux capabilities split root privileges into distinct units for finer control.
#3 (about 4 minutes)
Differentiating between file and process capabilities
Capabilities can be set on files to elevate privileges for specific binaries or on processes to reduce them, with the latter being key for containers.
#4 (about 3 minutes)
Managing default container capabilities in Docker
Docker grants a default set of powerful capabilities to containers, which can be restricted using `cap-drop` and `cap-add` flags.
#5 (about 4 minutes)
Securing deployments by dropping unnecessary capabilities
By dropping all capabilities and only adding back the essential ones, the man-in-the-middle attack is successfully prevented in both Docker and Kubernetes.
#6 (about 3 minutes)
Using capabilities as a defense-in-depth measure
Limiting capabilities does not prevent an initial exploit but significantly reduces the potential impact and blast radius of a compromised container.
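Added example, not code from the talk or its materials: a small Python audit script that decodes the CapEff mask from /proc/<pid>/status, so a defender can verify inside a running container which capabilities survive a cap-drop/cap-add policy. The status excerpts are constructed, and treating NET_RAW and NET_ADMIN as the capabilities behind the sniffing demo is an assumption, since the chapter summaries do not name them.

```python
"""Decode a process's effective capability mask (CapEff) and report which
capabilities remain after a cap-drop/cap-add policy has been applied."""
import re

# Kernel capability numbers are bit positions in CapEff (linux/capability.h).
CAP_NAMES = ("CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
             "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
             "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
             "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
             "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
             "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE").split()

# Assumption: raw sockets (NET_RAW) and interface configuration (NET_ADMIN) are
# what a container needs to capture a neighbour's traffic on a shared bridge.
SNIFF_CAPS = {"NET_RAW", "NET_ADMIN"}

def decode_capeff(status_text: str) -> set[str]:
    """Parse the 'CapEff:' line of /proc/<pid>/status into capability names."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    mask = int(m.group(1), 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def sniff_risk(caps: set[str]) -> set[str]:
    """Return the subset of caps that enable the traffic-sniffing scenario."""
    return caps & SNIFF_CAPS

def audit_pid(pid: int = 1) -> dict:
    """Read the live status file; run inside a container to audit its own caps."""
    with open(f"/proc/{pid}/status") as f:
        caps = decode_capeff(f.read())
    return {"caps": sorted(caps), "sniff_risk": sorted(sniff_risk(caps))}

# Constructed sample excerpts: Docker's default capability set (CapEff
# 00000000a80425fb, 14 capabilities, NET_RAW included) versus a container
# started with --cap-drop=ALL --cap-add=NET_BIND_SERVICE (only bit 10 set).
DEFAULT_STATUS = "Name:\tnginx\nCapEff:\t00000000a80425fb\n"
HARDENED_STATUS = "Name:\tnginx\nCapEff:\t0000000000000400\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("hardened", HARDENED_STATUS)):
        caps = decode_capeff(text)
        print(f"{label}: {len(caps)} caps, sniff risk: {sorted(sniff_risk(caps)) or 'none'}")
```

Run `audit_pid()` from inside a container (`docker exec <ctr> python3 audit.py`) to check the real CapEff of PID 1 rather than the constructed samples.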
Matching moments
56:21 MIN
Security best practices for containers and Kubernetes
Microservices: how to get started with Spring Boot and Kubernetes
13:51 MIN
Using containers to improve security and deployment
DevSecOps: Security in DevOps
06:06 MIN
Why Dockerfile security is a critical foundation
A practical guide to writing secure Dockerfiles
12:23 MIN
Advanced security practices for hardening Dockerfiles
A practical guide to writing secure Dockerfiles
25:48 MIN
Reducing attack surface with Docker-slim
A practical guide to writing secure Dockerfiles
13:21 MIN
Gaining a reverse shell through pod misconfigurations
Hacking Kubernetes: Live Demo Marathon
01:46 MIN
Understanding the Kubernetes threat landscape and adversaries
Hacking Kubernetes: Live Demo Marathon
38:31 MIN
Leveraging containerization for improved security posture
Kubernetes Security - Challenge and Opportunity
Related Videos
Kubernetes Security - Challenge and Opportunity
Marc Nimmerrichter
Kubernetes Security Best Practices
Rico Komenda
Hacking Kubernetes: Live Demo Marathon
Andrew Martin
Docker exec without Docker
Oliver Seitz
Supply Chain Security and the Real World: Lessons From Incidents
Adrian Mouat
Compose the Future: Building Agentic Applications, Made Simple with Docker
Mark Cavage, Tushar Jain, Jim Clark & Yunong Xiao
A Hitchhikers Guide to Container Security - Automotive Edition 2024
Reinhard Kugler
101 Typical Security Pitfalls
Alexander Pirker