Build Systems that Drive Business
June 11–12, 2018: Training
June 12–14, 2018: Tutorials & Conference
San Jose, CA

How to reduce the attack surface of your container workloads

Cynthia Thomas (Cilium)
4:35pm–5:15pm Thursday, June 14, 2018
Containers
Location: LL21 E/F Level: Intermediate
Secondary topics: Resilient, Performant & Secure Distributed Systems
Average rating: 3.33 (3 ratings)

Prerequisite knowledge

  • A basic understanding of networking and security
  • Familiarity with container orchestration platforms like Kubernetes (useful but not required)

What you'll learn

  • Explore traditional firewall methods and the evolution of the distributed security model to enforce least privilege for microservices

Description

Modern microservices architectures split application functions into individual services and expose them via APIs over protocols such as HTTP/REST, gRPC, or Kafka. The rise of container orchestration platforms such as Kubernetes is creating demand for routing, load balancing, and security infrastructure that is highly scalable, application aware, and resilient. At the same time, BPF (originally the Berkeley Packet Filter, now extended as eBPF) has become one of the fastest-growing subsystems in the Linux kernel: it lets small, verified programs run safely inside the kernel, and it is changing how networking, security, and tracing are done.

What was done for security before microservices is no longer sufficient. A perimeter firewall keyed on IP addresses and ports cannot express the policy a cluster needs: pod IPs are ephemeral, many services share the same ports, and the interesting boundary is the API call itself (an HTTP method and path, a gRPC method, a Kafka topic), which a layer 3/4 filter cannot see. The new norm for the modern world is that security must be distributed, enforced at every workload, and least privilege for pod-to-pod traffic.

On the path from architectural design to the lab and eventually to production, it is important to understand the pain points and gaps of traditional firewall methods when services are exposed via APIs in a microservices architecture. Cynthia Thomas outlines those traditional firewall methods and details the evolution of the distributed security model that enforces least privilege for microservices.
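To make the contrast concrete, here is an added example (not from the talk and not the Cilium project's own code) showing the two models side by side for a hypothetical "orders" service in a Kubernetes cluster running Cilium. The first manifest is the weak, address-based form: a Kubernetes NetworkPolicy that admits a CIDR on a port. The second is the distributed, identity-based form: a CiliumNetworkPolicy that selects peers by label and restricts the allowed HTTP and gRPC calls. All names, labels, namespaces, ports, and paths are assumptions made for the example.

```yaml
# Added example, not from the talk or the Cilium project. The "shop" namespace,
# the app labels, ports, and API paths are illustrative assumptions.
#
# Weak baseline: an IP/port-style rule. Pod IPs are ephemeral, so a CIDR rule is
# either too broad (it ends up covering the whole pod range) or silently breaks
# when a pod is rescheduled, and it says nothing about which API calls are allowed.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orders-allow-cidr
  namespace: shop
spec:
  podSelector:
    matchLabels:
      app: orders
  policyTypes: ["Ingress"]
  ingress:
    - from:
        - ipBlock:
            cidr: 10.0.0.0/8   # assumed pod CIDR: effectively "any pod in the cluster"
      ports:
        - protocol: TCP
          port: 8080
---
# Distributed, identity-based alternative: the policy is enforced at each pod's
# own endpoint, peers are identified by their labels rather than by IP address,
# and only the HTTP methods/paths and the one gRPC method each caller needs are
# permitted. Everything not listed is denied.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: orders-least-privilege
  namespace: shop
spec:
  endpointSelector:
    matchLabels:
      app: orders
  ingress:
    # Only the checkout service may reach orders, only on 8080, and only for
    # the two REST calls it actually makes.
    - fromEndpoints:
        - matchLabels:
            app: checkout
      toPorts:
        - ports:
            - port: "8080"
              protocol: TCP
          rules:
            http:
              - method: POST
                path: "/v1/orders"
              - method: GET
                path: "/v1/orders/[0-9]+"   # path is a regex, anchored by Cilium
    # gRPC runs over HTTP/2, so a single RPC is allowed by its /Service/Method path.
    - fromEndpoints:
        - matchLabels:
            app: inventory
      toPorts:
        - ports:
            - port: "9090"
              protocol: TCP
          rules:
            http:
              - method: POST
                path: "/shop.Orders/ReserveStock"
  egress:
    # Listing any egress rule makes egress default-deny for the selected pods;
    # here orders may only resolve names via the cluster DNS service.
    - toEndpoints:
        - matchLabels:
            "k8s:io.kubernetes.pod.namespace": kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
```

Both manifests apply with `kubectl apply -f`. The second one works because Cilium attaches a security identity to each pod derived from its labels and enforces the layer 3/4 part of the rule in BPF at the pod's own network interface; the `http` rules are handled by Cilium's layer 7 proxy, which is what makes an HTTP method, a REST path, or a gRPC method a policy primitive rather than something hidden inside "TCP port 8080". Note the asymmetry a practitioner should expect: adding an ingress section denies all other ingress to `app: orders`, and adding an egress section denies all other egress, so the DNS rule is not optional once any egress rule is present.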


Cynthia Thomas

Cilium

Cynthia Thomas is a technology evangelist at Isovalent, the company behind Cilium. Her background includes 10 years spent working with open source cloud and networking solutions in data center, telecommunications, and campus deployments. Cynthia is an advocate of open source technologies. Since 2015, she has been working on Docker and Kubernetes networking through CNI plugins, currently via the open source project Cilium. She is a frequent speaker at conferences, including ContainerCon, DevOpsDays, DockerCon, Kubernetes meetups, and OpenStack Summits and meetups.