Chap 10 - 01 - Understand Virt Essential Concepts and OS Virt Security - 06_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82
Virtualization and Cloud Computing

Kubernetes Vs. Docker
Kubernetes Deployment

= Docker is open source software that can be installed on any host to build,
deploy, and run containerized applications on a single operating system

= When Docker is installed on multiple hosts with different operating SRR
systems, you can use Kubernetes to manage these Docker hosts 999 999 7]
* Docker * Docker

= Kubernetes is a container orchestration platform that automates the
process of creating, managing, updating, scaling, and destroying containers ’ 99 ‘
* Docker ‘

= Kubernetes can be coupled with any containerization technology such i
as Docker, Rkt, RunC, and cri-o AL L LA LL
&Docker " Docker

A A ; Kubernetes and Docker run
= Both Dockers and Kubernetes are based on microservices architecture, and together to build and run
built using the Go programming language to deploy small, lightweight containerized applications
binaries, and YAML files for specifying application configurations and stacks

Copyright © by uncil All Rights Reserved. Reproductionis Strictly Prohibited.

Kubernetes Vs. Docker

As discussed above, Docker is an open-source software that can be installed on any host to
build, deploy, and run containerized applications on a single operating system. Containerization
isolates running applications from other services and applications running on the host OS.
Kubernetes is a container orchestration platform that automates the process of creating,
managing, updating, scaling, and destroying containers. Both Dockers and Kubernetes are
based on microservices architecture, they are built using the Go programming language to
deploy small lightweight binaries, and use the YAML file for specifying application
configurations and stacks. When Kubernetes and Docker are coupled together, they provide
efficient management and deployment of containers in a distributed architecture. When
Docker is installed on multiple hosts with different operating systems, you can use Kubernetes
to manage these Docker hosts through container provisioning, load balancing, failover and
scaling, and security.

Module 10 Page 1269 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Virtualization and Cloud Computing

-
-
A

0500
-
-

P09 0999
*

LL ¥ 1.

&Docker *
* Docker
Docker

Kubernetes and Docker run
together to build and run
containerized applications
Figure 10.13: Kubernetes deployment

Module 10 Page 1270 Certified Cybersecurity Technician Copyright © by EC-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Virtualization and Cloud Computing

Container Security Challenges

© 66 6 6O 06
Inflow of vulnerable Large attack Lack of visibility Compromising DevOps speed
source code surface secrets

© o6 6 O
Noisy neighboring Container breakout = Network-based Bypassing Ecosystem
containers to the host attacks isolation complexity

Container Security Challenges
While containerization provides fast and continuous delivery of applications to developers and
DevOps teams, there are certain security challenges associated with it. The primary security
challenges for containers are as follows:
Inflow of Vulnerable Source Code: Since containers are open source, the images that
are created by the developers are frequently updated, stored, and used as needed. This
causes an inflow of source code that may potentially harbor vulnerabilities and
unexpected behaviors, into an organization.
Large Attack Surface: In cloud or on-premises, there are many containers than run on
multiple machines. This provides a large attack surface, and therefore causes challenges
in the tracking and detection of anomalies.
Lack of Visibility: The abstraction layer created by the container engine masks the
activity of a particular container.

DevOps Speed: On average, the lifespan of a container is four times less than virtual
machines. Containers can be created instantly, run for a short duration of time, stopped,
and removed. Due to this ephemerality, an attacker can execute an attack and
disappear quickly.
Noisy Neighboring Containers: The behavior of one container can potentially cause a
DOS for another container. For example, opening sockets frequently can freeze up the
host machine.

Container Breakout to the Host: Containers that run as the root user can breakout and
access the host’s operating system.

Module 10 Page 1271 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.
Certified Cybersecurity Technician Exam 212-82
Virtualization and Cloud Computing

= Network-based Attacks: A jeopardized container is vulnerable to network-based
attacks, especially in outbound networks with unrestricted raw sockets.

» Bypassing isolation/Lack of isolation: Any inadequacy in the isolation between
containers can be a security challenge since an attacker who compromises one
container can then easily access another container in the same host.

= Ecosystem complexity: The tools utilized to build, deploy, and manage containers are
provided by different sources. Therefore, a user should keep the components secure
and up-to-date.

Module 10 Page 1272 Certified Cybersecurity Technician Copyright © by EG-Council
All Rights Reserved. Reproduction is Strictly Prohibited.