Secure Substrate: Least Privilege Container Deployment
Diogo Mónica, Security Lead, Docker
Riyaz Faizullabhoy, Security Engineer, Docker
Content Addressable Image Pulls (containerD)
[Figure: the reference alpine@sha256:29d234… pins the manifest by its digest 29d234…; the manifest in turn lists one digest per layer (16df34…, 6ec6e1…, 3e94f1…, 200dc0…, 50d932…) for Layer 1, Layer 2, Layer 3, Layer 4, … Layer N.]
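The figure shows a chain of digests: the reference pins the manifest, the manifest pins every layer. The following Go program is an added example (not containerd's or Docker's code) that replays that chain for a by-digest pull. The Manifest type, the function names and the blob-store map are assumptions for the example; the manifest is simplified to a bare list of layer digests, and the layer contents are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed, minimal manifest: a real image manifest also carries a config
// descriptor, media types and sizes, but the pinning logic is the same.
type Manifest struct {
	Layers []string `json:"layers"` // each entry is "sha256:<64 hex chars>"
}

// Digest returns the content address of a blob in the "sha256:<hex>" form
// used in image references and manifests.
func Digest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// validDigest rejects anything that is not a full, lowercase sha256 digest.
func validDigest(d string) bool {
	const prefix = "sha256:"
	if !strings.HasPrefix(d, prefix) || len(d) != len(prefix)+64 {
		return false
	}
	_, err := hex.DecodeString(d[len(prefix):])
	return err == nil && strings.ToLower(d) == d
}

// ParseDigestRef splits "name@sha256:<hex>" into the image name and the
// pinned manifest digest. A tag-only reference ("alpine:3.18") is rejected
// because it pins nothing.
func ParseDigestRef(ref string) (name, digest string, err error) {
	at := strings.LastIndex(ref, "@")
	if at < 0 {
		return "", "", errors.New("reference is not digest-pinned")
	}
	name, digest = ref[:at], ref[at+1:]
	if name == "" || !validDigest(digest) {
		return "", "", fmt.Errorf("malformed digest reference %q", ref)
	}
	return name, digest, nil
}

// VerifyPull replays the trust chain of a by-digest pull: the fetched
// manifest must hash to the digest in the reference, and every layer blob
// must hash to the digest the manifest lists for it. blobs stands in for the
// content store, keyed by the digest each blob was fetched under.
func VerifyPull(ref string, manifest []byte, blobs map[string][]byte) error {
	_, pinned, err := ParseDigestRef(ref)
	if err != nil {
		return err
	}
	if got := Digest(manifest); got != pinned {
		return fmt.Errorf("manifest digest %s does not match pinned %s", got, pinned)
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return fmt.Errorf("manifest is not valid JSON: %w", err)
	}
	for i, want := range m.Layers {
		if !validDigest(want) {
			return fmt.Errorf("layer %d has malformed digest %q", i+1, want)
		}
		blob, ok := blobs[want]
		if !ok {
			return fmt.Errorf("layer %d (%s) was not fetched", i+1, want)
		}
		if got := Digest(blob); got != want {
			return fmt.Errorf("layer %d content hashes to %s, manifest says %s", i+1, got, want)
		}
	}
	return nil
}

// BuildImage constructs a manifest and blob store for the given layer
// contents and returns the digest-pinned reference a client would use.
func BuildImage(name string, layers [][]byte) (ref string, manifest []byte, blobs map[string][]byte) {
	blobs = make(map[string][]byte)
	var m Manifest
	for _, l := range layers {
		d := Digest(l)
		m.Layers = append(m.Layers, d)
		blobs[d] = l
	}
	manifest, _ = json.Marshal(m)
	return name + "@" + Digest(manifest), manifest, blobs
}

func main() {
	ref, manifest, blobs := BuildImage("alpine", [][]byte{[]byte("layer 1"), []byte("layer 2")})
	fmt.Println("pull", ref, "->", VerifyPull(ref, manifest, blobs))
	// A layer altered in transit no longer matches the digest the manifest pins.
	blobs[Digest([]byte("layer 2"))] = []byte("layer 2, modified")
	fmt.Println("tampered pull ->", VerifyPull(ref, manifest, blobs))
}
```

The point of the chain is that only the top digest has to be trusted: once the reference is pinned, a registry or a proxy in the path cannot substitute a manifest or a layer without the pull failing.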
Secure Node Introduction (swarmKit)
Join token: SWMTKN-1-mx8suomaom825bet6-cm6zts22rl4hly2
[Figure: the token's four dash-separated fields, in order: known prefix (SWMTKN), token version (1), hash of root CA (mx8suomaom825bet6), random secret (cm6zts22rl4hly2).]
MTLS Between All Nodes (swarmKit)
[Figure: worker and manager nodes, each holding a certificate issued by the cluster Certificate Authority and talking to every other node over TLS.]
Secure Secret Distribution (swarmKit)
[Figure: manager nodes with their Raft store; workers receive secrets from managers.]
Transparent Root Rotation (swarmKit)
[Figure, four panels numbered 1 to 4: worker and manager nodes with TLS connections to the Certificate Authority; panel labels Add, Remove, Renew.]
Secure Node Cluster Introduction
1. Retrieve and validate the Root CA public key material.
2. Submit a new CSR along with the secret token.
3. Retrieve the signed certificate.
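The token structure from the Secure Node Introduction slide is what makes step 1 and step 2 above work: the hash of the root CA lets a joining node check the CA material it fetched before trusting it, and the random secret is what the manager checks when the CSR arrives. The Go program below is an added model of that mechanism (not swarmkit's own code): the field encoding (base36 of a SHA-256 over the CA certificate bytes, no fixed-width padding), the type and function names, and the CA certificate bytes are all assumptions constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// Assumed layout, following the slide:
//   SWMTKN - <version> - <base36(sha256(root CA cert))> - <random secret>
const (
	tokenPrefix  = "SWMTKN"
	tokenVersion = "1"
)

type JoinToken struct {
	Version  string
	CADigest string // base36 digest of the root CA certificate
	Secret   string
}

// isBase36 checks that a field uses only the lowercase base36 alphabet, so a
// stray "-" inside a field cannot shift the field boundaries.
func isBase36(s string) bool {
	if s == "" {
		return false
	}
	for _, c := range s {
		if !(c >= '0' && c <= '9' || c >= 'a' && c <= 'z') {
			return false
		}
	}
	return true
}

// ParseJoinToken validates the fixed structure before any field is used.
func ParseJoinToken(tok string) (JoinToken, error) {
	parts := strings.Split(tok, "-")
	if len(parts) != 4 {
		return JoinToken{}, errors.New("join token must have exactly four dash-separated fields")
	}
	if parts[0] != tokenPrefix {
		return JoinToken{}, fmt.Errorf("unknown token prefix %q", parts[0])
	}
	if parts[1] != tokenVersion {
		return JoinToken{}, fmt.Errorf("unsupported token version %q", parts[1])
	}
	if !isBase36(parts[2]) || !isBase36(parts[3]) {
		return JoinToken{}, errors.New("digest and secret fields must be base36")
	}
	return JoinToken{Version: parts[1], CADigest: parts[2], Secret: parts[3]}, nil
}

// CADigestBase36 is the value the token carries for a given root CA
// certificate (raw certificate bytes in this model).
func CADigestBase36(caCert []byte) string {
	sum := sha256.Sum256(caCert)
	var n big.Int
	n.SetBytes(sum[:])
	return n.Text(36)
}

// BuildJoinToken is the manager side: the secret is bound to the current
// root CA so the token only ever admits a node into this cluster.
func BuildJoinToken(caCert []byte, secret string) string {
	return fmt.Sprintf("%s-%s-%s-%s", tokenPrefix, tokenVersion, CADigestBase36(caCert), secret)
}

// VerifyFetchedRootCA is step 1 on the joining node: CA material retrieved
// from a manager over a not-yet-authenticated channel is accepted only if it
// hashes to the digest pinned in the token, which the operator delivered out
// of band. Without this pin the node would trust whichever CA answered first.
func VerifyFetchedRootCA(tok JoinToken, fetchedCA []byte) bool {
	return subtle.ConstantTimeCompare([]byte(tok.CADigest), []byte(CADigestBase36(fetchedCA))) == 1
}

// CheckSecret is the manager side of step 2: the secret presented with the
// CSR is compared in constant time against the one the manager issued.
func CheckSecret(presented, issued string) bool {
	return subtle.ConstantTimeCompare([]byte(presented), []byte(issued)) == 1
}

func main() {
	ca := []byte("constructed root CA certificate bytes") // placeholder, not a real certificate
	tok := BuildJoinToken(ca, "cm6zts22rl4hly2")
	parsed, err := ParseJoinToken(tok)
	fmt.Println(tok, err)
	fmt.Println("genuine CA accepted:", VerifyFetchedRootCA(parsed, ca))
	fmt.Println("substituted CA accepted:", VerifyFetchedRootCA(parsed, []byte("substituted root CA")))
}
```

Step 3 then rides on the channel that step 1 authenticated: the worker already knows which CA it expects, so the certificate it receives back can be checked against that root rather than accepted blindly.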