Most companies have experimented with containerization in one form or another, and there is a wealth of information at these higher abstraction levels on securing constructs like Dockerfiles, container images, and container orchestration tools such as Kubernetes. What can be overlooked is that Linux kernel features like namespaces, seccomp, capabilities and cgroups provide the resource isolation functionality that underpins all of these tools.
Last Friday we presented a workshop at BSidesSLC 2021. During a 2-hour session we walked through several foundational isolation mechanisms, why they exist and how they are used to isolate Linux system resources and application processes. We had a great time interacting with the class, answering questions and doing our best to share our understanding of the topics at an 'intermediate' level, as in my opinion there is a great dearth of accessible 'intermediate-level' content available generally.
For those interested in seeing the presentation (+ presenter's notes!), source code and workshop labs, head on over to the GitHub repo: container-security-from-the-bottom-up