Containers are used for a range of deployment scenarios, from low-cost VM substitutes to easier application deployment and all the way up to resource-efficient large-scale clusters. But this flexibility comes at a cost - containers share an underlying kernel, leaving a larger attack surface.
Various technical approaches exist to mitigate this limitation, including seccomp (reducing the number of system calls available to a container), sVirt (using SELinux to isolate containers from each other and the host) and Intel's Clear Containers (using very lightweight VMs as a substitute for traditional containers). But which should be used, and when? And are these the full story?
This presentation will discuss the risks associated with containers, how seriously they need to be taken and which approaches are most worthwhile in avoiding them.