KubeCon + CloudNativeCon Europe 2019: Rootless, Reproducible, and Hermetic: Se...

Barcelona, Spain
May 20–23, 2019
Click here for more information and registration

View Conference Venue and Sponsor Showcase Map

Rootless, Reproducible, and Hermetic: Secure Container Build Showdown - Andrew Martin, Control Plane

Feedback form is now closed.

Rootless container image builds (as distinct from rootless runtimes) have crept ever closer with orca-build, BuildKit, and img proving the concept. And they are desperately needed: a build pipeline with an exposed Docker socket can be used by an attacker to escalate privilege - and is probably a backdoor into most Kubernetes-based CI build farms.

With a slew of new rootless tooling emerging including Red Hat’s buildah, Google’s Kaniko, and Uber’s Makisu, will we see build systems that can securely build untrusted Dockerfiles? How are traditional build and packaging requirements like reproducibility or hermetic isolation being approached? In this talk we:
- Compare the strengths and weaknesses of modern container image build tools
- Explore the safety of untrusted image builds
- Live demo attacking container build pipelines
- Chart the history and future of container image build tooling

Speakers

Andrew Martin

co-founder, Control Plane

Andrew has a strong test-first engineering ethos gained architecting and deploying high-traffic web applications. Proficient in systems development, testing, and maintenance, he is comfortable profiling and securing every tier of a bare metal or cloud native application, and has battle-hardened... Read More →

ControlPlane Rootless, Reproducible & Hermetic Secure Container Build Showdown (KubeCon Barcelon, May 2019) pdf

Tuesday May 21, 2019 11:05 - 11:40
Hall 8.1 G1

CI/CD

Skill Level Intermediate (Mid-level experience)
Link to Session Recording https://youtu.be/X_Sb96EKFPA

KubeCon + CloudNativeCon Europe 2019

Sign up or log in to save this to your schedule and see who's attending!

Andrew Martin