Securing Containers, First Steps in Docker and Kubernetes

DevOps and Docker Talk

Episode | Podcast

Date: Fri, 23 Sep 2022 09:30:00 -0400

<p>Bret goes through his top recommendations for securing container images, Docker containers and Kubernetes pods.</p>
<p>This is a tip-packed show where Bret lists much of what's documented in his courses, starting with the first steps you should take and the bare security necessities that everyone should be doing. Then he covers the more advanced security activities to consider once the basics are in place.</p>
<p>Streamed live on YouTube on July 7, 2022.</p>
<p><strong>Unedited <a href="https://www.youtube.com/watch?v=3hvwuu-eTh0">live recording</a> of this show on YouTube (Ep #177).</strong></p>
<p>★Topics★<br />
<a href="https://github.com/BretFisher/ama/discussions/150">Bret's Container Security AMA</a><br />
<a href="https://docs.docker.com/engine/security/">Docker Security Docs</a><br />
<a href="https://atomist.com/product/container-vulnerability-scanning">Docker Buys Atomist</a><br />
<a href="https://www.slim.ai/">Slim.ai website</a>: Auto-slimming images<br />
<a href="https://dockersl.im/">Docker Slim tool</a><br />
<a href="https://github.com/kubescape/kubescape">Kubescape website</a><br />
<a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/">Kubernetes Security Context</a><br />
<a href="https://kubernetes.io/blog/2021/08/25/seccomp-default">Seccomp by default</a><br />
<a href="https://github.com/BretFisher/super-linter-workflow">Lint all files with super-linter</a><br />
<a href="https://www.datree.io/">Datree K8s file scan</a><br />
<a href="https://github.com/aquasecurity/kube-bench">Kubernetes Benchmark</a><br />
<a href="https://github.com/BretFisher/allhands22">My GitHub Actions examples</a>: Automate your builds, CVE scans, and more<br />
Video on <a href="https://github.com/BretFisher/nodejs-rocks-in-docker">building a more secure base image</a><br />
<a href="https://snyk.io/">Snyk security tools</a> website<br />
<a href="https://github.com/aquasecurity/trivy">Trivy CVE and K8s scans</a><br />
<a href="https://sysdig.com/opensource/falco/">Falco</a> for watching servers for bad behavior</p>
<p><strong>★Join my Community★</strong><br />
Best coupons for my <a href="https://www.bretfisher.com/courses"><strong>Docker and Kubernetes courses</strong></a></p>
<p>Chat with us on our Discord Server <a href="https://discord.com/invite/rnNf8jhKcx"><strong>Vital DevOps</strong></a></p>
<p>Homepage <a href="https://bretfisher.com/"><strong>bretfisher.com</strong></a></p>
<ul>
<li>(00:00) - Intro</li>
<li>(00:52) - Mid-Roll Intro</li>
<li>(00:53) - Bret's Intro</li>
<li>(01:46) - Main show</li>
<li>(02:45) - What should I worry about first? The Basics!</li>
<li>(03:47) - Start with images</li>
<li>(04:28) - Bret.show/SecurityFirst</li>
<li>(05:04) - CVE scanning</li>
<li>(05:36) - Dependency scanning</li>
<li>(06:28) - Bret's GitHub with Dependabot</li>
<li>(07:25) - OS dependencies with Trivy and Snyk</li>
<li>(09:23) - Bret's Talks</li>
<li>(10:17) - Alpine is not always good</li>
<li>(11:27) - All hands on automation</li>
<li>(12:14) - Don't run as root inside the image</li>
<li>(14:04) - Question</li>
<li>(15:20) - Making slimmer images</li>
<li>(15:52) - Atomist</li>
<li>(17:19) - DockerSlim</li>
<li>(20:48) - Question</li>
<li>(22:21) - Question</li>
<li>(24:09) - Question</li>
<li>(24:36) - Question</li>
<li>(24:45) - Question</li>
<li>(25:15) - Securing Docker</li>
<li>(25:47) - Docker host scanner</li>
<li>(26:28) - Falco</li>
<li>(26:55) - Just use Docker</li>
<li>(28:28) - Question about Windows Containers</li>
<li>(30:19) - Maintain your servers</li>
<li>(31:12) - Docker in the cloud</li>
<li>(32:29) - Always stay on the latest Kubernetes release</li>
<li>(33:33) - Kube-bench</li>
<li>(34:22) - Datree.io</li>
<li>(35:04) - Pod specs</li>
<li>(36:08) - Seccomp</li>
<li>(37:33) - Security context</li>
<li>(38:57) - Privilege escalation</li>
<li>(39:50) - Super-linter</li>
<li>(40:54) - Question about Fargate</li>
<li>(42:35) - Network policies</li>
<li>(44:38) - Kubernetes docs article on security context</li>
<li>(45:16) - Question</li>
<li>(47:43) - Third-party security monitoring</li>
<li>(47:57) - Question about volumes</li>
<li>(48:45) - Question about Docker subnets</li>
<li>(49:30) - Question about secrets</li>
<li>(50:17) - Question about subnets 2</li>
<li>(50:48) - Question</li>
<li>(53:03) - Outro</li>
</ul>
<p><strong>Support this show and get exclusive benefits on <a href="https://patreon.com/BretFisher">Patreon</a>, <a href="https://www.youtube.com/@BretFisher">YouTube</a>, or <a href="https://www.bretfisher.com/">bretfisher.com</a>!</strong></p>