Talk: Security for Container Workloads: Key Takeaways from ContainerDays 2019
I gave a talk at ContainerDays 2019 about securing container workloads. You can watch the full thing here.
The basic problem: containers share a kernel. If something goes wrong in one container, the host kernel is right there. This matters especially if you’re a PaaS or serverless provider running other people’s code.
The talk walks through known vulnerabilities and past container escapes, then looks at four technologies that take different approaches to the isolation problem:
- gVisor intercepts syscalls before they reach the host kernel, adding a layer between the container and the OS.
- Kata Containers runs each container inside a lightweight VM, so you get VM-level isolation with a container-like workflow.
- Nabla Containers restricts the syscall surface available to the container, reducing what an attacker can reach.
- Firecracker is AWS’s microVM approach, built for multi-tenant serverless workloads.
Each has different trade-offs around performance, compatibility, and how much of the kernel you’re willing to trust. The talk compares them side by side.
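As an added illustration of the "restrict the syscall surface" idea from the list above (example code written for this page, not code from the talk or from gVisor, Kata, Nabla or Firecracker): with the stock container runtime, the closest counterpart is a seccomp profile that denies every syscall by default and allowlists only what the workload needs. The script builds such a profile in the Docker/OCI JSON format, evaluates a syscall against it, and flags high-risk syscalls the profile still lets through. Both syscall lists are constructed for illustration and are not a vetted policy for any real service.

```python
"""Build and audit a deny-by-default seccomp profile for a container.

Example code added for this page. The allowlist below is a constructed,
illustrative set; real profiles are derived by tracing the actual workload.
"""
import json

# Constructed allowlist: roughly what a small network service needs to
# start, serve requests and exit.
ALLOWED_SYSCALLS = {
    "accept4", "bind", "brk", "clock_gettime", "close", "connect",
    "epoll_create1", "epoll_ctl", "epoll_wait", "exit", "exit_group",
    "fstat", "futex", "getpid", "listen", "mmap", "mprotect", "munmap",
    "openat", "read", "recvfrom", "rt_sigaction", "rt_sigprocmask",
    "sendto", "setsockopt", "socket", "write",
}

# Constructed list of syscalls that widen the kernel attack surface and that
# an ordinary service has no reason to call; the audit flags a profile that
# allows any of them.
HIGH_RISK_SYSCALLS = {
    "mount", "umount2", "ptrace", "keyctl", "unshare", "setns", "reboot",
    "kexec_load", "init_module", "finit_module", "delete_module", "bpf",
}


def build_profile(allowed, default_action="SCMP_ACT_ERRNO"):
    """Return a Docker/OCI seccomp profile that allows only `allowed`.

    SCMP_ACT_ERRNO makes every other syscall fail with an error instead of
    reaching the host kernel, which is the whole point of shrinking the surface.
    """
    return {
        "defaultAction": default_action,
        "architectures": ["SCMP_ARCH_X86_64"],
        "syscalls": [{"names": sorted(allowed), "action": "SCMP_ACT_ALLOW"}],
    }


def evaluate(profile, syscall):
    """Return the action the profile applies to `syscall`.

    First matching rule wins; otherwise the default action applies.
    """
    for rule in profile["syscalls"]:
        if syscall in rule["names"]:
            return rule["action"]
    return profile["defaultAction"]


def audit_profile(profile, high_risk=HIGH_RISK_SYSCALLS):
    """Return the high-risk syscalls the profile would let through, sorted."""
    return sorted(s for s in high_risk if evaluate(profile, s) == "SCMP_ACT_ALLOW")


def profile_json(profile):
    """Serialise the profile in the form `docker run --security-opt seccomp=FILE` expects."""
    return json.dumps(profile, indent=2)


if __name__ == "__main__":
    profile = build_profile(ALLOWED_SYSCALLS)
    with open("profile.json", "w") as fh:
        fh.write(profile_json(profile))
    print("high-risk syscalls still allowed:", audit_profile(profile) or "none")
    print("apply with: docker run --security-opt seccomp=profile.json IMAGE")
```

The audit step is the part worth keeping around: profiles tend to grow as people add "just one more" syscall to make something work, and a check that fails the build when a mount- or module-loading syscall sneaks back in catches that drift before it ships.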
If this is your area, watch the recording. Find me on my website or on Twitter @chrisbargmann if you want to talk about it.