Container security best practices: Ultimate guide

This page summarizes the projects mentioned and recommended in the original post on news.ycombinator.com

  • kata-containers

    Kata Containers is an open source project and community working to build a standard implementation of lightweight Virtual Machines (VMs) that feel and perform like containers, but provide the workload isolation and security advantages of VMs. https://katacontainers.io/

  • My home k8s cluster is now "locked down" using micro-vms (kata-containers[0]), pod level firewalling (cilium[1]), permission-limited container users, and mostly immutable environments. Given how quickly I rolled this out, the tools to enhance cluster environment security seem more accessible now than my previous research a few years ago.

    I know it's not exactly a production setup, but I really do feel that it's the most secure runtime environment I've ever had accessible at home. Probably more so than my desktops, which you could argue undermines most of my effort, but I like to think I'm pretty careful.

    In the beginning I was very skeptical, but being able to just build a docker/OCI image and then manage its relationships with other services with "one pane of glass" that I can commit to git is so much simpler to me than my previous workflows. My previous setup involved messing with a bunch of tools like packer, cloud-init, terraform, ansible, libvirt, whatever firewall frontend was on the OS, and occasionally sshing in for anything not covered.

    [0] https://github.com/kata-containers/kata-containers

  • cilium

    eBPF-based Networking, Security, and Observability

  • cloud-hypervisor

    A Virtual Machine Monitor for modern Cloud workloads. Features include CPU, memory and device hotplug, support for running Windows and Linux guests, device offload with vhost-user and a minimal compact footprint. Written in Rust with a strong focus on security.

  • Inside the cluster my containers are Linux only. I don't believe kata-containers supports Windows containers as I don't think rust-vmm, which is used by CloudHypervisor[0], or the kata internal execution agent support it.

    If I wanted to run Windows in the cluster I'd probably have to look at KubeVirt[1]. KubeVirt is oriented towards getting traditional VM workloads (ones you'd run in QEMU, Hyper-V, etc.) functioning in a Kubernetes environment, while kata-containers is oriented towards giving container runtime (docker, containers, CRI-O) based workloads the protection of virtualization, with minimal friction.

    Previously external to the cluster I had some Windows VMs hosted on QEMU/KVM + libvirt for experimentation with Linux and Active Directory integration, but they've since been deleted. I've got one OpenBSD server for serving up update images to my routers.

    For network infra I have a number of VyOS[2] firewalls both at the edge and between VLANs, and Mikrotik devices for switching.

    [0] https://github.com/cloud-hypervisor/cloud-hypervisor

    [1] https://github.com/kubevirt/kubevirt

    [2] https://www.vyos.io

  • kubevirt

    Kubernetes Virtualization API and runtime in order to define and manage virtual machines.

