issue153:mon_opinion1
Differences
Below are the differences between two revisions of the page.
issue153:mon_opinion1 [2020/02/04 12:05] – auntiee | issue153:mon_opinion1 [2020/02/04 13:45] – auntiee | ||
---|---|---|---|
Ligne 81: | Ligne 81: | ||
Au fil des ans, le noyau Linux a introduit de nombreuses techniques astucieuses d' | Au fil des ans, le noyau Linux a introduit de nombreuses techniques astucieuses d' | ||
- | Toutefois, vous devriez connaître les Kernel Namespaces, qui signifient que, si tout se passe bien d'une perspective sécuritaire, | + | Toutefois, vous devriez connaître les Kernel Namespaces, qui signifient que, si tout se passe bien d'une perspective sécuritaire, |
+ | Vous voudriez sans doute lire aussi quelque chose sur les capacités du noyau, car il peut créer toutes sortes de restrictions d' | ||
+ | Bien que nous n' | ||
- | Orchestration | + | |
+ | **Orchestration | ||
When you’re running more than a few containers at once, it can be a little like herding cats trying to get them all to behave properly. | When you’re running more than a few containers at once, it can be a little like herding cats trying to get them all to behave properly. | ||
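Review bot: The added line beginning "Vous voudriez sans doute lire aussi" renders the feature name as "les capacités du noyau", while the line just above it keeps "Kernel Namespaces" in English. Consider keeping the English term next to the translation (for example in parentheses) so that readers can search for the kernel feature by name, and check that "il" in "car il peut créer" refers to the intended subject. Note also that the "**" opened at "**Orchestration" is not closed inside this hunk; it only closes at "other areas.**" in the next one, so the two hunks have to be accepted together for the markup to stay balanced.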
Ligne 97: | Ligne 100: | ||
Finally for sensitive container scenarios, you can introduce Security Context Constraints (https:// | Finally for sensitive container scenarios, you can introduce Security Context Constraints (https:// | ||
- | You’re encouraged to read further in order to get cluster security working well, amongst a number of other areas. | + | You’re encouraged to read further in order to get cluster security working well, amongst a number of other areas.** |
- | Stronger Isolation | + | Orchestration |
+ | |||
+ | Quand vous faites tourner plus que quelques conteneurs à la fois, cela pourrait être comme essayer de rassembler des chats et de les faire bien se comporter. | ||
+ | |||
+ | Pour de grandes charges de travail, beaucoup de gens font appelle à Kubernetes (https:// | ||
+ | |||
+ | Bref, vous devriez utiliser une approche plus sophistiquée à l' | ||
+ | |||
+ | Vous devriez également affiner les politiques Pod Security Polisies, quisont valable sur tout l' | ||
+ | |||
+ | Enfin, pour des scénarios des conteneurs sensibles, vous pouvez introduire Security Context Constraints (https:// | ||
+ | |||
+ | N' | ||
+ | |||
+ | **Stronger Isolation | ||
Despite a very high level of isolation being possible through a previous Virtual Machine incarnation of “rkt” (https:// | Despite a very high level of isolation being possible through a previous Virtual Machine incarnation of “rkt” (https:// | ||
- | Virtual Machines adopt a hardware level of isolation making attacks much, much harder than just circumventing a host machine’s kernel. By cleverly enforcing that level of isolation, but enjoying the quick start-up times, portability, | + | Virtual Machines adopt a hardware level of isolation making attacks much, much harder than just circumventing a host machine’s kernel. By cleverly enforcing that level of isolation, but enjoying the quick start-up times, portability, |
- | The End Is Nigh | + | Une isolation plus forte |
+ | |||
+ | Bien qu'un très haut niveau d' | ||
+ | |||
+ | Les machines viruelles acopte une isolation au niveau du matériel ce qui rend les attaques bien plus difficiles que le contournement tout simple du noyau de la machine hôte. En imposant astucieusement ce niveau-là d' | ||
+ | |||
+ | **The End Is Nigh | ||
We’ve barely scratched the surface in terms of getting into the detail about securing applications in your containers. | We’ve barely scratched the surface in terms of getting into the detail about securing applications in your containers. | ||
- | Hopefully, however, the key areas which we’ve looked at briefly will give you some food for thought about what to read up on further the next time you need to make a decision about how to approach solving a container security problem. | + | Hopefully, however, the key areas which we’ve looked at briefly will give you some food for thought about what to read up on further the next time you need to make a decision about how to approach solving a container security problem.** |
+ | |||
+ | La fin approche | ||
+ | |||
+ | On n'a à peine effleurer la surface en termes d' | ||
+ | |||
+ | Cependant, j' | ||
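Review bot: Several of the added French lines in this hunk carry spelling and agreement errors that should be corrected before the revision is kept. "Pod Security Polisies, quisont valable" should read "Pod Security Policies, qui sont valables"; the misspelled feature name matters most, because readers will look it up under that name. "font appelle à Kubernetes" should be "font appel à Kubernetes", "Les machines viruelles acopte" should be "Les machines virtuelles adoptent", "scénarios des conteneurs sensibles" should be "scénarios de conteneurs sensibles", and "On n'a à peine effleurer" should be "On a à peine effleuré".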
issue153/mon_opinion1.txt · Last modified: 2020/02/04 19:24 by d52fr