Implementing Strict Confinement for Isolated Containers
In the previous chapter, we looked at how to build secure containers using Kata Containers and how to improve workload isolation with hardware virtualization technology. We also discussed the best practices for securing your production-grade cluster with containers. The MicroK8s add-on option has also made it easier to activate Kata Containers, which can significantly increase the security and isolation of your container operations.
In this chapter, we will take a look at another approach to isolation using snap confinement options to run containers in complete isolation, meaning no access to files, networks, processes, or any other system resource without requesting specific access via an interface. Confinement models describe how much access a particular snap has to a user’s machine. There are currently three choices available, as follows:
- The strict confinement level operates in complete isolation, with access...
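Because anything outside strict confinement (a classic or devmode snap) has unmediated access to the host, a useful operational check is to audit which installed snaps are running non-strict. The following is an added example, not code from the book or from the snap project: a small shell function that parses the Notes column of `snap list` output and reports every snap whose notes contain `classic` or `devmode`. The sample listing it runs against is constructed for this example (the names, versions and confinement notes are illustrative, not taken from a real host).

```shell
#!/bin/sh
# Constructed sample of `snap list` output (illustrative values only).
# The Notes column is "-" for a strictly confined app snap and carries
# "classic" or "devmode" when the snap is installed outside strict confinement.
SAMPLE_SNAP_LIST='Name       Version   Rev    Tracking       Publisher   Notes
core20     20230308  1828   latest/stable  canonical   base
microk8s   v1.26.1   4595   1.26/stable    canonical   classic
hello      2.10      42     latest/stable  canonical   -
mytool     0.1       x1     -              -           devmode,held
snapd      2.58.2    18357  latest/stable  canonical   snapd'

# non_strict_snaps LISTING
# Reads `snap list` text from its first argument and prints one line per
# snap that is not strictly confined, as "<name> <confinement>".
# Notes may be comma-separated (e.g. "devmode,held"), so each entry is checked.
non_strict_snaps() {
  printf '%s\n' "$1" | awk 'NR > 1 {
    n = split($NF, notes, ",")
    for (i = 1; i <= n; i++)
      if (notes[i] == "classic" || notes[i] == "devmode")
        print $1, notes[i]
  }'
}

# Stand-alone run over the constructed sample.
non_strict_snaps "$SAMPLE_SNAP_LIST"
```

On a live machine, feed it the real listing with `non_strict_snaps "$(snap list)"`; any snap it reports is one whose access to files, network and processes is not mediated by interfaces and therefore deserves explicit justification in a hardened cluster.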