Container Security Fundamental Technology Concepts That Protect Cloud Native Applications (Liz Rice) (z-library.sk, 1lib.sk, z-lib.sk)

Liz Rice Container Security Fundamental Technology Concepts That Protect Cloud Native Applications 2nd Edition

9 7 9 8 3 4 1 6 2 7 7 0 3 5 5 5 9 9 ISBN: 979-8-341-62770-3 US $55.99 CAN $69.99 CONTAINER S As containerized and cloud native applications become foundational to modern software infrastructure, the need for a deep, conceptual understanding of their security implications has never been more urgent. Container Security, second edition, offers a rigorous yet practical examination of the technologies that underpin container platforms—equipping developers, operations professionals, and security practitioners with the mental models needed to evaluate risk and enhance resilience. Written by Liz Rice, a recognized authority in cloud native security, this updated edition builds on the foundational principles from the first edition while incorporating today’s evolving threat landscape, modern tooling, and advancements in platforms like Kubernetes and Linux. Readers will gain a firm grasp of the architectural components behind containers and the Linux primitives that support them, fostering a systems-level understanding of both threats and mitigation strategies. • Examine the technical underpinnings of containers through a security-focused lens • Evaluate evolving risks and defenses across container runtimes and orchestration platforms • Analyze the implications of modern tooling including eBPF and AI-driven approaches • Apply core principles to assess and secure real-world deployments in dynamic environments Liz Rice is chief open source officer at Isovalent, the creator of Cilium, and now part of Cisco. She is a former CNCF governing board member, CNCF technical oversight committee chair, and KubeCon cochair. Rice is also the author of O’Reilly’s Learning eBPF and the first edition of Container Security. Container Security “The def initive guide to Linux kernel, container, and VM isolation in Liz’s inimitable style. If you enjoy her ‘from scratch’ talks and demos, this book will take you deeper into the mystical world of container security with illuminating tips, tools, and techniques to keep your applications and data safe.” Andrew Martin, CEO, ControlPlane “Liz’s concrete and hands-on approach to container security makes this book an invaluable resource for technology professionals. With expanded coverage on Linux system and container fundamentals, this new edition is a must-have for secure container operation.” Phil Estes, principal engineer, containers and open source strategy, AWS

Liz Rice Container Security Fundamental Technology Concepts That Protect Cloud Native Applications SECOND EDITION

979-8-341-62770-3 [LSI] Container Security by Liz Rice Copyright © 2026 Vertical Shift Ltd. All rights reserved. Printed in the United States of America. Published by O’Reilly Media, Inc., 141 Stony Circle, Suite 195, Santa Rosa, CA 95401. O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com. Acquisitions Editor: Megan Laddusaw Development Editor: Rita Fernando Production Editor: Elizabeth Faerm Copyeditor: Adam Lawrence Proofreader: Kim Wimpsett Indexer: WordCo Indexing Services, Inc. Cover Designer: Susan Brown Cover Illustrator: Karen Montgomery Interior Designer: David Futato Interior Illustrator: Kate Dullea April 2020: First Edition October 2025: Second Edition Revision History for the Second Edition 2025-10-07: First Release See http://oreilly.com/catalog/errata.csp?isbn=0642572174828 for release details. The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Container Security, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc. The views expressed in this work are those of the author and do not represent the publisher’s views. While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

Table of Contents Preface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi 1. Container Security Threats. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Risks, Threats, and Mitigations 2 Container Threat Model 3 Security Boundaries 7 Multitenancy 8 Shared Machines 9 Virtualization 9 Container Multitenancy 10 Container Instances 11 Security Principles 11 Least Privilege 11 Defense in Depth 12 Reducing the Attack Surface 12 Limiting the Blast Radius 12 Segregation of Duties 12 Applying Security Principles with Containers 12 Summary 13 2. Linux System Calls, Permissions, and Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 System Calls 15 File Permissions 17 setuid and setgid 18 Security Implications of setuid 21 Linux Capabilities 21 Privilege Escalation 23 Summary 24 iii

3. Control Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25 Control Group Controllers 26 Creating and Configuring Cgroups 27 Assigning a Process to a Cgroup 28 Cgroups for Containers 28 Preventing a Fork Bomb 30 Summary 31 4. Container Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33 Linux Namespaces 34 Isolating the Hostname 35 Isolating Process IDs 37 Changing the Root Directory 40 Combine Namespacing and Changing the Root 42 Mount Namespace 43 Network Namespace 45 User Namespace 47 Inter-Process Communications Namespace 51 Cgroup Namespace 52 Time Namespace 53 Kubernetes Pods and Container Namespaces 54 Container Processes from the Host Perspective 54 Container Host Machines 56 Summary 57 5. Virtual Machines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59 Booting Up a Machine 59 Enter the VMM 61 Type 1 VMMs, or Hypervisors 61 Type 2 VMM 62 Kernel-Based Virtual Machines 63 Trap-and-Emulate 64 Handling Non-Virtualizable Instructions 64 Nested Virtualization 65 KubeVirt 65 Process Isolation and Security 65 Disadvantages of Virtual Machines 67 Container Isolation Compared to VM Isolation 67 Summary 68 iv | Table of Contents

6. Container Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69 Root Filesystem and Image Configuration 69 Overriding Config at Runtime 70 OCI Standards 71 Image Configuration 72 Building Images 74 The Dangers of Docker Build 74 Image Layers 76 Multiplatform Images 79 Storing Images 80 Running Your Own Registry 80 Pushing and Pulling 81 Identifying Images 81 Summary 83 7. Supply Chain Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85 Container Image Software Components 86 SLSA 87 Software Bill of Materials 87 Dependency Confusion 88 Package Hallucination 88 Language-Specific SBOMs 88 Minimal Base Images 89 Dockerfile Security 90 Provenance of the Dockerfile 90 Dockerfile Best Practices for Security 91 Attacks on the Build Machine 94 Generating an SBOM 95 Signing Images and Software Artifacts 96 Build Attestations 97 Image Manifests 98 Image Deployment Security 101 Deploying the Right Image 102 Malicious Deployment Definition 102 Verifying the Image Signature and Provenance 102 Admission Control 103 Summary 104 8. Software Vulnerabilities in Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105 Vulnerability Research 105 Vulnerabilities, Patches, and Distributions 107 Table of Contents | v

Application-Level Vulnerabilities 107 Vulnerability Risk Management 108 Vulnerability Scanning 109 Installed Packages 110 Container Image Scanning 110 Immutable Containers 111 Regular Scanning 112 Scanning Tools 112 Sources of Information 113 Out-of-Date Sources 113 Won’t Fix Vulnerabilities 114 VEX Input 114 Subpackage Vulnerabilities 114 Package Name Differences 114 Statically Linked Executables 114 Scanning Multiplatform Images 115 Additional Scanning Features 115 Scanner Errors 116 Scanning in the CI/CD Pipeline 116 Prevent Vulnerable Images from Running 118 Updating Images 119 Zero-Day Vulnerabilities 120 Summary 121 9. Infrastructure as Code and GitOps. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123 IaC 123 GitOps 124 Implications for Deployment Security 126 GitOps Security Best Practices 128 Summary 129 10. Strengthening Container Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131 Seccomp 132 AppArmor 134 SELinux 135 gVisor 136 Kata Containers 139 Lightweight/Micro Virtual Machines 139 Unikernels 141 Summary 141 vi | Table of Contents

11. Breaking Container Isolation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143 Containers Run as Root by Default 143 Override the User ID 144 No New Privileges 145 Root Requirement Inside Containers 147 Root for Installing Software 149 Privileges for eBPF and Kernel Modules 150 Rootless Containers 151 The --privileged Flag and Capabilities 153 Mounting Sensitive Directories 156 Mounting the Docker Socket 157 Sharing Namespaces Between a Container and Its Host 157 Sidecar Containers 158 Deploying Sidecars 160 Sidecar Limitations 160 Debug Containers 161 Summary 161 12. Container Network Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163 Container Firewalls and Microsegmentation 163 OSI Networking Model 165 Sending an IP Packet 167 IP Addresses for Containers 168 Network Isolation 169 Layer 3/4 Routing and Rules 170 iptables 170 eBPF 173 Network Policies 174 Layer 3/4 Policy with iptables 175 Layer 3/4 Policies with eBPF 176 Layer 7 Policies 177 Network Policy Solutions 178 Service Mesh 179 Network Policy Best Practices 180 Summary 181 13. Securely Connecting Components. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 183 Secure Connections 183 X.509 Certificates 185 Public/Private Key Pairs 185 Certificate Authorities 187 Table of Contents | vii

Certificate Signing Requests 188 TLS Connections 189 WireGuard and IPSec 190 Zero-Trust Networking 192 Secure Connections Between Containers 193 Certificate Revocation 193 Service Meshes for Encrypted Traffic 194 SPIFFE 195 External Traffic 196 Ingress Traffic 196 Egress Traffic 197 Network Observability and Logging 197 Summary 198 14. Passing Secrets to Containers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199 Secret Properties 199 Getting Information into a Container 200 Storing the Secret in the Container Image 201 Passing the Secret Over the Network 202 Passing Secrets in Environment Variables 202 Passing Secrets Through Files 203 Kubernetes Secrets 204 Secrets Store CSI Driver 205 External Secrets Operator 205 Rotating Secrets in Kubernetes 205 Secrets Are Accessible by Root 207 Summary 208 15. Container Runtime Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209 Container Image Runtime Policies 210 Network Traffic 210 Executables 211 File Access 212 User and Group IDs 212 AI for Generating Runtime Policies 213 Technology Options for Runtime Security 213 LD_PRELOAD 213 Ptrace 214 Seccomp, AppArmor, and SELinux 215 Kernel-Based Runtime Security 215 eBPF for Runtime Security 216 viii | Table of Contents

Container Runtime Security Tools 219 Falco 219 Cilium Tetragon 220 Tracee 223 Inspektor Gadget 223 Prevention or Alerting 223 Quarantining a Container 225 Vulnerability Mitigation 225 Summary 227 16. Containers and the OWASP Top 10. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229 Broken Access Control 229 Cryptographic Failures 230 Injection 230 Insecure Design 230 Security Misconfiguration 231 Vulnerable and Outdated Components 232 Identification and Authentication Failure 232 Software and Data Integrity Failures 232 Security Logging and Monitoring Failures 233 Server-Side Request Forgery 233 Summary 234 Conclusions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235 Appendix. Security Checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237 Index. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 241 Table of Contents | ix

Preface Many organizations are running applications in cloud native environments, using containers and orchestration to facilitate scalability and resilience. If you’re a member of the Operations, Security, DevOps, or even DevSecOps teams setting up these envi‐ ronments for your company, how do you know whether your deployments are secure? If you’re a security professional with experience in traditional server-based or virtual machine–based systems, how can you adapt your existing knowledge for container-based deployments? And as a developer in the cloud native world, what do you need to think about to improve the security of your containerized applications? This book delves into some of the key underlying technologies that containers and cloud native computing rely on, to leave you better equipped to assess the security risks and potential solutions applicable to your environment and to help you avoid falling into bad practices that will leave your technology deployments exposed. In this book you will learn about many of the building block technologies and mecha‐ nisms that are commonly used in container-based systems and how they are con‐ structed in the Linux operating system. Together we will dive deep into the underpinnings of how containers work and how they communicate so that you are well versed not just in the “what” of container security but also, and more impor‐ tantly, in the “why.” My goal in writing this book is to help you better understand what’s happening when you deploy containers. I want to encourage you to build men‐ tal models that allow you to make your own assessment of potential security risks that could affect your deployments. This book primarily considers the kind of “application containers” that many busi‐ nesses are using these days to run their business applications in systems such as Kubernetes and Docker. This is in contrast to “system containers” such as LXC and LXD from the Linux Containers Project. In an application container, you are encour‐ aged to run immutable containers with as little code as is necessary to run the appli‐ cation, whereas in a system container environment, the idea is to run an entire Linux distribution and treat it more like a virtual machine. It’s considered perfectly normal to use SSH (Secure Shell) to access a system container, but security experts will look xi

at you askance if you want to SSH into an application container in production (for reasons covered later in this book). However, the basic mechanisms used to create application and system containers alike are control groups, namespaces, and chang‐ ing the root directory, so this book will give you a solid foundation from which you may wish to explore the differences in approach taken by the different container projects. Be warned that there are a few “container” implementations, like the new Apple Containerization project, that isolate workloads using different technologies. You’ll understand the differences by the end of this book! Who This Book Is For Whether you consider yourself a developer, a security professional, an operator, or a manager, this book will suit you best if you like to get into the nitty-gritty of how things work and if you enjoy time spent in a Linux terminal. If you are looking for an instruction manual that gives a step-by-step guide to secur‐ ing containers, this may not be the book for you. I don’t believe there is a one-size- fits-all approach that would work for every application in every environment and every organization. Instead, I want to help you understand what is happening when you run applications in containers and how different security mechanisms work so that you can judge the risks for yourself. As you’ll find out later in this book, containers are made with a combination of fea‐ tures from the Linux kernel. Securing containers involves using a lot of the same mechanisms as you would use on a Linux host. (I use the term “host” to cover both virtual machines and bare-metal servers.) I lay out how these mechanisms work and then show how they apply in containers. If you are an experienced system adminis‐ trator, you’ll be able to skip over some sections to get to the container-specific information. You’ll have noticed that I mentioned Linux a few times already—and yes, there are other operating systems! I’ll mention other OSs once or twice, but this book mostly focuses on Linux containers running on Linux hosts. I assume that you have some basic familiarity with containers and you have probably at least toyed with Docker or Kubernetes. You will understand terms like “pulling a container image from a registry” or “running a container” even if you don’t know exactly what is happening under the covers when you take these actions. I don’t expect you to know the details of how containers work—at least, not until you have read the book. xii | Preface

What This Book Covers We’ll start in Chapter 1 by considering threat models and attack vectors that affect container deployments, and the aspects that differentiate container security from tra‐ ditional deployment security. The remainder of the book is concerned with helping you build a thorough understanding of containers and these container-specific threats, and with how you can defend against them. Before you can really think about how to secure containers, you’ll need to know how they work. Chapter 2 sets the scene by describing some core Linux mechanisms such as system calls and capabilities that will come into play when we use containers. Then in Chapters 3 and 4, we’ll delve into the Linux constructs that containers are made from. This will give you an understanding of what containers really are and of the extent to which they are isolated from each other. We’ll compare this with virtual machine isolation in Chapter 5. In Chapter 6 you’ll learn about the contents of container images and consider how to build them with security in mind. Chapter 7 goes on to discuss supply chain security best practices, for ensuring that container images and their contents aren’t tampered with. Chapter 8 addresses the need to identify container images with known software vulnerabilities. This relies on treating containers as immutable, and Chapter 9 consid‐ ers the security benefits of taking immutability a step further, and applying a GitOps approach to deploying containers and their configuration. In Chapter 10 we will look at some optional Linux security measures that can be applied to harden containers beyond the basic implementation we saw in Chapter 4, and some variant approaches to isolating containers from each other. We will look into ways that container isolation can be compromised through dangerous but com‐ monplace misconfigurations in Chapter 11. Then we will turn to the communications between containers. Chapter 12 looks at how containers communicate and explores ways to leverage the connections between them to improve security. Chapter 13 explains the basics of keys and certificates, which containerized components can use to identify each other and set up secure net‐ work connections between themselves. This is no different for containers than it is for any other component, but this topic is included since keys and certificates are often a source of confusion in distributed systems. In Chapter 14 we will see how cer‐ tificates and other credentials can be safely (or not so safely) passed to containers at runtime. In Chapter 15 we will consider ways in which security tooling can prevent attacks at runtime, taking advantage of the features of containers. Preface | xiii

Finally, Chapter 16 reviews the top 10 security risks published by the Open Web Application Security Project and considers container-specific approaches for address‐ ing them. Spoiler alert: some of the top security risks are addressed in exactly the same way whether your application is containerized or not. What Has Changed in the Second Edition? In the five years since the first edition of this book was published in 2020, there has been considerable change in the container ecosystem. Later that year, the SolarWinds cyberattack focused attention on the software supply chain, leading to the develop‐ ment of a whole field of supply chain security. The term “GitOps” was first uttered in 2018 and has been widely adopted in the last few years, perhaps because organiza‐ tions took advantage of “runners” provided by GitHub and other repository plat‐ forms in a modern approach to CI/CD. eBPF emerged as the preeminent technology for runtime security tools and for container networking with policy enforcement. Even the fundamentals that underpin containers have evolved: they still use Linux namespaces, but the user namespace is now used quite commonly, rootless containers are a reality, and the ecosystem has moved on to control groups version 2. The communities around cloud native and containers have helped to spread educa‐ tion about security best practices, so some of the most worrying techniques (like installing packages into a running container) are thankfully much less commonplace than they used to be. They are still included in this book because it’s important that we don’t, as an industry, regress to using these antipatterns! And perhaps the biggest consolidation since I wrote the first edition: Kubernetes has become firmly established as the dominant orchestrator. A Note About Kubernetes These days the majority of folks using containers are doing so under the Kubernetes orchestrator. An orchestrator automates the process of running different workloads in a cluster of machines, and there are places in this book where I will assume you have a basic grasp of this concept. In general, I have tried to stay focused on concepts that act at the level of the underlying containers—the “data plane” in a Kubernetes deployment. Because Kubernetes workloads run in containers, this book is relevant to Kubernetes security, but it is not a comprehensive treatment of everything related to securing Kubernetes or cloud native deployments. You’ll find a good, up-to-date list of security considerations in the Kubernetes documentation, including the configuration and use of the control plane components that are outside the scope of this book. xiv | Preface

However widespread Kubernetes may be, it’s not the only option. There is widespread use of managed container platforms like AWS Elastic Container Service, AWS Fargate, Azure Container Instances, and Google Cloud Run, and Docker and Podman are often used, particularly for local development, CI pipelines, and small- scale deployments. Examples There are lots of examples in this book, and I encourage you to try them out for yourself. In the examples, I assume you are comfortable with basic Linux command-line tools like ps and grep and with the basic day-to-day activities of running container appli‐ cations through the use of tools like kubectl or docker. This book will use the former set of tools to explain a lot more about what’s happening when you use the latter! To follow along with the examples in this book, you will need access to a Linux machine or virtual machine. I created the examples using an Ubuntu 24.04 virtual machine. You should be able to achieve similar results on different Linux distribu‐ tions and using virtual machines running on your local machine or on your favorite cloud provider. How to Run Containers For many people, their main (perhaps only) experience of running containers directly is with Docker. Docker democratized the use of containers by providing a set of tools that developers generally found easy to use. From a terminal, you manipulate con‐ tainers and container images using the docker command. This docker tool is really a thin layer making API calls to Docker’s main component: a daemon that does all the hard work. Within the daemon is a component called con tainerd that is invoked whenever you want to run a container. The containerd project was donated by Docker to the Cloud Native Computing Foundation (CNCF) in 2017. The containerd component makes sure the container image you want to run is in place, and it then calls a runc component to do the business of actually instantiating a container. If you want to, you can run a container yourself by invoking containerd or even runc directly. Kubernetes uses an interface called the Container Runtime Interface (CRI) beneath which users can opt for a container runtime of their choice. The most commonly used options today are the aforementioned containerd and CRI-O (which originated from Red Hat before being donated to the CNCF). Preface | xv

The docker CLI is just one option for managing containers and images. There are several others you can use to run the kind of application containers covered in this book. Red Hat’s podman tool, originally conceived to remove reliance on a daemon component, is one such option. The examples in this book use a variety of different container tools to illustrate that there are multiple container implementations that share many common features. At the time I’m writing this second edition, Apple has just launched its containerization project. It uses the same container image for‐ mats as Docker (which you’ll learn about in Chapter 6), and the command-line interface has a lot of similarities, but as you’ll see when you get to Chapter 10, it uses a different mechanism to iso‐ late containers from each other. For that reason, several examples from this book won’t behave the same if you run them using Apple containerization. Feedback The website containersecurity.tech accompanies this book. You are invited to raise issues there with feedback and any corrections that you’d like to see in future editions. Conventions Used in This Book The following typographical conventions are used in this book: Italic Indicates new terms, URLs, email addresses, filenames, and file extensions. Constant width Used for commands and output listings, as well as within paragraphs to refer to technical elements such as library, file, image, or function names, environment variables, statements, and keywords. Constant width italic Shows text that should be replaced with user-supplied values or by values deter‐ mined by context. This element signifies a general note. xvi | Preface

Using Code Examples Supplemental code examples are available at https://containersecurity.tech. There is a sandbox environment for running these examples, along with quiz questions to test your learning, on the O’Reilly online platform. If you have a technical question or a problem using the code examples, please send email to support@oreilly.com. This book is here to help you get your job done. In general, if example code is offered with this book, you may use it in your programs and documentation. You do not need to contact us for permission unless you’re reproducing a significant portion of the code. For example, writing a program that uses several chunks of code from this book does not require permission. Selling or distributing examples from O’Reilly books does require permission. Answering a question by citing this book and quoting example code does not require permission. Incorporating a significant amount of example code from this book into your product’s documentation does require permission. We appreciate, but generally do not require, attribution. An attribution usually includes the title, author, publisher, and ISBN. For example: “Container Security, 2nd edition, by Liz Rice (O’Reilly). Copyright 2026 Vertical Shift Ltd., 979-8-341-62770-3.” If you feel your use of code examples falls outside fair use or the permission given above, feel free to contact us at permissions@oreilly.com. O’Reilly Online Learning For more than 40 years, O’Reilly Media has provided technol‐ ogy and business training, knowledge, and insight to help companies succeed. Our unique network of experts and innovators share their knowledge and expertise through books, articles, and our online learning platform. O’Reilly’s online learning platform gives you on-demand access to live training courses, in-depth learning paths, interactive coding environments, and a vast collection of text and video from O’Reilly and 200+ other publishers. For more information, visit https://oreilly.com. Preface | xvii

How to Contact Us Please address comments and questions concerning this book to the publisher: O’Reilly Media, Inc. 141 Stony Circle, Suite 195 Santa Rosa, CA 95401 800-889-8969 (in the United States or Canada) 707-827-7019 (international or local) 707-829-0104 (fax) support@oreilly.com https://oreilly.com/about/contact.html We have a web page for this book, where we list errata and any additional informa‐ tion. You can access this page at https://oreil.ly/container-security-2e. For news and information about our books and courses, visit https://oreilly.com. Find us on LinkedIn: https://linkedin.com/company/oreilly-media. Watch us on YouTube: https://youtube.com/oreillymedia. Acknowledgments I’m grateful to many people who have helped and supported me through the process of writing this book: • My editors at O’Reilly, Rita Fernando (second edition) and Virginia Wilson (first edition), for keeping everything on track and making sure the book is up to scratch • The technical reviewers who provided thoughtful comments and actionable feed‐ back on the first and second additions: Akhil Behl, Alex Pollitt, Andrew Martin, Erik St. Martin, Jed Salazar, Phil Estes, Rani Osnat, and Robert P. J. Day • My teammates at Isovalent, my former colleagues at Aqua Security, and countless people from the cloud native community, who taught me so much about con‐ tainer security over the years • Phil Pearl—my husband, my best critic and coach, and my best friend xviii | Preface