4 Repos
Tools and mechanisms for securing containerized environments and isolating processes from the host system.
Distinguishing note: Focuses on security isolation primitives like rootless namespaces rather than general infrastructure management.
Explore 4 awesome GitHub repositories matching devops & infrastructure · Container Security. Refine with filters or upvote what's useful.
NSQ is a distributed, brokerless messaging platform designed for high-throughput, fault-tolerant communication. By utilizing a decentralized topology, it eliminates single points of failure and allows for horizontal scaling across clusters. The system organizes message streams into topics and channels, effectively decoupling producers from consumers to support both streaming and job-oriented workloads. The platform distinguishes itself through a lookup-service-based discovery mechanism that enables clients to dynamically locate producers at runtime without requiring centralized coordination.
Secures containerized messaging services by mounting certificates for encrypted communication.
Distroless provides a collection of security-hardened, minimal base container images designed to reduce attack surfaces by excluding non-essential system utilities, package managers, and shells. These images are constructed to contain only an application and its specific runtime dependencies, enforcing the principle of least privilege by configuring environments for non-root execution. The project distinguishes itself through a focus on supply chain integrity and reproducible builds. It utilizes declarative build configurations to track package versions and validates container image integrity
Executes applications in stripped-down container environments that exclude shells and package managers.
Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration. The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola
Applies kernel-level security mechanisms to container processes to restrict system calls and isolate workloads from the host.
rkt ist eine sichere Linux-Container-Engine und ein Pod-nativer Container-Manager. Er bietet eine komponierbare Ausführungsumgebung zum Starten und Verwalten isolierter Anwendungscontainer unter Linux und dient als Runtime, die auf offenen Industriestandards für Image-Formate und Netzwerkschnittstellen basiert. Das System zeichnet sich durch ein Pod-natives Ausführungsmodell aus, das mehrere Container und geteilte Ressourcen in einzelnen, in sich geschlossenen Einheiten gruppiert. Es nutzt einsteckbare Ausführungs-Engines, um eine sichere Isolierung zu gewährleisten, einschließlich der Verwendung hardwarebasierter Virtualisierung, um Sicherheitsgrenzen zwischen dem Host-System und laufenden Anwendungen zu schaffen. Das Projekt deckt ein breites Spektrum an Funktionen im Container-Management ab, einschließlich OCI-konformer Image-Ausführung und CNI-basierter Vernetzung. Es bietet zudem die Integration mit Cluster-Orchestratoren und System-Initialisierungswerkzeugen zur Verwaltung von Workloads in verteilten Umgebungen.
Secures the host system by isolating containers through hardware virtualization and security modules.