4 repository-uri
Tools and mechanisms for securing containerized environments and isolating processes from the host system.
Distinguishing note: Focuses on security isolation primitives like rootless namespaces rather than general infrastructure management.
Explore 4 awesome GitHub repositories matching devops & infrastructure · Container Security. Refine with filters or upvote what's useful.
NSQ is a distributed, brokerless messaging platform designed for high-throughput, fault-tolerant communication. By utilizing a decentralized topology, it eliminates single points of failure and allows for horizontal scaling across clusters. The system organizes message streams into topics and channels, effectively decoupling producers from consumers to support both streaming and job-oriented workloads. The platform distinguishes itself through a lookup-service-based discovery mechanism that enables clients to dynamically locate producers at runtime without requiring centralized coordination.
Secures containerized messaging services by mounting certificates for encrypted communication.
Distroless provides a collection of security-hardened, minimal base container images designed to reduce attack surfaces by excluding non-essential system utilities, package managers, and shells. These images are constructed to contain only an application and its specific runtime dependencies, enforcing the principle of least privilege by configuring environments for non-root execution. The project distinguishes itself through a focus on supply chain integrity and reproducible builds. It utilizes declarative build configurations to track package versions and validates container image integrity
Executes applications in stripped-down container environments that exclude shells and package managers.
Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration. The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola
Applies kernel-level security mechanisms to container processes to restrict system calls and isolate workloads from the host.
rkt este un motor de containere Linux securizat și un manager de containere pod-native. Oferă un mediu de execuție compozabil pentru lansarea și gestionarea containerelor de aplicații izolate pe Linux, servind ca un runtime conceput în jurul standardelor industriale deschise pentru formate de imagini și interfețe de rețea. Sistemul se distinge printr-un model de execuție pod-native care grupează mai multe containere și resurse partajate în unități unice, auto-conținute. Utilizează motoare de execuție pluggable pentru a oferi izolare securizată, inclusiv utilizarea virtualizării bazate pe hardware pentru a crea limite de securitate între sistemul host și aplicațiile care rulează. Proiectul acoperă capabilități largi în gestionarea containerelor, inclusiv execuția imaginilor conforme cu OCI și rețelistică bazată pe CNI. De asemenea, oferă integrare cu orchestratoare de clustere și instrumente de inițializare a sistemului pentru a gestiona workload-urile în medii distribuite.
Secures the host system by isolating containers through hardware virtualization and security modules.