4 个仓库
Tools and mechanisms for securing containerized environments and isolating processes from the host system.
Distinguishing note: Focuses on security isolation primitives like rootless namespaces rather than general infrastructure management.
Explore 4 awesome GitHub repositories matching devops & infrastructure · Container Security. Refine with filters or upvote what's useful.
NSQ is a distributed, brokerless messaging platform designed for high-throughput, fault-tolerant communication. By utilizing a decentralized topology, it eliminates single points of failure and allows for horizontal scaling across clusters. The system organizes message streams into topics and channels, effectively decoupling producers from consumers to support both streaming and job-oriented workloads. The platform distinguishes itself through a lookup-service-based discovery mechanism that enables clients to dynamically locate producers at runtime without requiring centralized coordination.
Secures containerized messaging services by mounting certificates for encrypted communication.
Distroless provides a collection of security-hardened, minimal base container images designed to reduce attack surfaces by excluding non-essential system utilities, package managers, and shells. These images are constructed to contain only an application and its specific runtime dependencies, enforcing the principle of least privilege by configuring environments for non-root execution. The project distinguishes itself through a focus on supply chain integrity and reproducible builds. It utilizes declarative build configurations to track package versions and validates container image integrity
Executes applications in stripped-down container environments that exclude shells and package managers.
Containerd is a daemon-based container runtime that manages the complete lifecycle of containers on a host system. It functions as a core orchestration backend, handling image distribution, storage, and process execution while adhering to industry-standard specifications for container execution and configuration. The project is distinguished by its modular, plugin-based architecture, which allows for the extension of storage, runtime, and networking capabilities without requiring a full daemon recompile. It utilizes a shim-based execution model to delegate low-level operations, ensuring isola
Applies kernel-level security mechanisms to container processes to restrict system calls and isolate workloads from the host.
rkt 是一个安全的 Linux 容器引擎和 Pod 原生容器管理器。它提供了一个可组合的执行环境,用于在 Linux 上启动和管理隔离的应用程序容器,作为一个围绕镜像格式和网络接口的开放行业标准设计的运行时。 该系统以 Pod 原生执行模型为特色,将多个容器和共享资源分组为单个、自包含的单元。它利用可插拔的执行引擎提供安全隔离,包括使用基于硬件的虚拟化在主机系统和运行中的应用程序之间创建安全边界。 该项目涵盖了容器管理的广泛功能,包括符合 OCI 标准的镜像执行和基于 CNI 的网络。它还提供与集群编排器和系统初始化工具的集成,以管理跨分布式环境的工作负载。
Secures the host system by isolating containers through hardware virtualization and security modules.