Docker and Kubernetes Container Security
Introduction to Container Security
Containers revolutionized application deployment, but they introduce new attack vectors. Security must cover everything from base images to Kubernetes orchestration, including runtime protection and network policies.
Docker Image Security
1. Base Image Selection
- Use official and verified images (Docker Hub verified publishers)
- Prefer Alpine Linux or Distroless for a smaller attack surface
- Avoid :latest images - always specify versions
- Minimize layers and remove unnecessary tools
2. Vulnerability Scanning
- Trivy: Open-source scanner by Aqua Security
- Grype: Vulnerability scanning for images and filesystems
- Clair: Static vulnerability analysis
- Snyk Container: CI/CD integration
- Automated scanning in the CI/CD pipeline before the push
3. Image Signing
- Docker Content Trust (Notary) for image signing
- Sigstore/Cosign for supply chain security
- Integrity verification before deployment
Docker Runtime Security
Docker container hardening:
- User Namespaces: Do not run as root (USER directive)
- Capabilities: Drop all + add only the necessary ones (--cap-drop=ALL)
- Read-only Filesystem: --read-only for immutable containers
- No New Privileges: --security-opt=no-new-privileges
- Resource Limits: --memory, --cpus to prevent DoS
- Seccomp Profiles: Filter dangerous syscalls
- AppArmor/SELinux: Mandatory access control
Kubernetes Security
1. RBAC and Access Control
- Least privilege: specific Roles and RoleBindings
- Dedicated Service Accounts per application
- Avoid ClusterAdmin except for critical automation
- Audit logging of all API calls
2. Pod Security Standards
- Privileged: No restrictions (avoid)
- Baseline: Prevents known escalations
- Restricted: Maximum hardening for production
- Pod Security Admission controller for enforcement
3. Network Policies
- Default deny all + explicit allow as needed
- Segmentation by namespace and labels
- Egress control to prevent exfiltration
- Integration with CNI plugins (Calico, Cilium)
Secrets Management
- Never hardcode secrets in images or code
- Kubernetes Secrets: Base64 encoded (not encrypted!)
- External Secrets Operator: Integration with external vaults
- Sealed Secrets: Asymmetric encryption for GitOps
- HashiCorp Vault: Dynamic secrets and automatic rotation
- AWS Secrets Manager / Azure Key Vault: Cloud-native options
- Encryption at rest for etcd (--encryption-provider-config)
Runtime Security
Runtime protection tools:
- Falco: Runtime threat detection with eBPF (CNCF)
- Tetragon: eBPF-based security observability (Cilium)
- Sysdig Secure: Container forensics and compliance
- Aqua Security: Full lifecycle container security
- Prisma Cloud: CWPP (Cloud Workload Protection Platform)
They detect: anomalous process spawning, suspicious network connections, file system changes, privilege escalation attempts
Service Mesh Security
- Istio: Automatic mTLS, authorization policies, traffic encryption
- Linkerd: Lightweight service mesh with zero-trust networking
- Consul Connect: Service-to-service encryption and authorization
- Automatic certificate rotation
- Fine-grained access control between microservices
- Observability: distributed tracing and metrics
Supply Chain Security
- SBOM (Software Bill of Materials): Syft, Tern for generation
- Admission Controllers: OPA/Gatekeeper, Kyverno for policy enforcement
- Image Provenance: SLSA framework compliance
- Registry Security: Harbor, Artifactory with integrated scanning
- Signing and verification of artifacts (Cosign, Notary v2)
- Continuous vulnerability management
Best Practices
- [OK] Scan images at every stage of the pipeline
- [OK] Implement Pod Security Standards at the Restricted level
- [OK] Default deny network policies for all namespaces
- [OK] External secrets (never in Git or images)
- [OK] Runtime monitoring with Falco or equivalent
- [OK] Audit logs enabled and centralized
- [OK] Regular updates of cluster and components
- [OK] Encrypted etcd backup
- [OK] Tested disaster recovery plans
- [OK] Zero-trust networking with service mesh
