Labs ICT
โญ Pro Login

Container Security

Securing container images, registries, and runtime environments

Securing containers requires a multi-layered approach, because each layer stops a different class of attack: secure images (what gets built), secure registries (what gets trusted and pulled), secure orchestration (what the cluster allows to run) and secure runtime environments (what a running container is permitted to do).

Security Layers


  ┌──────────────────────────────────────┐
  │         Container Security           │
  ├──────────────────────────────────────┤
  │  1. Image Security                   │
  │     - Minimal base images            │
  │     - No root user                   │
  │     - Scan for vulnerabilities       │
  ├──────────────────────────────────────┤
  │  2. Registry Security                │
  │     - Image signing                  │
  │     - Access control                 │
  │     - Vulnerability scanning         │
  ├──────────────────────────────────────┤
  │  3. Orchestrator Security            │
  │     - RBAC                           │
  │     - Network policies               │
  │     - Pod security standards         │
  ├──────────────────────────────────────┤
  │  4. Runtime Security                 │
  │     - Read-only filesystem           │
  │     - No privileged containers       │
  │     - Resource limits                │
  └──────────────────────────────────────┘

Secure Dockerfile


  # Use a minimal base image pinned to a tag (pin by digest as well for reproducible builds)
  FROM node:20-alpine

  # Don't run as root: create an unprivileged user with a fixed UID, because
  # Kubernetes runAsNonRoot can only verify a numeric USER, not a user name
  RUN addgroup -S appgroup && adduser -S -u 10001 -G appgroup appuser

  WORKDIR /app
  COPY package*.json ./
  # Install exactly what the lockfile says, without dev dependencies
  # (npm ci --only=production is deprecated in favour of --omit=dev)
  RUN npm ci --omit=dev

  COPY --chown=appuser:appgroup . .

  # Switch to the numeric UID; everything after this line runs unprivileged
  USER 10001

  EXPOSE 3000
  CMD ["node", "server.js"]
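The image-layer rules above (pinned base image, numeric non-root USER, no unverified downloads) are the kind of thing a build pipeline should check before an image is pushed. The following checker is an added example for this page, not code from Labs ICT or from any scanner; the two Dockerfiles embedded in it are constructed samples, and the sha256 digest in the hardened one is a placeholder rather than a real node:20-alpine digest.

```python
import re

# Constructed sample, not from the page: the page's Dockerfile with every
# hardening step removed, so each rule below has something to flag.
WEAK_DOCKERFILE = """\
FROM node:latest
WORKDIR /app
ADD https://example.com/app.tar.gz /app/
RUN npm install
EXPOSE 3000
CMD ["node", "server.js"]
"""

# Constructed sample: the hardened form. The digest is a placeholder, not a
# real node:20-alpine digest.
HARDENED_DOCKERFILE = """\
FROM node:20-alpine@sha256:0000000000000000000000000000000000000000000000000000000000000000
RUN addgroup -S appgroup && adduser -S -u 10001 -G appgroup appuser
WORKDIR /app
COPY package*.json ./
RUN npm ci --omit=dev
COPY --chown=appuser:appgroup . .
USER 10001
EXPOSE 3000
CMD ["node", "server.js"]
"""

_DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")


def parse_instructions(text):
    """Return [(INSTRUCTION, args)] with backslash continuations joined and
    comments/blank lines skipped. Heredoc syntax is not handled."""
    instructions, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        instr, _, args = buf.partition(" ")
        instructions.append((instr.upper(), args.strip()))
        buf = ""
    return instructions


def check_dockerfile(text):
    """Return a list of findings; an empty list means every rule passed."""
    findings = []
    instrs = parse_instructions(text)
    from_indexes = [i for i, (name, _) in enumerate(instrs) if name == "FROM"]
    if not from_indexes:
        return ["no FROM instruction"]

    # Rule 1: every external base image carries a tag other than 'latest'
    # and, ideally, a digest. 'scratch' and earlier build stages are skipped.
    stage_aliases = set()
    for i in from_indexes:
        tokens = [t for t in instrs[i][1].split() if not t.startswith("--")]
        ref = tokens[0]
        if ref.lower() not in stage_aliases and ref.lower() != "scratch":
            base = ref.split("@")[0]
            tag = base.rsplit("/", 1)[-1].partition(":")[2]
            if not tag or tag == "latest":
                findings.append(f"{ref}: base image tag missing or 'latest'")
            if not _DIGEST.search(ref):
                findings.append(f"{ref}: base image not pinned by digest")
        if len(tokens) >= 3 and tokens[-2].upper() == "AS":
            stage_aliases.add(tokens[-1].lower())

    # Rule 2: the final stage must end as a numeric non-root user.
    final_stage = instrs[from_indexes[-1]:]
    users = [args for name, args in final_stage if name == "USER"]
    if not users:
        findings.append("final stage has no USER: the container runs as root")
    else:
        user = users[-1].split(":")[0]
        if user in ("root", "0"):
            findings.append("final stage runs as root")
        elif not user.isdigit():
            findings.append(f"USER {user} is a name, not a UID; Kubernetes "
                            "runAsNonRoot cannot verify it is non-root")

    # Rule 3: ADD from a URL fetches unverified content at build time.
    for name, args in instrs:
        if name == "ADD" and re.search(r"https?://", args):
            findings.append("ADD from a URL: download with a checksum check instead")
    return findings


if __name__ == "__main__":
    for label, df in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, check_dockerfile(df) or "OK")
```

The USER rule checks only the final stage, since that is the only stage whose user ends up in the shipped image; the digest finding is intentionally separate from the tag finding, because a tag alone can be re-pointed in the registry while a digest cannot.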

Kubernetes Security


  # Pod Security Context (settings required by the "restricted" Pod Security Standard)
  apiVersion: v1
  kind: Pod
  metadata:
    name: app
  spec:
    securityContext:
      runAsNonRoot: true
      runAsUser: 10001         # must be a non-zero UID that the image's files are readable by
      fsGroup: 2000
      seccompProfile:
        type: RuntimeDefault
    containers:
    - name: app
      image: myapp:1.4.2       # example tag; pin a tag or digest, never :latest
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      resources:
        requests:
          memory: "64Mi"
          cpu: "250m"
        limits:
          memory: "128Mi"
          cpu: "500m"
      volumeMounts:
      - name: tmp
        mountPath: /tmp        # writable scratch space, since the root filesystem is read-only
    volumes:
    - name: tmp
      emptyDir: {}
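An admission controller such as Gatekeeper enforces exactly these fields before a Pod is scheduled. The checker below is an added example written for this page, not Kubernetes' own Pod Security Admission code and not a Gatekeeper policy; it evaluates the restricted Pod Security Standard rules plus the runtime-layer controls listed above (read-only root filesystem, resource limits, pinned image) against a manifest already parsed into a dict. Both manifests in it are constructed samples: one that violates nearly every rule and the hardened Pod from this section.

```python
# Constructed samples, not from the page: a pod that violates nearly every
# rule, and this section's hardened manifest as a dict (what a YAML loader
# would produce), so the checker runs offline without a cluster.
WEAK_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "hostPID": True,
        "containers": [{
            "name": "app",
            "image": "myapp:latest",
            "securityContext": {"privileged": True},
        }],
    },
}

HARDENED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "runAsUser": 10001,
            "fsGroup": 2000,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "containers": [{
            "name": "app",
            "image": "myapp:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"]},
            },
            "resources": {"limits": {"memory": "128Mi", "cpu": "500m"}},
        }],
    },
}


def _effective(container, pod_sc, key):
    """Container-level securityContext overrides the pod-level one."""
    csc = container.get("securityContext") or {}
    return csc[key] if key in csc else pod_sc.get(key)


def check_pod(manifest):
    """Return findings for the restricted Pod Security Standard plus the
    runtime-layer controls above; an empty list means the pod is admissible."""
    findings = []
    spec = manifest.get("spec") or {}
    pod_sc = spec.get("securityContext") or {}
    for host_key in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(host_key):
            findings.append(f"pod: {host_key} is true")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "?")
        csc = c.get("securityContext") or {}
        # Restricted-profile rules
        if csc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if _effective(c, pod_sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot is not true")
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be explicitly false")
        caps = csc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        extra = sorted(set(caps.get("add", [])) - {"NET_BIND_SERVICE"})
        if extra:
            findings.append(f"{name}: adds capabilities {extra}")
        seccomp = _effective(c, pod_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        # This page's runtime-layer controls (not part of the PSS itself)
        if csc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem is not true")
        if not (c.get("resources") or {}).get("limits"):
            findings.append(f"{name}: no resource limits")
        image = c.get("image", "")
        last = image.rsplit("/", 1)[-1]
        if "@sha256:" not in image and (":" not in last or last.endswith(":latest")):
            findings.append(f"{name}: image {image!r} is not pinned to a tag or digest")
    return findings


def is_admissible(manifest):
    return not check_pod(manifest)


if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, check_pod(pod) or "OK")
```

Note that allowPrivilegeEscalation must be set to false explicitly: the restricted profile treats an unset value as a failure, which is why the checker tests `is not False` rather than a truthy value. Init containers are checked with the same rules, since they run with the same privileges as the main containers.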

Security Tools

  • Trivy — Scan container images (and filesystems, IaC and SBOMs) for known vulnerabilities and misconfigurations
  • Snyk — Find and fix vulnerabilities in application dependencies and container images
  • Falco — Runtime threat detection from kernel syscall events on Linux hosts and Kubernetes nodes
  • OPA/Gatekeeper — Admission-time policy enforcement for Kubernetes, e.g. rejecting Pods that violate the settings above

🧪 Quick Quiz

What is the principle of least privilege in container security?