Container Security
Securing containers requires a multi-layered approach: secure images, secure registries, secure orchestration, and secure runtime environments.
Security Layers
┌──────────────────────────────────────┐
│          Container Security          │
├──────────────────────────────────────┤
│ 1. Image Security                    │
│    - Minimal base images             │
│    - No root user                    │
│    - Scan for vulnerabilities        │
├──────────────────────────────────────┤
│ 2. Registry Security                 │
│    - Image signing                   │
│    - Access control                  │
│    - Vulnerability scanning          │
├──────────────────────────────────────┤
│ 3. Orchestrator Security             │
│    - RBAC                            │
│    - Network policies                │
│    - Pod security standards          │
├──────────────────────────────────────┤
│ 4. Runtime Security                  │
│    - Read-only filesystem            │
│    - No privileged containers        │
│    - Resource limits                 │
└──────────────────────────────────────┘
Secure Dockerfile
# Use a minimal base image (Alpine variant keeps the attack surface small)
FROM node:20-alpine
# Create an unprivileged system user and group; don't run as root
RUN addgroup -S appgroup && adduser -S appuser -G appgroup
WORKDIR /app
# Install only production dependencies, exactly as pinned in the lockfile
# (--omit=dev replaces the deprecated --only=production flag)
COPY package*.json ./
RUN npm ci --omit=dev
# Copy the application source with ownership set to the unprivileged user
COPY --chown=appuser:appgroup . .
# Every later instruction and the running container use this user
USER appuser
EXPOSE 3000
CMD ["node", "server.js"]
Kubernetes Security
# Pod Security Context
apiVersion: v1
kind: Pod
metadata:
  name: app          # a name is required for the manifest to apply
spec:
  securityContext:   # pod-level settings, inherited by every container
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
  containers:
  - name: app
    image: myapp:latest
    securityContext:  # container-level settings override the pod level
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop:
        - ALL
    resources:
      limits:
        memory: "128Mi"
        cpu: "500m"
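As an added example (not code from the original page or from any of the tools it names), the following Python script audits a Pod manifest against the runtime controls shown above, the same kind of check an admission policy enforces. The audit_pod function and the two sample manifests are constructed for this illustration; the manifests are given as JSON, which Kubernetes accepts in place of YAML, so the script needs no extra library.

```python
import json

# Hypothetical checker (added example, not a tool from the page) that audits a Pod
# manifest against the runtime rules listed above. A Pod manifest is JSON-compatible,
# so the samples are given as JSON to avoid a YAML dependency.

def audit_pod(pod: dict) -> list[str]:
    """Return findings for every container; an empty list means the Pod passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # runAsNonRoot may be inherited from the pod level; a container value overrides it
        if not sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False)):
            findings.append(f"{name}: runAsNonRoot is not true")
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true, so absence is a finding
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not false")
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")
        drops = [d.upper() for d in sc.get("capabilities", {}).get("drop", [])]
        if "ALL" not in drops:
            findings.append(f"{name}: capabilities.drop does not include ALL")
        limits = c.get("resources", {}).get("limits", {})
        for res in ("memory", "cpu"):
            if res not in limits:
                findings.append(f"{name}: no {res} limit")
    return findings

# Constructed samples: the hardened Pod from the manifest above and a weak debug Pod
HARDENED = json.loads("""{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
 "spec": {"securityContext": {"runAsNonRoot": true, "runAsUser": 1000, "fsGroup": 2000},
  "containers": [{"name": "app", "image": "myapp:latest",
   "securityContext": {"allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
                       "capabilities": {"drop": ["ALL"]}},
   "resources": {"limits": {"memory": "128Mi", "cpu": "500m"}}}]}}""")
WEAK = json.loads("""{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "debug"},
 "spec": {"containers": [{"name": "shell", "image": "busybox",
                          "securityContext": {"privileged": true}}]}}""")

if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}: " + ("; ".join(audit_pod(pod)) or "OK"))
```

Run against a live cluster, the same function can take the output of `kubectl get pod <name> -o json` and report which of the four runtime controls a Pod is missing.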
Security Tools
- Trivy: scans container images for vulnerabilities
- Snyk: finds and fixes vulnerabilities in dependencies
- Falco: runtime threat detection for Kubernetes
- OPA/Gatekeeper: policy enforcement for Kubernetes