Hi there! Containers offer amazing benefits – portability, speed, scalability. But security remains a major concern. In fact, according to Statista, 58% of organizations cite security as a key challenge with containers. And CVE Details shows 62 vulnerabilities in Docker alone.
But don't worry! After reading this guide, you'll know exactly how to secure containers across your DevOps pipeline. I'll explain 9 critical security best practices drawn from my decade of experience as a DevOps engineer and container geek.
Ready to make your containers bulletproof? Let's dive in!
Why Container Security Matters
Before we get tactical, it's important to understand why securing containers is so crucial these days.
Benefits lead to massive adoption
According to Flexera's 2021 State of the Cloud Report, containers have exploded in popularity, with 94% of organizations now using them – up from just 35% in 2016. By packaging apps into portable images, containers enable:
- Faster development cycles – containers allow for rapid iteration
- Improved portability – they can run consistently across environments
- Better resource utilization – containers share hosts efficiently
Dynamic nature increases risks
However, these same benefits introduce security risks:
- Containers access hardware via the host OS kernel, expanding the attack surface
- They are ephemeral and dynamically deployed, making monitoring difficult
- Images can embed vulnerabilities if base images or dependencies have flaws
The industry recognizes these risks. In a recent survey by the Cloud Native Computing Foundation, 58% of respondents cited improving security as a top priority, second only to increasing adoption.
Clearly, getting container security right matters more than ever. Let's look at how to do it properly.
Best Practice #1: Use Trusted Container Images
Container images form the foundation of your deployments. But publicly available images often have vulnerabilities – according to Tim Mackey of Synopsys, 85% of official Docker Hub images contain at least one high-priority security issue!
Some best practices when sourcing container images:
Build your own
Ideally, build images yourself from scratch using trusted base images like Ubuntu, Alpine, or Red Hat Universal Base Image. Avoid installing unnecessary packages to reduce the attack surface.
Prefer vendor certified images
If using public images, opt for certified containers from vendors like AWS, Google, Microsoft, and Red Hat who scan images for vulnerabilities.
Continuously scan images
Regardless of source, continuously scan images for malware and vulnerabilities using tools like Trivy, Clair, and Anchore. Bake scanning into your CI/CD pipeline to catch issues early.
Use a private registry
Store custom images in a private registry only accessible within your environment, not publicly exposed like Docker Hub. Scan private registries too.
By being meticulous about sourcing and scanning container images, you avoid baking in vulnerabilities from the start.
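The sourcing rules above (pinned base images, minimal packages, non-root) can be checked mechanically before an image is ever built. The following Python linter is an added example, not code from the article or from any of the tools it names: the two Dockerfiles are constructed samples, the finding codes are my own naming, and the sha256 digest is a placeholder rather than a real image digest.

```python
import re

# Constructed sample Dockerfiles (not from the article). The digest below is a
# placeholder, not a real image digest.
WEAK_DOCKERFILE = """\
FROM python:latest
RUN apt-get update && apt-get install -y curl vim build-essential
ADD . /app
CMD ["python", "/app/main.py"]
"""

HARDENED_DOCKERFILE = """\
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS base
RUN apt-get update && apt-get install -y --no-install-recommends ca-certificates \\
    && rm -rf /var/lib/apt/lists/*
COPY . /app
USER 10001:10001
CMD ["python", "/app/main.py"]
"""

FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)


def parse_image_ref(ref):
    """Split 'registry:port/name:tag@sha256:...' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    last_colon = ref.rfind(":")
    if last_colon > ref.rfind("/"):  # a ':' after the last '/' is a tag, not a registry port
        name, tag = ref[:last_colon], ref[last_colon + 1:]
    return name, tag, digest


def lint_dockerfile(text):
    """Return a list of (code, detail) findings for image-sourcing problems."""
    findings = []
    stages = set()   # names of earlier build stages (FROM ... AS name)
    user = None      # last USER instruction seen in the final stage
    # Join backslash continuations so a multi-line RUN is inspected as one unit.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FROM_RE.match(line)
        if m:
            ref, alias = m.group(1), m.group(2)
            user = None  # a new stage starts over with the base image's user
            if alias:
                stages.add(alias.lower())
            if ref.lower() in stages or ref.lower() == "scratch":
                continue  # stage reference or empty image: nothing to pin
            _name, tag, digest = parse_image_ref(ref)
            if tag is None or tag == "latest":
                findings.append(("FLOATING_TAG", f"{ref} resolves to a moving target"))
            if digest is None:
                findings.append(("NO_DIGEST", f"{ref} is not pinned by digest"))
            continue
        instr, _, args = line.partition(" ")
        instr = instr.upper()
        if instr == "USER":
            user = args.strip()
        elif instr == "RUN" and "apt-get install" in args and "--no-install-recommends" not in args:
            findings.append(("EXTRA_PACKAGES", "apt-get install without --no-install-recommends"))
        elif instr == "ADD":
            findings.append(("ADD_INSTEAD_OF_COPY", "ADD fetches URLs and auto-extracts archives; prefer COPY"))
    if user is None or user.split(":")[0] in ("root", "0"):
        findings.append(("ROOT_USER", "final stage has no non-root USER instruction"))
    return findings


if __name__ == "__main__":
    for label, dockerfile in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        print(label, lint_dockerfile(dockerfile) or "clean")
```

Digest pinning is the check that actually protects you from a tag being silently re-pointed upstream; a tag like `3.12-slim` is better than `latest` but still mutable, which is why the linter reports both findings separately.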
Best Practice #2: Limit Container Capabilities
Containers should operate with the principle of least privilege – only the permissions needed for their function, nothing more. Some tips:
Avoid privileged containers
Don't run containers in privileged mode unless absolutely necessary. Privileged containers can easily escalate or escape constraints.
Drop Linux capabilities
Linux has over 20 capabilities that enable actions like loading kernel modules or accessing devices. Most are not needed by containers – drop them through tools like PodSecurityPolicy.
Restrict syscalls
Reduce the Linux syscall surface exposed to containers using seccomp, AppArmor, or OPA Gatekeeper policies. Block unused syscalls that could be abused.
Make volumes read-only
Mount volumes read-only unless the container truly needs write access. Immutable infrastructure is inherently more secure.
Use user namespaces
Map container UIDs to a non-root user on the host for an extra layer of isolation. Don't let containers run as PID 1, which enables privilege escalation.
Segmenting containers and minimizing their capabilities results in a more secure environment overall.
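The five tips in this section map directly onto fields of a Kubernetes pod spec, so they can be audited before admission. The Python audit below is an added example, not code from the article or from PodSecurityPolicy/Gatekeeper: the weak and hardened pod specs are constructed (the registry name is a placeholder), the finding codes are my own naming, and the list of risky capabilities is an illustrative subset. The hardened spec keeps one writable `emptyDir` at `/tmp`, which the audit tolerates as scratch space alongside a read-only root filesystem.

```python
# Capabilities whose addition almost always warrants review (constructed, not exhaustive).
RISKY_CAPS = {"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_RAW", "DAC_READ_SEARCH"}

# Constructed pod spec (not from the article) running with far more than it needs.
WEAK_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "hostPID": True,
        "volumes": [{"name": "host-root", "hostPath": {"path": "/"}},
                    {"name": "cfg", "configMap": {"name": "web-cfg"}}],
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web:1.4.2",
            "securityContext": {"privileged": True, "capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "host-root", "mountPath": "/host"},
                             {"name": "cfg", "mountPath": "/etc/web"}],
        }],
    },
}

# The same workload with least privilege applied.
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "volumes": [{"name": "cfg", "configMap": {"name": "web-cfg"}},
                    {"name": "tmp", "emptyDir": {}}],
        "containers": [{
            "name": "web",
            "image": "registry.example.internal/web:1.4.2",
            "securityContext": {"privileged": False, "allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "cfg", "mountPath": "/etc/web", "readOnly": True},
                             {"name": "tmp", "mountPath": "/tmp"}],
        }],
    },
}


def audit_pod(pod):
    """Return findings as 'scope: CODE' strings; an empty list means the spec passes."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    findings = []
    for flag in ("hostPID", "hostNetwork", "hostIPC"):
        if spec.get(flag):
            findings.append(f"pod: HOST_NAMESPACE_{flag.upper()}")
    # Map volume name -> volume type ("hostPath", "configMap", "emptyDir", ...).
    vol_type = {v["name"]: next(k for k in v if k != "name") for v in spec.get("volumes", [])}
    for name, vtype in vol_type.items():
        if vtype == "hostPath":
            findings.append(f"volume/{name}: HOST_PATH")
    for c in spec["containers"]:
        sc = c.get("securityContext", {})
        cname = c["name"]

        def effective(key, sc=sc):  # container-level setting overrides the pod-level one
            return sc.get(key, pod_sc.get(key))

        if sc.get("privileged"):
            findings.append(f"{cname}: PRIVILEGED")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: ALLOW_PRIVILEGE_ESCALATION")
        if effective("runAsNonRoot") is not True:
            findings.append(f"{cname}: MAY_RUN_AS_ROOT")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: WRITABLE_ROOT_FS")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            findings.append(f"{cname}: CAPABILITIES_NOT_DROPPED")
        for cap in sorted(RISKY_CAPS & set(caps.get("add", []))):
            findings.append(f"{cname}: CAP_ADDED_{cap}")
        if (effective("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append(f"{cname}: NO_SECCOMP_PROFILE")
        for m in c.get("volumeMounts", []):
            # Writable mounts are only tolerated for emptyDir scratch space.
            if not m.get("readOnly") and vol_type.get(m["name"]) != "emptyDir":
                findings.append(f"{cname} mount {m['mountPath']}: WRITABLE_MOUNT")
    return findings


if __name__ == "__main__":
    print("weak:", *audit_pod(WEAK_POD), sep="\n  ")
    print("hardened:", audit_pod(HARDENED_POD) or "clean")
```

Note that `allowPrivilegeEscalation` is treated as a failure when it is merely absent: the defaults are what an attacker gets, so an audit has to insist on the explicit `false` rather than accept silence.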
Best Practice #3: Continuously Scan Containers
With containers dynamically spinning up and down, how do you keep track of their security posture? The answer is continuous scanning at each stage:
Scan container images
Catch flaws in images using static analysis tools like Trivy, Clair, or Anchore that scan for malware, vulnerabilities, and misconfigurations.
Scan infrastructure
Inspect Kubernetes pods, nodes, and the platform itself for risks using tools like Falco, Sysdig, or proprietary scanners. Monitor hosts for compliance.
Scan running containers
Analyze the behavior, network traffic, and process activity of running containers for signs of intrusions or threats.
Integrate into CI/CD
Add scanning gates into your pipelines – halt deployments if critical issues are detected. Promote immutable scanned images across environments.
Schedule recurring production scans
Periodically scan production clusters for risks like newly disclosed exploits, cryptojacking attacks, or insider threats.
Continuous scanning acts as your immune system, catching issues proactively before they lead to incidents.
Open Source vs Commercial Scanning Tools
There are great open source scanners like Clair, Trivy, and Falco for container security. But commercial tools from vendors like Aqua, StackRox, and Sysdig offer added benefits:
Benefits of Open Source Scanners
- Free to use
- Community maintained
- Customizable
Added Value of Commercial Scanners
- Broader vulnerability coverage
- Dashboards and analytics
- Automatic air-gapped scanning
- Streamlined workflow integration
- Prioritization based on risk levels
- Support services
The choice depends on your budget and needs. For most, an integrated commercial scanner like Sysdig or Aqua balances cost, maintenance, and advanced features.
Best Practice #4: Harden Container Networks
Since containers share an OS, hardening networking is crucial to isolate workloads.
Segment networks
Use namespaces and NetworkPolicies to segregate pods based on labels like environment (dev vs prod) or workload type (web vs db). Zero trust – allow only explicitly whitelisted traffic.
Encrypt traffic
Encrypt all pod-to-pod communication with mTLS. Don't allow unencrypted connections.
Monitor communications
Inspect network traffic between containers and to external endpoints for signs of breaches using tools like Sysdig or network sniffers.
Limit external access
Restrict ingress points through API gateways and firewall policies. Don't expose pods directly. Lock down egress to prevent data exfiltration.
With proper network controls, you can contain threats and prevent lateral movement if any container is compromised.
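The zero-trust segmentation described above hinges on two Kubernetes NetworkPolicy rules that are easy to get wrong: a pod that no policy selects accepts everything, and a bare `podSelector` in a `from` entry only matches pods in the policy's own namespace. The Python model below is an added example, not code from the article or from Kubernetes itself: it evaluates a constructed set of policies (default-deny in `prod`, web-to-db, and ingress-controller-to-web) against label-based selectors, ignoring ports and `ipBlock` peers, so you can see which traffic a given policy set actually permits before applying it.

```python
# Constructed cluster model (not from the article): namespace labels plus a few
# NetworkPolicies that use only podSelector/namespaceSelector with matchLabels.
NAMESPACES = {"prod": {"env": "prod"}, "dev": {"env": "dev"}, "ingress-nginx": {"role": "ingress"}}

POLICIES = [
    # Zero-trust baseline: selects every pod in prod and lists no ingress rules,
    # so nothing is allowed in unless another policy explicitly permits it.
    {"name": "default-deny-ingress", "namespace": "prod", "podSelector": {},
     "policyTypes": ["Ingress"]},
    {"name": "allow-web-to-db", "namespace": "prod",
     "podSelector": {"matchLabels": {"app": "db"}}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "web"}}}]}]},
    {"name": "allow-ingress-to-web", "namespace": "prod",
     "podSelector": {"matchLabels": {"app": "web"}}, "policyTypes": ["Ingress"],
     "ingress": [{"from": [{"namespaceSelector": {"matchLabels": {"role": "ingress"}}}]}]},
]


def pod(namespace, **labels):
    """Minimal pod model: where it lives and what labels it carries."""
    return {"namespace": namespace, "labels": labels}


def selector_matches(selector, labels):
    """matchLabels only; an empty selector ({}) matches everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peer, src, policy_ns, namespaces):
    """Does a single 'from' entry match the source pod?"""
    if "ipBlock" in peer:
        return False  # CIDR peers are not modelled in this example
    if "namespaceSelector" in peer:
        if not selector_matches(peer["namespaceSelector"], namespaces[src["namespace"]]):
            return False
        # namespaceSelector and podSelector in the same entry are ANDed.
        return "podSelector" not in peer or selector_matches(peer["podSelector"], src["labels"])
    # A bare podSelector only matches pods in the policy's own namespace.
    return src["namespace"] == policy_ns and selector_matches(peer["podSelector"], src["labels"])


def ingress_decision(src, dst, policies=POLICIES, namespaces=NAMESPACES):
    """Return (allowed, reason) for traffic from src to dst, ignoring ports."""
    selecting = [p for p in policies
                 if p["namespace"] == dst["namespace"]
                 and "Ingress" in p.get("policyTypes", ["Ingress"])
                 and selector_matches(p["podSelector"], dst["labels"])]
    if not selecting:
        return True, "no NetworkPolicy selects the destination: Kubernetes allows all"
    for p in selecting:
        for rule in p.get("ingress", []):
            froms = rule.get("from", [])
            # A rule with no 'from' allows every source.
            if not froms or any(peer_matches(f, src, p["namespace"], namespaces) for f in froms):
                return True, f"allowed by {p['name']}"
    return False, "selected by " + ", ".join(p["name"] for p in selecting) + " but no rule matches"


def ingress_allowed(src, dst, policies=POLICIES, namespaces=NAMESPACES):
    return ingress_decision(src, dst, policies, namespaces)[0]


if __name__ == "__main__":
    cases = [(pod("prod", app="web"), pod("prod", app="db")),
             (pod("dev", app="web"), pod("prod", app="db")),
             (pod("prod", app="db"), pod("prod", app="web")),
             (pod("ingress-nginx", app="controller"), pod("prod", app="web")),
             (pod("prod", app="web"), pod("dev", app="web"))]
    for src, dst in cases:
        ok, why = ingress_decision(src, dst)
        print(f"{src['namespace']}/{src['labels']['app']} -> {dst['namespace']}/{dst['labels']['app']}: "
              f"{'ALLOW' if ok else 'DENY'} ({why})")
```

The last case is the one worth internalising: `dev` has no default-deny policy, so every pod there accepts traffic from anywhere. Segmentation only holds in namespaces where the deny-all baseline has actually been applied.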
Kubernetes Security Best Practices
Here are some additional tips for securing Kubernetes:
- Require pod-level security policies to enforce least privilege
- Manage secrets securely using tools like HashiCorp Vault
- Enable role-based access control (RBAC) for all users
- Restrict Kubernetes dashboard access
- Continuously monitor Kubernetes APIs for suspicious activity
- Use CIS Kubernetes Benchmarks to track compliance

Kubernetes provides native controls you can leverage for security.
Shifting Security Left with CI/CD Integration
The biggest mindset shift organizations must make is to embed security checks directly into their CI/CD pipelines. This "shifts security left" rather than tacking it on at the end.
Some tips for CI/CD integration:
- Scan images for vulnerabilities before deployment
- Analyze IaC templates for security misconfigurations using tools like tfsec or checkov. Stop bad configs from being applied.
- Run static analysis on code (SAST) to catch bugs and credential leaks before they reach runtime.
- Perform dynamic scanning of running containers to validate that no threats are present.
- Promote immutable scanned images across environments. Don't modify images between dev, test, and prod.
- Generate security scorecards per application to incentivize developers to improve practices. Gamify security!
By integrating security into existing CI/CD flows, rather than separate scanning pipelines, you encourage developers to own and prioritize securing their apps and infrastructure.
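Both the "add scanning gates into your pipelines" tip in Best Practice #3 and the "scan images for vulnerabilities before deployment" tip above come down to one decision: given a scanner report, does the build proceed? The Python gate below is an added example, not code from the article or from Trivy; the report is a constructed sample laid out like Trivy's JSON (`Results[].Vulnerabilities[]` with `VulnerabilityID`, `Severity`, `FixedVersion`), the CVE identifiers and registry name are placeholders, and the waiver mechanism with an expiry date is my own design. It blocks on fixable findings at or above a severity threshold, reports unfixed ones without blocking, and lets a time-limited risk acceptance waive a specific ID.

```python
import sys
from datetime import date

# Constructed scanner report (not real scan output), laid out like Trivy's JSON.
# The CVE identifiers below are placeholders, not real advisories.
REPORT = {
    "ArtifactName": "registry.example.internal/web:1.4.2",
    "Results": [{
        "Target": "registry.example.internal/web:1.4.2 (debian 12)",
        "Vulnerabilities": [
            {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "Severity": "CRITICAL",
             "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2"},
            {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "HIGH",
             "InstalledVersion": "2.3", "FixedVersion": ""},
            {"VulnerabilityID": "CVE-0000-0003", "PkgName": "tool", "Severity": "MEDIUM",
             "InstalledVersion": "0.9", "FixedVersion": "1.0"},
            {"VulnerabilityID": "CVE-0000-0004", "PkgName": "libacc", "Severity": "HIGH",
             "InstalledVersion": "4.1", "FixedVersion": "4.2"},
        ],
    }],
}

# Risk acceptances: a finding may be waived only until a given date (constructed).
ACCEPTED = {"CVE-0000-0004": {"until": date(2099, 1, 1),
                              "reason": "code path not reachable; ticket SEC-placeholder"}}

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def evaluate_gate(report, accepted, today, block_at="HIGH", block_unfixed=False):
    """Return (passed, blocking, warnings).

    blocking: findings that must stop the deployment.
    warnings: unfixed or waived findings that are reported but do not block.
    """
    threshold = SEVERITY_RANK[block_at]
    blocking, warnings = [], []
    for result in report.get("Results", []):
        # Trivy emits null instead of [] for targets without findings.
        for v in result.get("Vulnerabilities") or []:
            vid = v["VulnerabilityID"]
            sev = SEVERITY_RANK.get(v.get("Severity", "UNKNOWN").upper(), 0)
            waiver = accepted.get(vid)
            if waiver and waiver["until"] >= today:
                warnings.append(f"{vid} waived until {waiver['until']}: {waiver['reason']}")
                continue  # an expired waiver falls through and is judged like any other finding
            if sev < threshold:
                continue
            fixed = bool(v.get("FixedVersion"))
            if fixed or block_unfixed:
                blocking.append(f"{vid} {v['Severity']} {v['PkgName']} "
                                f"{v['InstalledVersion']} -> {v.get('FixedVersion') or 'no fix'}")
            else:
                warnings.append(f"{vid} {v['Severity']} in {v['PkgName']} has no fix yet; track it")
    return (not blocking, blocking, warnings)


if __name__ == "__main__":
    passed, blocking, warnings = evaluate_gate(REPORT, ACCEPTED, date.today())
    for line in blocking:
        print("BLOCK ", line)
    for line in warnings:
        print("WARN  ", line)
    print("gate:", "PASS" if passed else "FAIL", "for", REPORT["ArtifactName"])
    sys.exit(0 if passed else 1)  # non-zero exit halts the pipeline stage
```

The non-zero exit code is what turns the script into a gate in any CI system. Waivers expiring automatically is the piece teams most often skip; without it, a "temporary" acceptance quietly becomes permanent.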
An FAQ on Container Security
Still have some questions? Here are answers to some common container security FAQs:
Are host protections enough?
Not quite. Though containers share the host OS kernel, each container runs isolated user-space instances. So threats can hide within containers even if the host looks secure. You need visibility at the container level.
Isn't scanning images enough?
Continuous image scanning is a great first step, but not sufficient by itself. Vulnerabilities can get introduced at runtime through bad configs, network intrusions, insider risks, and more. You need runtime security in addition to image scanning.
How is Kubernetes secured?
Enable Kubernetes security features like RBAC, Network Policies, Pod Security Policies, and use CIS Benchmarks. Monitor the Kubernetes APIs. Scan the underlying hosts and infrastructure. Tools like Falco analyze from the kernel level.
What about serverless containers?
Managed services like AWS Fargate and Lambda simplify operations by abstracting away servers. But you still need to secure the workloads and integrate security into the SDLC per best practices outlined here.
How do I learn more?
Check out the blogs from Aqua Security, Sysdig, and StackRox, which offer in-depth container security guides. The Cloud Native Computing Foundation (CNCF) also provides training and certification.
Final Thoughts
I hope these tips give you a good foundation for building a robust container security strategy. Feel free to reach out if you have any other questions!
The key is to embed security across the entire container lifecycle – not just as an afterthought. Take an end-to-end approach spanning your images, pipelines, infrastructure, and workflows.
Stay vigilant and keep those containers secure. Your apps and customers will thank you!