Docker container security
1 like966 views
The document discusses security challenges and best practices for Docker containers. It outlines risks at different stages of the container lifecycle from image development to deployment. Key risks include lack of isolation, complex ecosystems, and known vulnerabilities. The document recommends practices like using linting and scanning during development, restricting resources and access controls at deployment, and signing images from trusted sources to improve container security.
Docker container security
- 1. © 2020 ThoughtWorks Exploring Docker container security: Risks and good practices Marina Kjaer & Mónica Calderaro
- 2. Mónica Calderaro © 2020 ThoughtWorks Software Developer Marina Kjaer Software Developer @MonicaCRey
- 3. Security is a HUGE topic © 2020 ThoughtWorks
- 4. © 2020 ThoughtWorks The main challenges are that Containers are complex, the lack of isolation and the complexity of the ecosystem.
- 5. Build Ship Run Container lifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 6. Image Development Safety Use a Dockerfile linter Add a linter into your workflow to catch common security mistakes early Build Ship Run
- 7. Image Development Safety Identify and find any known vulnerabilities that may be present in an image. Docker image security scanning Build Ship Run
- 8. Image Development Safety Multistage builds Keep your image in production a small as possible by creating 2 or more containers. The first one uses all tools and libraries to build the application, the second just runs the output from the first. Build Ship Run
- 9. Image Development Safety Use a trusted image Use a minimal base image With the bare minimum that's needed for your app, for example Distroless. Build Ship Run
- 10. Image Development Safety Choose more specific tags as opposed to latest. Use fixed tags for immutability Build Ship Run
- 11. Image Development Safety Signatures allow client-side or runtime verification of the integrity and publisher of specific image tags. Verify Images to be signed Build Ship Run
- 12. Build Ship Run Container lifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 13. Image reliability Signing Images Trusted sources could include Official Docker Images, or User trusted sources signed with Docker Content Trust. Build Ship Run
- 14. Restrict Resources Build Ship Run Set resource quotas Resource quotas allow you to limit the amount of memory and CPU resources that a container can consume.
- 15. Restrict access Role Based Access Control Based on teams function, assigns no access, view only, restricted control, or full control permissions. Build Ship Run
- 16. Build Ship Run Container lifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 17. Limit Privileges Isolate containers with a user namespace Namespaces provide isolation for running processes, limiting their access to system resources without the running process being aware of the limitations. Build Ship Run
- 18. Limit Privileges Control groups They provide many useful metrics, but they also help ensure that each container gets its fair share of resources. Build Ship Run
- 19. Limit Privileges Rootless mode Run the Docker daemon as a non-root user. Build Ship Run
- 20. Protect resources API and network security Docker containers typically rely heavily on APIs and networks to communicate with each other. Build Ship Run
- 21. © 2020 ThoughtWorks Demo time © 2020 ThoughtWorks
- 22. Build Ship Run Let’s recap With the bare minimum and from trusted sources With controlled resources With the right permissions
- 23. Resources ● https://docs.docker.com/ ● https://resources.whitesourcesoftware.com/blog-w hitesource/docker-container-security-challenges-an d-best-practices ● https://www.trendmicro.com/ ● https://snyk.io/ ● https://neuvector.com/ ● https://containerjournal.com/ ● https://www.redhat.com/en/topics/security/contain er-security © 2020 ThoughtWorks ● https://docs.mirantis.com/docker-enterprise/v3.0/d ockeree-products/ucp.html ● https://sysdig.com/blog/7-docker-security-vulnerabil itie ● https://washraf.gitbooks.io/the-docker-ecosystem/c ontent/Chapter%201/Section%203/Control%20Grou ps.html
- 24. Continue the conversation on Slack © 2020 ThoughtWorks XConfEurope2020 xconfeurope2020.slack.com #talk2-docker-container-security #XConfOnline