The document discusses security challenges and best practices for Docker containers. It outlines risks at different stages of the container lifecycle from image development to deployment. Key risks include lack of isolation, complex ecosystems, and known vulnerabilities. The document recommends practices like using linting and scanning during development, restricting resources and access controls at deployment, and signing images from trusted sources to improve container security.
5. Build Ship Run
Container lifecycle
● Code Analysis
● Image Hardening
● Image Scanning
● Image signing
● Resources Control
● User Access Control
● Host and Kernel security
● Access Controls
● Other Resources
6. Image Development Safety
Use a Dockerfile linter
Add a linter to your workflow to catch common security mistakes early.
Build
Ship
Run
7. Image Development Safety
Identify any known vulnerabilities that may be present in an image.
Docker image security scanning
8. Image Development Safety
Multistage builds
Keep your production image as small as possible by using two or more build stages: the first has all the tools and libraries needed to build the application, the second only runs the output of the first.
9. Image Development Safety
Use a trusted image
Use a minimal base image
With only the bare minimum that's needed for your app, for example Distroless.
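The three Build-stage slides above (linting, multistage builds, a minimal base) come together in the following added example, which is not part of the original deck. It is a small POSIX-sh Dockerfile checker run over two constructed Dockerfiles: it implements a handful of the rules a real linter such as hadolint reports (the rule codes follow hadolint's numbering) and a helper that prints the base image of the final stage, which is what the minimal-base and multistage slides care about. The image names and both Dockerfiles are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original slides: a minimal Dockerfile
# checker. Rule codes follow hadolint's numbering; the Dockerfiles and
# image names below are constructed for the example.

# Constructed: two-stage build. The build stage carries the toolchain; the
# final stage is a distroless image that only receives the binary and
# drops root.
GOOD_DOCKERFILE='FROM golang:1.22-alpine AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app
USER nonroot
ENTRYPOINT ["/app"]'

# Constructed: single-stage version with the usual mistakes left in.
BAD_DOCKERFILE='FROM golang:latest
RUN apt-get update && apt-get install -y curl
ADD app.tar.gz /srv/
RUN sudo chmod 755 /srv/app
ENTRYPOINT ["/srv/app"]'

# lint_dockerfile: reads a Dockerfile on stdin, prints one finding per
# line and returns 0 only when nothing was flagged.
lint_dockerfile() {
    findings=0
    has_user=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        instr=$(printf '%s' "$line" | awk '{print toupper($1)}')
        case "$instr" in
            FROM)
                image=$(printf '%s' "$line" | awk '{print $2}')
                has_user=0              # every FROM opens a new stage
                case "$image" in
                    scratch) ;;         # nothing to pin
                    *:latest) echo "DL3007 'latest' tag is not reproducible: $image"
                              findings=$((findings + 1)) ;;
                    *:*|*@*) ;;         # pinned by tag or by digest
                    *) echo "DL3006 untagged base image: $image"
                       findings=$((findings + 1)) ;;
                esac ;;
            USER) has_user=1 ;;
            ADD)  echo "DL3020 use COPY instead of ADD (ADD fetches URLs and unpacks archives)"
                  findings=$((findings + 1)) ;;
            RUN)
                case "$line" in
                    *sudo*) echo "DL3004 sudo in RUN hides a root dependency"
                            findings=$((findings + 1)) ;;
                esac
                case "$line" in
                    *"apt-get install"*)
                        case "$line" in *--no-install-recommends*) ;;
                            *) echo "DL3015 apt-get install without --no-install-recommends"
                               findings=$((findings + 1)) ;;
                        esac ;;
                esac ;;
        esac
    done
    # Only the final stage becomes the shipped image, so USER is checked
    # for the stage that was still open when input ended.
    if [ "$has_user" -eq 0 ]; then
        echo "DL3002 final stage has no USER and runs as root"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# final_stage_base: prints the base image of the last FROM, i.e. what the
# production container actually runs on.
final_stage_base() {
    awk 'toupper($1) == "FROM" { img = $2 } END { print img }'
}

printf '%s\n' "$GOOD_DOCKERFILE" | lint_dockerfile && echo "good Dockerfile: clean"
printf '%s\n' "$BAD_DOCKERFILE" | lint_dockerfile || echo "bad Dockerfile: fix the findings above"
```

Wiring `lint_dockerfile` (or the real hadolint) into CI so that a non-zero exit fails the build is the "catch mistakes early" step from the linter slide; `final_stage_base` is the quick check that a multistage build really ships from the minimal image rather than from the toolchain stage.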
11. Image Development Safety
Signatures allow client-side or runtime verification of the integrity and publisher of specific image tags.
Verify that images are signed
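What "verify that images are signed" means mechanically, as an added example that is not part of the original deck: a publisher signs the image manifest, and the client refuses to run anything whose signature does not verify against a public key it already trusts. Docker Content Trust (`DOCKER_CONTENT_TRUST=1`, Notary) and cosign do this with their own key management and formats; here the same check is shown with OpenSSL over a constructed manifest so that it runs offline. The keys are throwaway test keys generated on the fly and the manifest contents are a placeholder.

```shell
#!/bin/sh
# Added example, not from the original slides: signature verification as a
# gate before running an image, modelled with OpenSSL instead of
# Notary/cosign. Keys and manifest are constructed for the example.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for an image manifest (real ones are JSON served by
# the registry; only the bytes matter for signing).
MANIFEST='{"schemaVersion":2,"config":{"digest":"sha256:PLACEHOLDER_CONFIG_DIGEST"},"layers":[]}'

# gen_publisher_key: throwaway RSA key pair. The private half stays with
# the publisher; the public half is what the client pins as trusted.
gen_publisher_key() {
    openssl genrsa -out "$WORK/publisher.key" 2048 2>/dev/null &&
    openssl rsa -in "$WORK/publisher.key" -pubout -out "$WORK/publisher.pub" 2>/dev/null
}

# sign_manifest FILE KEY: publisher side, writes FILE.sig.
sign_manifest() {
    openssl dgst -sha256 -sign "$2" -out "$1.sig" "$1"
}

# verify_manifest FILE PUBKEY: client side, 0 only if FILE.sig is a valid
# signature over FILE by the holder of PUBKEY's private key.
verify_manifest() {
    [ -f "$1.sig" ] || return 1          # unsigned: refuse, never fall open
    openssl dgst -sha256 -verify "$2" -signature "$1.sig" "$1" >/dev/null 2>&1
}

# run_if_trusted FILE PUBKEY: the gate content trust applies on pull/run,
# proceed only on a good signature.
run_if_trusted() {
    if verify_manifest "$1" "$2"; then
        echo "trusted $(openssl dgst -sha256 "$1" | awk '{print substr($NF, 1, 12)}'): running"
    else
        echo "REFUSED: manifest unsigned or signature invalid" >&2
        return 1
    fi
}

# demo_signing: a signed manifest is accepted; a tampered copy (old
# signature, one changed byte) and an unsigned copy are both refused.
# Returns 0 when all three behave as expected.
demo_signing() {
    gen_publisher_key || return 1
    printf '%s\n' "$MANIFEST" > "$WORK/manifest.json"
    sign_manifest "$WORK/manifest.json" "$WORK/publisher.key"
    run_if_trusted "$WORK/manifest.json" "$WORK/publisher.pub" || return 1
    cp "$WORK/manifest.json" "$WORK/tampered.json"
    cp "$WORK/manifest.json.sig" "$WORK/tampered.json.sig"
    printf 'x' >> "$WORK/tampered.json"
    run_if_trusted "$WORK/tampered.json" "$WORK/publisher.pub" 2>/dev/null && return 1
    cp "$WORK/manifest.json" "$WORK/unsigned.json"
    run_if_trusted "$WORK/unsigned.json" "$WORK/publisher.pub" 2>/dev/null && return 1
    return 0
}

demo_signing
```

The two refusal paths are the point: a missing signature must be treated exactly like a bad one, and the trusted public key has to come from somewhere other than the registry that serves the image, otherwise the check verifies nothing.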
15. Restrict access
Role Based Access Control
Based on a team's function, assign no-access, view-only, restricted-control, or full-control permissions.
17. Limit Privileges
Isolate containers with a user namespace
Namespaces provide isolation for running processes, limiting their access to system resources without the running process being aware of the limitations.
18. Limit Privileges
Control groups
They provide many useful metrics, but they also help ensure that each container gets its fair share of resources.
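The two Limit Privileges slides above describe the kernel features behind the Run-stage controls; the following added example, not part of the original deck, shows what those controls translate to. `remap_uid` mirrors how a user namespace (the daemon's `userns-remap` setting) maps container UIDs onto an unprivileged host range, so that root inside the container is an ordinary user outside. The cgroup helpers compute the cgroup v2 values that `docker run --memory` and `--cpus` end up writing. The `/etc/subuid` entry is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the original slides: the kernel-level meaning of
# user-namespace remapping and cgroup limits. The subuid entry below is a
# constructed sample of the form `userns-remap` allocates.

# <user>:<first host uid>:<range length>
SUBUID_ENTRY='dockremap:100000:65536'

# remap_uid CONTAINER_UID: prints the host UID the namespace maps it to,
# or fails when the UID falls outside the allocated range. Container root
# (0) lands on an ordinary unprivileged host UID, which is why a process
# that escapes the namespace does not arrive as host root.
remap_uid() {
    start=$(printf '%s' "$SUBUID_ENTRY" | cut -d: -f2)
    length=$(printf '%s' "$SUBUID_ENTRY" | cut -d: -f3)
    if [ "$1" -lt 0 ] || [ "$1" -ge "$length" ]; then
        echo "uid $1 outside mapped range 0-$((length - 1))" >&2
        return 1
    fi
    echo $((start + $1))
}

# memory_to_bytes SIZE: converts the suffix form docker accepts (k, m, g)
# into the byte count written to the container's cgroup memory.max.
memory_to_bytes() {
    num=${1%[kKmMgG]}
    case "$1" in
        *[kK]) echo $((num * 1024)) ;;
        *[mM]) echo $((num * 1024 * 1024)) ;;
        *[gG]) echo $((num * 1024 * 1024 * 1024)) ;;
        *)     echo "$num" ;;
    esac
}

# cpus_to_cpu_max CPUS: --cpus N becomes a quota/period pair in cpu.max.
# Docker uses a 100000 us period, so 1.5 CPUs is "150000 100000": the
# container may consume at most 150 ms of CPU per 100 ms wall-clock window.
cpus_to_cpu_max() {
    period=100000
    quota=$(printf '%s' "$1" | awk -v p="$period" '{ printf "%d", $1 * p }')
    echo "$quota $period"
}

# Illustration of the run-time flags these values come from; the user
# namespace itself is enabled daemon-wide with "userns-remap" in daemon.json.
echo "container root -> host uid $(remap_uid 0)"
echo "--memory 512m  -> memory.max $(memory_to_bytes 512m)"
echo "--cpus 1.5     -> cpu.max    $(cpus_to_cpu_max 1.5)"
```

Seen this way, cgroups are as much a denial-of-service control as a metering tool: without `memory.max` and `cpu.max` a single misbehaving container can starve every other workload on the host, which is the "fair share" the slide refers to.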
20. Protect resources
API and network security
Docker containers typically rely heavily on APIs and networks to communicate with each other.
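The Docker daemon API is the most consequential of those APIs: anyone who can reach it unauthenticated has root-equivalent control of the host. The following added example, not part of the original deck, is a plain-sh audit of a daemon configuration (`/etc/docker/daemon.json`) for the settings that govern the API and network attack surface, run against a weak and a hardened constructed config side by side. The checks are string matches, adequate for a hand-written daemon.json but not a general JSON parser; certificate paths in the sample are placeholders.

```shell
#!/bin/sh
# Added example, not from the original slides: audit daemon.json for API
# and network exposure. Both configs are constructed samples.

# Weak: API on plain TCP with no client-certificate check, containers free
# to talk to each other on the default bridge, no user namespace.
WEAK_CONFIG='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "icc": true
}'

# Hardened: TLS with mandatory client verification, inter-container
# traffic off by default, remapped user namespace, no privilege gain.
HARDENED_CONFIG='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem",
  "icc": false,
  "userns-remap": "default",
  "no-new-privileges": true
}'

# audit_flag MESSAGE: record one finding.
audit_flag() {
    echo "$1"
    findings=$((findings + 1))
}

# audit_daemon_config: reads daemon.json on stdin, prints one finding per
# line and returns 0 only when no finding was raised.
audit_daemon_config() {
    cfg=$(cat)
    findings=0
    # A TCP listener without TLS client verification is an unauthenticated
    # root-equivalent API; require tlsverify whenever tcp:// appears.
    if printf '%s' "$cfg" | grep -q '"tcp://'; then
        printf '%s' "$cfg" | grep -q '"tlsverify": *true' \
            || audit_flag "API listens on TCP without tlsverify"
    fi
    # With icc on, every container on the default bridge can reach every
    # other one; off, they only talk over networks they are attached to.
    printf '%s' "$cfg" | grep -q '"icc": *false' \
        || audit_flag "icc not disabled on the default bridge"
    # User namespace remapping keeps container root off host root.
    printf '%s' "$cfg" | grep -q '"userns-remap"' \
        || audit_flag "userns-remap not configured"
    # no-new-privileges blocks setuid/setcap privilege gain inside containers.
    printf '%s' "$cfg" | grep -q '"no-new-privileges": *true' \
        || audit_flag "no-new-privileges not set"
    [ "$findings" -eq 0 ]
}

echo "weak config:"
printf '%s\n' "$WEAK_CONFIG" | audit_daemon_config || true
echo "hardened config:"
printf '%s\n' "$HARDENED_CONFIG" | audit_daemon_config && echo "no findings"
```

The same idea extends to the application side: put services that must talk to each other on a dedicated user-defined network rather than the default bridge, and treat the daemon socket like a root credential, mounting it into a container only when that container is trusted with the host.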