Container security
These rules are mainly written for Docker and Kubernetes (k8s), but the spirit is the same for any other container runtime.
A good alternative to Docker is Podman (with podman-compose). It runs daemonless and rootless by default, and works like a charm with existing Dockerfiles and docker-compose files.
Docker rules
1. Up-To-Date
Keep the whole platform running your containers up to date: the host operating system, the orchestrator, the container engine and, above all, the kernel of the host.
Remember that the kernel is shared between every container on the host, which is the major weakness of containers: a kernel exploit from inside one container compromises the host and every other container on it. If possible, run your containers inside small, lightweight VMs; that is a good way to contain kernel exploits. Clever Cloud, AWS and many other cloud providers already use this approach.
Remember the Dirty COW 🐮 vulnerability (CVE-2016-5195) affecting the Linux kernel: a race condition in the copy-on-write handling of private mappings that let an unprivileged process write to read-only files, and that was exploitable from inside a container.
2. Docker daemon
Never give access to the Docker daemon, and never mount its socket (`/var/run/docker.sock`) into a container. Whoever can talk to the daemon socket is effectively root on the host: one API call is enough to start a new container with `--privileged` and the host filesystem bind-mounted into it. Mounting the socket read-only (`:ro`) does not help, since the socket is connected to, not written to.
Bad example: the daemon socket crappily mounted as a volume inside a docker-compose
file 🤢
More information about tuning the Docker daemon here.
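The compose file below is an added example, not the one the original page refers to: the first service shows the bad practice (daemon socket mounted as a volume) and the second one the same service without it. Service names, the image name and the `./workspace` path are illustrative assumptions.

```yaml
# Added example, not from the original page. Image and service names are assumptions.
services:
  # BAD: anything running in this container can talk to the host's Docker daemon.
  # It can, for instance, ask the daemon to start a new container with
  # --privileged and -v /:/host and then chroot into the host filesystem as root.
  # Adding ":ro" to this mount changes nothing: the socket is connected to,
  # not written to, so the API stays fully usable.
  ci-runner-bad:
    image: example/ci-runner:latest
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock

  # GOOD: no daemon socket inside the container, a dedicated unprivileged user
  # (rule 3) and only the directory the job really needs, mounted read-only.
  ci-runner-good:
    image: example/ci-runner:latest
    user: "10001:10001"
    volumes:
      - ./workspace:/workspace:ro
```

If a job genuinely needs to build images, use a daemonless/rootless builder (Podman, as mentioned above, is one option) rather than handing it the host daemon.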
3. Use a unprivileged user
Run the process inside the container as an unprivileged user, so that a compromise of the application does not hand the attacker root inside the container (and, through a kernel or runtime bug, on the host). In a Dockerfile, create a dedicated user and switch to it with the `USER` instruction; at run time, `docker run --user <uid>:<gid>` or the `user:` key of docker-compose does the same.
In k8s this is configured through the Security Context (`runAsNonRoot`, `runAsUser`, `allowPrivilegeEscalation: false`), see the Security Context documentation.
4. Limit container capabilities
Limit container capabilities with the Linux kernel capability mechanism: a container does not need the full root capability set to run a web server.
Never launch a container with the `--privileged` flag: it grants all capabilities, disables the default seccomp and AppArmor profiles and exposes the host devices, which amounts to root on the host.
The most secure approach is to launch the container with `--cap-drop all` and to add back, one by one, only the capabilities the process actually needs with `--cap-add <capability>` (for example `NET_BIND_SERVICE` to bind a port below 1024). The docker-compose equivalents are `cap_drop` and `cap_add`.
In k8s you define capabilities in the container's security context (`capabilities.drop` / `capabilities.add`).
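Rules 3 and 4 applied together in a Kubernetes Pod manifest. This is an added example, not a manifest from the original page: the Pod and image names are assumptions, and the commented `NET_BIND_SERVICE` line shows how a single capability would be added back only if the process really needed it.

```yaml
# Added example, not from the original page. Names and image are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: hardened-web
spec:
  securityContext:
    runAsNonRoot: true      # kubelet refuses to start the container as UID 0
    runAsUser: 10001        # rule 3: unprivileged user
    runAsGroup: 10001
    fsGroup: 10001
  containers:
    - name: web
      image: example/web:1.0.0
      ports:
        - containerPort: 8080   # unprivileged port, so no NET_BIND_SERVICE needed
      securityContext:
        privileged: false                 # rule 4: never --privileged
        allowPrivilegeEscalation: false   # no setuid/file-capability escalation (no_new_privs)
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]                   # equivalent of docker run --cap-drop all
          # add back only what the process actually needs, e.g. to bind port 80:
          # add: ["NET_BIND_SERVICE"]
      volumeMounts:
        - name: tmp
          mountPath: /tmp                 # writable scratch space despite the read-only root
  volumes:
    - name: tmp
      emptyDir: {}
```

The equivalent `docker run` invocation is `docker run --user 10001:10001 --cap-drop all --read-only --security-opt no-new-privileges example/web:1.0.0`. Apply the manifest and check that the process is not root with `kubectl exec hardened-web -- id`; with `runAsNonRoot: true`, a Pod whose image insists on UID 0 will simply fail to start, which is the behaviour you want.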
5. Disable inter-container communication
By default, all containers attached to the default `docker0` bridge network can talk to each other, so one compromised container can reach every service running next to it. This can be disabled by launching the Docker daemon with the `--icc=false` flag (or `"icc": false` in `/etc/docker/daemon.json`). Containers that really need to communicate are then placed together on a user-defined network, which also keeps them isolated from the rest.
6. Use Linux Security Module
ToDo
7. Use security scanning tool
You can use static analysis (SAST) tools to scan your Dockerfiles, Helm charts and other container-related files before anything is built.
Semgrep is a great tool for this, with rulesets for Dockerfiles and configuration files. It flags bad practices in the static files (running as root, `--privileged`, mounting the daemon socket, and so on).
Trivy is also a good tool for scanning built images: it inventories the OS packages and application dependencies found in the image layers and compares their versions against an open-source vulnerability database (`trivy image <image>`). It is very good for analysing a complete image registry, and it can scan configuration files for misconfigurations as well (`trivy config <dir>`).