This document provides an overview of container security best practices. It recommends scanning containers for vulnerabilities before deployment, running containers with limited privileges using security contexts, and limiting container resources consumption using limits and requests. The document also discusses container runtimes like Docker, Containerd and CRI-O, and how containers isolate processes using namespaces and cgroups.

1. Anurag Choudhary
● Developer, DevOps and
Tech Lead. Wanna be
Technical Architect
● Loves technology, movies,
nature & humanity
● Hates traffic on road but
not on the network

2. Container Security
Anurag Choudhary
Agile Network India
28th Feb 2021

3. Key Take
Aways
Pre-requsites and standardization of
development team and deliverables at
the end of a PI/Sprint.
Flatten the team, use NoOps!
Manage Spend on infrastructure.
A few how-tos!
Expectations!

4. Why?
Why NOT?
Question
Answer
Container is core of your deployment.
Container should run
- Isolated
- Immutable
- Lightweight
- Hardened
Container MUST NOT:
- Accumulate System Resources
- Work as a mole
- Blackhole & Miracle!
Containers can run alone or as a part of workload ecosystem.
Reasons

5. Jargon
Static Scan
CVE : Common Vulnerabilities and
Exposures
MITRE. [Non-Profit Organization]
NVD [National Vulnerability Database]
Words!
First container CVE : CVE-2019-5736 https://seclists.org/oss-sec/2019/q1/119

6. Container
Runtime
"We are excited to introduce Docker Engine
1.11, our first release built on runC ™ and
containerd ™. With this release, Docker is the
first to ship a runtime based on OCI
technology, demonstrating the progress the
team has made since donating our
industry-standard container format and
runtime under the Linux Foundation in June
of 2015”
Runtime
Courtesy : https://computingforgeeks.com/docker-vs-cri-o-vs-containerd/

7. Unfortunately, no one can be told what The Matrix is. You'll
have to see it for yourself.
Matrix, 1999
Character : Morpheus

8. In-Depth!
Docker container are isolated using Namespaces:
● IPC namespace
● Mount namespace
● Network namespace
● Process (PID) namespace
● User namespace
● UTS [Unix Time Sharing]
Namespace 2
Container
C
Namespace 1
Container
A
Container
B
Container
D
Docker containers use Control Groups to control or limit
access to system resources.
Also known as cgroups.
CGroups are hierarchical policies.
CGroups are formed using multiple nodes.
A Node is a collection of process.
Types:
● Memory
● TLB
● CPU
● Bulk IO
● Net
● Device (/dev/)
CGROUPS

9. How?
Static Scan
Container Scan
Repository CI/CD Image
Container
Registry
Repository CI/CD Image
Container
Registry
Scan
● Container must be scanned for Vulnerabilities.
● Maintain a standard from development to deployment.
● Use hardened base images, even for development!
● Scan EVERY image before it goes to your Container
Registry/Repository
● If you are using Elastic Container Registry (ECR) in AWS it is
free!
● Azure Defender use Qualys and has got a few limitations.
● Third-party tools can be used. Eg. Anchore, Qualys, DTR.

10. How?
System
Hardening
By default a Pod/container runs with UID 0
Kubernetes provides options for running
workloads under limited SECURITY CONTEXTS:
● runAsUser
● runAsGroup
● fsGroup
Words!
● Containerd
● CRI-O
● Docker
Container Runtimes supported by
Kubernetes
https://kubernetes.io/docs/setup/production-environment/container-runtimes/
spec:
securityContext:
runAsUser: 1000
runAsGroup: 3000
fsGroup: 2000
containers: ...

11. Limit memory consumption in your pod
template.
Also, Limit the CPU consumption.
How?
Runtime
limits
containers:
- name: memory-demo-ctr
image: polinux/stress
resources:
limits:
memory: "200Mi"
cpu: "1"
requests:
memory: "100Mi"
cpu: "0.5"
kubectl top pod podname --namespace=namespace

12. Questions?
Programming is difficult business. It should never be undertaken in ignorance.
- Douglas Crockford