Downloaded 11 times
Uploaded byThoughtworks
Docker container security
The document discusses security challenges and best practices for Docker containers. It outlines risks at different stages of the container lifecycle from image development to deployment. Key risks include lack of isolation, complex ecosystems, and known vulnerabilities. The document recommends practices like using linting and scanning during development, restricting resources and access controls at deployment, and signing images from trusted sources to improve container security.
More Related Content
Similar to Docker container security
Docker container security
- 1. © 2020 ThoughtWorks ExploringDocker container security: Risks and good practices Marina Kjaer & Mónica Calderaro
- 2. Mónica Calderaro © 2020ThoughtWorks Software Developer Marina Kjaer Software Developer @MonicaCRey
- 3. Security is a HUGEtopic © 2020 ThoughtWorks
- 4. © 2020 ThoughtWorks Themain challenges are that Containers are complex, the lack of isolation and the complexity of the ecosystem.
- 5. Build Ship Run Containerlifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 6. Image Development Safety Usea Dockerfile linter Add a linter into your workflow to catch common security mistakes early Build Ship Run
- 7. Image Development Safety Identifyand find any known vulnerabilities that may be present in an image. Docker image security scanning Build Ship Run
- 8. Image Development Safety Multistagebuilds Keep your image in production a small as possible by creating 2 or more containers. The first one uses all tools and libraries to build the application, the second just runs the output from the first. Build Ship Run
- 9. Image Development Safety Usea trusted image Use a minimal base image With the bare minimum that's needed for your app, for example Distroless. Build Ship Run
- 10. Image Development Safety Choosemore specific tags as opposed to latest. Use fixed tags for immutability Build Ship Run
- 11. Image Development Safety Signaturesallow client-side or runtime verification of the integrity and publisher of specific image tags. Verify Images to be signed Build Ship Run
- 12. Build Ship Run Containerlifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 13. Image reliability Signing Images Trustedsources could include Official Docker Images, or User trusted sources signed with Docker Content Trust. Build Ship Run
- 14. Restrict Resources Build Ship Run Set resourcequotas Resource quotas allow you to limit the amount of memory and CPU resources that a container can consume.
- 15. Restrict access Role BasedAccess Control Based on teams function, assigns no access, view only, restricted control, or full control permissions. Build Ship Run
- 16. Build Ship Run Containerlifecycle ● Code Analysis ● Image Hardening ● Image Scanning ● Image signing ● Resources Control ● User Access Control ● Host and Kernel security ● Access Controls ● Other Resources
- 17. Limit Privileges Isolate containerswith a user namespace Namespaces provide isolation for running processes, limiting their access to system resources without the running process being aware of the limitations. Build Ship Run
- 18. Limit Privileges Control groups Theyprovide many useful metrics, but they also help ensure that each container gets its fair share of resources. Build Ship Run
- 19. Limit Privileges Rootless mode Runthe Docker daemon as a non-root user. Build Ship Run
- 20. Protect resources API andnetwork security Docker containers typically rely heavily on APIs and networks to communicate with each other. Build Ship Run
- 21. © 2020 ThoughtWorks Demotime © 2020 ThoughtWorks
- 22. Build Ship Run Let’srecap With the bare minimum and from trusted sources With controlled resources With the right permissions
- 23. Resources ● https://docs.docker.com/ ● https://resources.whitesourcesoftware.com/blog-w hitesource/docker-container-security-challenges-an d-best-practices ●https://www.trendmicro.com/ ● https://snyk.io/ ● https://neuvector.com/ ● https://containerjournal.com/ ● https://www.redhat.com/en/topics/security/contain er-security © 2020 ThoughtWorks ● https://docs.mirantis.com/docker-enterprise/v3.0/d ockeree-products/ucp.html ● https://sysdig.com/blog/7-docker-security-vulnerabil itie ● https://washraf.gitbooks.io/the-docker-ecosystem/c ontent/Chapter%201/Section%203/Control%20Grou ps.html
- 24. Continue the conversation onSlack © 2020 ThoughtWorks XConfEurope2020 xconfeurope2020.slack.com #talk2-docker-container-security #XConfOnline