Home

Awesome

Container Security Checklist: From the image to the workload

Table Of Contents


Cloud Native challenges

Legacy appsCloud Native appsCloud Native Security
Discrete, infrequent releasesfrequent releases, using CI/CDShifting left with automated testing
Very little open sourceOpen source everywhereSCA - Software composition analysis
Proprietary softwareProprietary code, Open source, Third-party softwareSoftware supply chain risk
Persistent workloadsEphemeral workloads. Ensure that your containers are stateless and immutableRuntime controls that follow the workload
Hypervisor or hardware isolationShared kernel, obscured OSEnforce least privilege on each workload
Permanent addressOrchestrated containers. Kubernetes creates DNS records for services and podsIdentity-based segmentation
Vertical control of the stackmulti-cloudDetecting cloud services misconfigurations (CSPM)
Networking monitoring and threat detection tools were based on auditd, syslog, dead-disk forensics, and it used to get the full contents of network packets to disk "packet captures". Capturing packets sotes every packet in a network to disk and runs custom pattern matching on each packet to identify an attack.Cloud native apps the traffic is encrypted. Packet captures are too costly and ineffective for cloud native environments.Using eBPF programs, you collect the events in real time without disruption to the app.

Table by Aqua Cloud Native Security Platform, more details download here

Container Threat Model

thread-model Figure by Container Security by Liz Rice

Container Security Checklist

Checklist to build and secure the images across the following phases:

Build Figure by cncf/tag-security


Supply Chain Security

Image Signing

Sign and verify images to mitigate a man in the middle (MITM) attack. Docker offers a Content Trust mechanism that allows you to cryptographically sign images using a private key. This guarantees the image, and its tags, have not been modified.

Secure the Build

Hardening Code - Secure SDLC (Software Development Life Cycle)

Secure the Image - Hardening

You can build the container images using Docker, Kaniko.

Package a single application per container. Small container images. Minimize the number of layers.

A well-designed multi-stage build contains only the minimal binary files and dependencies required for the final image, with no build tools or intermediate files. Optimize cache.

Do not use a UID below 10,000. For best security, always run your processes as a UID above 10,000. Remove setuid and setgid permissions from the images

Pulling images by digest
docker images --digests
docker pull alpine@sha256:b7233dafbed64e3738630b69382a8b231726aa1014ccaabc1947c5308a8910a7

Image Scanning

Container Security Scanners

Comparing the container scanners results:

More Material about build containers

Secure the Container Registry

Best configurations with ECR, ACR, Harbor, etc. Best practices.

There is no guarantee that the image you are pulling from the registry is trusted. It may unintentionally contain security vulnerabilities, or may have intentionally been replaced with an image compromised by attackers.

Registry Resources

Secure the Container Runtime

See the following container runtimes, there are three main types of container runtimes—low-level runtimes, high-level runtimes, and virtualized runtimes or sandboxed.

  1. Low-Level Container Runtimes:
  1. High-Level Container Runtimes
  1. Sandboxed and Virtualized Container Runtimes

Why is important Runtime Security?

Constraints

Enable detection of anomalous behaviour in applications.

Docker Security

Never make the daemon socket available for remote connections, unless you are using Docker’s encrypted HTTPS socket, which supports authentication.

The Docker daemon socket is a Unix network socket that facilitates communication with the Docker API. By default, this socket is owned by the root user. If anyone else obtains access to the socket, they will have permissions equivalent to root access to the host.

More Material about Docker Security

Secure the Infrastructure

Risk:

Best practices:

Secure the Data

Secrets are Digital credentials:

Secrets Management Tools

Open source tools:

Cloud Provider Key Management

Enterprise secrets vault:

Secure the Workloads... Running the containers

To check if the container is running in privileged mode docker inspect --format =’{{. HostConfig.Privileged}}’[container_id]

When a container is compromised, attackers may try to make use of the underlying host resources to perform malicious activity. Set memory and CPU usage limits to minimize the impact of breaches for resource-intensive containers.

docker run -d --name container-1 --cpuset-cpus 0 --cpu-shares 768 cpu-stress

Protecting a container is exactly the same as protecting any process running on Linux. Ideally, the operating system on a container host should protect the host kernel from container escapes, and prevent mutual influence between containers.

This can prevent malicious activity such as deploying malware on the container or modifying configuration. docker run --read-only alpine

Common Containers Attacks

Container Security Guides

Further reading:

Collaborate

If you find any typos, errors, outdated resources; or if you have a different point of view. Please open a pull request or contact me.

Pull requests and stars are always welcome 🙌