Chapter 60: Container Security
Overview
This chapter covers container security best practices, working outward from the registry and the image to the runtime and the orchestrator: image hardening, runtime hardening, secrets management, vulnerability scanning, network policies and pod security standards.
60.1 Container Security Principles
Defense in Depth
Container Security Layers

1. Registry Security
   - Use trusted images
   - Scan for vulnerabilities
   - Sign images
2. Image Security
   - Minimal base images
   - No secrets in images
   - Multi-stage builds
3. Runtime Security
   - Drop capabilities
   - Run as non-root
   - Resource limits
   - Network isolation
4. Orchestration Security
   - RBAC
   - Network policies
   - Pod Security Standards (PodSecurityPolicy was removed in Kubernetes 1.25)
60.2 Image Security
Best Practices
```dockerfile
# Use specific tags, never :latest (a digest pin, image@sha256:<digest>, is stricter still)
FROM nginx:1.24

# Remove unnecessary packages and the apt cache in the same layer, while still root
RUN apt-get clean && rm -rf /var/lib/apt/lists/*

# Don't run as root: switch to the image's unprivileged user last, so the
# earlier steps that need root (the package cleanup above) still work
USER nginx
```

Use a read-only root filesystem at run time. The official nginx image still needs writable /var/cache/nginx and /var/run, so give those two paths tmpfs mounts when you enable this:

```bash
docker run --read-only nginx
```
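The rules above are easy to state and easy to forget in review. The following linter is an added example, not code from the chapter: it checks a Dockerfile for an unpinned base tag, a missing or root USER, credentials baked in through ENV/ARG, unverified ADD-from-URL downloads and apt layers that leave the package lists behind. The finding texts, the secret-name heuristic and the two sample Dockerfiles are the author's own assumptions.

```python
"""Lint a Dockerfile for the image rules in this section.

Added example, not the chapter's own code. The findings, the secret-name
pattern and the two sample Dockerfiles below are the author's assumptions.
"""
import re

# Constructed sample that breaks every rule
BAD_DOCKERFILE = """\
FROM nginx:latest
ENV DB_PASSWORD=hunter2
ADD https://example.invalid/tool.tar.gz /opt/
RUN apt-get update && apt-get install -y curl
"""

# Constructed sample: the hardened Dockerfile shown above
GOOD_DOCKERFILE = """\
FROM nginx:1.24
RUN apt-get clean && rm -rf /var/lib/apt/lists/*
USER nginx
"""

# Variable names that usually carry credentials (assumed heuristic)
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY", re.I)


def parse_instructions(text):
    """Yield (INSTRUCTION, argument) pairs, joining backslash continuations."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")


def lint_dockerfile(text):
    """Return a sorted list of findings; an empty list means the file passes."""
    findings = []
    last_user = None            # USER in effect at the end of the last stage
    for instr, arg in parse_instructions(text):
        if instr == "FROM":
            image = arg.split()[0]                     # drop "AS <stage>"
            if image.lower() == "scratch" or "@sha256:" in image:
                continue                               # no OS at all, or pinned by digest
            name = image.rsplit("/", 1)[-1]            # strip registry/repository path
            tag = name.split(":", 1)[1] if ":" in name else "latest"
            if tag == "latest":
                findings.append(f"FROM {image}: unpinned tag, use a specific tag or a digest")
        elif instr == "USER":
            last_user = arg.split(":")[0]              # "user:group" -> user
        elif instr in ("ENV", "ARG"):
            pairs = [t.partition("=") for t in arg.split()] if "=" in arg else [arg.partition(" ")]
            for key, _, value in pairs:
                if value and SECRET_NAME.search(key):
                    findings.append(f"{instr} {key}: secret-looking value baked into the image")
        elif instr == "ADD" and re.match(r"https?://", arg):
            findings.append("ADD from URL: unverified download, prefer COPY of a checked artifact")
        elif instr == "RUN" and "apt-get install" in arg and "/var/lib/apt/lists" not in arg:
            findings.append("RUN apt-get install without removing /var/lib/apt/lists in the same layer")
    if last_user is None or last_user in ("root", "0"):
        findings.append("no non-root USER: the container will run as root")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("bad", BAD_DOCKERFILE), ("good", GOOD_DOCKERFILE)):
        print(label, lint_dockerfile(text) or "clean")
```

Run it in CI before the build step; a digest-pinned FROM and a non-root USER pass, the sample BAD_DOCKERFILE produces five findings. The apt check is deliberately per-instruction: a cleanup in a later RUN does not shrink the layer that already contains the lists.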
60.3 Runtime Security
Container Hardening
```bash
# Don't run privileged: --privileged hands the container every capability
# and every host device, which is effectively root on the host
docker run --privileged nginx   # AVOID

# Drop capabilities, then add back only what the workload needs
docker run --cap-drop=all --cap-add=NET_BIND_SERVICE nginx
```

User namespace remapping maps root inside the container to an unprivileged UID on the host. It is a daemon-wide setting in /etc/docker/daemon.json and takes effect only after the daemon is restarted:

```json
{
  "userns-remap": "default"
}
```

```bash
# seccomp profile: Docker applies its built-in default profile unless you
# pass your own file (seccomp=unconfined switches filtering off entirely)
docker run --security-opt seccomp=default.json nginx

# AppArmor profile (docker-default is the profile Docker loads on AppArmor hosts)
docker run --security-opt apparmor=docker-default nginx
```
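The flags above are only useful if they are actually in effect on the containers that are running. The script below is an added example, not code from the chapter: it audits one element of the list that `docker inspect <container>` prints and reports privileged mode, capabilities that were not dropped, risky capabilities added back, a root user, a writable root filesystem, disabled seccomp or AppArmor, a missing no-new-privileges option and shared host namespaces. The two inspect documents are constructed to look like the output for a privileged container and for one started with this section's flags, and the list of "risky" capabilities is the author's own choice.

```python
"""Audit the HostConfig of a running container against the flags above.

Added example, not the chapter's own code. Feed it one element of the
list that `docker inspect <container>` prints; the two documents below
are constructed, and the set of "risky" capabilities is the author's choice.
"""
import json

# Constructed: roughly what `docker inspect` reports for `docker run --privileged nginx`
PRIVILEGED = json.loads("""
{"Config": {"User": ""},
 "HostConfig": {"Privileged": true, "CapAdd": null, "CapDrop": null,
                "SecurityOpt": null, "ReadonlyRootfs": false,
                "PidMode": "", "NetworkMode": "default"}}
""")

# Constructed: a container started with the hardening flags from this section
HARDENED = json.loads("""
{"Config": {"User": "nginx"},
 "HostConfig": {"Privileged": false, "CapAdd": ["NET_BIND_SERVICE"], "CapDrop": ["ALL"],
                "SecurityOpt": ["no-new-privileges", "seccomp=default.json",
                                "apparmor=docker-default"],
                "ReadonlyRootfs": true, "PidMode": "", "NetworkMode": "bridge"}}
""")

# Capabilities that give a path back to root on the host (assumed list)
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH"}


def audit_container(doc):
    """Return a list of findings for one `docker inspect` document; [] is clean."""
    host = doc.get("HostConfig") or {}
    user = (doc.get("Config") or {}).get("User") or ""
    opts = host.get("SecurityOpt") or []
    findings = []
    if host.get("Privileged"):
        findings.append("privileged: every capability and all host devices are available")
    if "ALL" not in {c.upper() for c in host.get("CapDrop") or []}:
        findings.append("capabilities not dropped: Docker's default set is in effect")
    for cap in host.get("CapAdd") or []:
        if cap.upper().removeprefix("CAP_") in RISKY_CAPS:
            findings.append(f"risky capability added: {cap}")
    if user.split(":")[0] in ("", "root", "0"):
        findings.append("runs as root: Config.User is empty or root")
    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable: no --read-only")
    if any(o.startswith("seccomp=unconfined") for o in opts):
        findings.append("seccomp filtering disabled")
    if any(o.startswith("apparmor=unconfined") for o in opts):
        findings.append("AppArmor confinement disabled")
    if not any(o.startswith("no-new-privileges") and not o.endswith(":false") for o in opts):
        findings.append("no-new-privileges not set: setuid binaries can still escalate")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    if host.get("NetworkMode") == "host":
        findings.append("shares the host network namespace")
    return findings


if __name__ == "__main__":
    import sys
    docs = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else [PRIVILEGED, HARDENED]
    for doc in docs:
        print(audit_container(doc) or "clean")
```

Pipe `docker inspect` output into it (the file argument) to sweep a host; the constructed privileged document yields five findings and the hardened one none. The no-new-privileges check is worth keeping even when capabilities are dropped, since without it a setuid binary inside the image can still regain them.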
60.4 Secrets Management
Docker Secrets
```bash
# Create secret (Docker secrets require swarm mode)
echo "password" | docker secret create db_password -

# Use in service: the secret is mounted as a file at /run/secrets/db_password
docker service create --secret db_password nginx
```
Kubernetes Secrets

```yaml
# Use secret as env var
env:
  - name: DB_PASSWORD
    valueFrom:
      secretKeyRef:
        name: db-secret
        key: password
```

Two caveats. A Secret is only base64-encoded, not encrypted, until you enable encryption at rest for the API server, and anyone who can read Secret objects through RBAC can read the value, so scope that permission tightly. And an environment variable is visible in /proc/<pid>/environ, is inherited by every child process and tends to end up in crash dumps and debug output; mounting the secret as a volume file is the safer choice whenever the application can read it from a file.
60.5 Scanning Images

```bash
# Trivy
trivy image nginx:latest
trivy image --severity HIGH,CRITICAL nginx:latest

# Clair
clair-scanner nginx:latest

# Anchore (the vulnerability type, os, non-os or all, is a required argument)
anchore-cli image add nginx:latest
anchore-cli image vuln nginx:latest all
```

Scan the exact tag or digest you deploy rather than a moving tag such as latest, and re-scan on a schedule: a clean result today says nothing about advisories published tomorrow.
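A scanner report is only useful in CI if something decides whether to fail the build. The script below is an added example, not code from the chapter or from the Trivy project: it reads a Trivy JSON report, keeps findings at or above a severity threshold, and splits them into blocking findings and waived ones (no fix available yet, or an identifier on a reviewed allowlist). The report is constructed with placeholder identifiers rather than real CVEs; the field names follow Trivy's JSON output, and the gating rules are the author's choice.

```python
"""Gate a CI build on a Trivy JSON report.

Added example, not the chapter's own code. The gating rules (severity
threshold, ignore-unfixed, reviewed allowlist) are the author's choice;
the field names follow Trivy's JSON output (SchemaVersion 2), and the
report below is constructed with placeholder identifiers, not real CVEs.
"""
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample shaped like `trivy image --format json nginx:1.24` output
SAMPLE_REPORT = json.loads("""
{"SchemaVersion": 2, "ArtifactName": "nginx:1.24",
 "Results": [
  {"Target": "nginx:1.24 (debian 12.4)", "Class": "os-pkgs", "Type": "debian",
   "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0001", "PkgName": "libexample-a", "InstalledVersion": "1.0-1",
     "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
    {"VulnerabilityID": "EXAMPLE-0002", "PkgName": "libexample-b", "InstalledVersion": "2.3-1",
     "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "EXAMPLE-0003", "PkgName": "libexample-c", "InstalledVersion": "0.9-1",
     "FixedVersion": "1.0-1", "Severity": "MEDIUM"}]},
  {"Target": "usr/share/app/package-lock.json", "Class": "lang-pkgs", "Type": "npm",
   "Vulnerabilities": [
    {"VulnerabilityID": "EXAMPLE-0004", "PkgName": "example-lib", "InstalledVersion": "4.1.0",
     "FixedVersion": "4.1.1", "Severity": "HIGH"}]}]}
""")


def iter_findings(report):
    """Yield (target, vulnerability) for every finding; Vulnerabilities may be null."""
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            yield result.get("Target", ""), vuln


def gate(report, min_severity="HIGH", ignore_unfixed=True, allowlist=()):
    """Split findings at or above min_severity into (blocking, waived) lists.

    A non-empty blocking list should fail the build. Unfixed findings are
    waived (there is nothing to upgrade to yet) but still reported;
    allowlisted IDs are waived because someone reviewed and accepted them.
    """
    threshold = SEVERITY_RANK[min_severity.upper()]
    blocking, waived = [], []
    for target, vuln in iter_findings(report):
        severity = vuln.get("Severity", "UNKNOWN").upper()
        if SEVERITY_RANK.get(severity, 0) < threshold:
            continue
        entry = (f"{vuln['VulnerabilityID']} {vuln.get('PkgName')} "
                 f"{vuln.get('InstalledVersion')} [{severity}] in {target}")
        if vuln["VulnerabilityID"] in allowlist:
            waived.append(entry + " (allowlisted)")
        elif ignore_unfixed and not vuln.get("FixedVersion"):
            waived.append(entry + " (no fix available)")
        else:
            blocking.append(entry + f" -> fix in {vuln.get('FixedVersion')}")
    return blocking, waived


if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    blocking, waived = gate(report)
    for line in waived:
        print("waived:  ", line)
    for line in blocking:
        print("BLOCKING:", line)
    sys.exit(1 if blocking else 0)
```

Trivy can do the simple form of this itself with `--exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed`; the script is for the moment you need a reviewed allowlist with an owner, or want the same policy applied to reports from several pipelines. On the sample report it blocks on EXAMPLE-0001 and EXAMPLE-0004 and waives EXAMPLE-0002, which has no fixed version.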
60.6 Network Policies
Kubernetes Network Policy
```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-nginx
spec:
  podSelector:
    matchLabels:
      app: nginx
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: client
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: database
```

Three things to keep in mind when reading this policy. It is only enforced if the cluster's CNI plugin implements NetworkPolicy; on one that does not, the object is accepted and silently ignored. It only restricts the pods it selects (app: nginx): every other pod in the namespace still accepts and sends anything until a default-deny policy selects it too, and podSelector peers only match pods in the policy's own namespace. And because Egress is listed, the nginx pods may now talk only to app: database, which includes losing DNS; a further egress rule allowing UDP and TCP port 53 to the cluster DNS pods (in kube-system, so it needs a namespaceSelector) is required before the application can resolve any name.
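The selection semantics behind a NetworkPolicy (a pod is "isolated" only once some policy selects it, and a connection needs egress allowed at the source and ingress allowed at the destination) are what make the DNS surprise and the need for a default-deny policy easy to miss. The evaluator below is an added example, not code from the chapter or from Kubernetes: a deliberately small model that handles podSelector/matchLabels rules inside one namespace and ignores namespaceSelector, ipBlock and ports. The policies and pod labels are constructed; the kube-dns pod really lives in kube-system, which this single-namespace model flattens away.

```python
"""Decide which pods may talk under a set of NetworkPolicies.

Added example, not the chapter's own code: a deliberately small model of
the NetworkPolicy selection semantics that handles podSelector/matchLabels
rules inside one namespace and ignores namespaceSelector, ipBlock and ports.
The policies and pod labels below are constructed.
"""

# The allow-nginx policy from this section, as the API object's spec
ALLOW_NGINX = {"metadata": {"name": "allow-nginx"}, "spec": {
    "podSelector": {"matchLabels": {"app": "nginx"}},
    "policyTypes": ["Ingress", "Egress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "client"}}}]}],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "database"}}}]}]}}

# Extra egress allowance so the nginx pods can still resolve names (assumed)
ALLOW_NGINX_DNS = {"metadata": {"name": "allow-nginx-dns"}, "spec": {
    "podSelector": {"matchLabels": {"app": "nginx"}},
    "policyTypes": ["Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}]}]}}

# Namespace-wide default deny for ingress: selects every pod, allows nothing
DEFAULT_DENY_INGRESS = {"metadata": {"name": "default-deny-ingress"}, "spec": {
    "podSelector": {}, "policyTypes": ["Ingress"]}}

PODS = {"client": {"app": "client"}, "nginx": {"app": "nginx"},
        "database": {"app": "database"}, "kube-dns": {"k8s-app": "kube-dns"}}


def selects(selector, labels):
    """matchLabels semantics: every listed label must match; {} selects all pods."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def peer_matches(peers, labels):
    """A rule whose from/to list is empty or missing matches every peer."""
    if not peers:
        return True
    return any(selects(p["podSelector"], labels) for p in peers if "podSelector" in p)


def direction_allowed(policies, pod, peer, ptype, rules_key, peer_key):
    """One direction: a pod selected by any policy of this type is isolated and
    needs an explicit rule; an unselected pod accepts everything (default allow)."""
    isolated = False
    for policy in policies:
        spec = policy["spec"]
        if not selects(spec.get("podSelector", {}), pod):
            continue
        # Default policyTypes: Ingress always, Egress only if egress rules exist
        types = spec.get("policyTypes") or (["Ingress"] + (["Egress"] if "egress" in spec else []))
        if ptype not in types:
            continue
        isolated = True
        for rule in spec.get(rules_key) or []:
            if peer_matches(rule.get(peer_key), peer):
                return True
    return not isolated


def allowed(policies, src, dst):
    """src -> dst is allowed only if egress passes at src AND ingress passes at dst."""
    return (direction_allowed(policies, src, dst, "Egress", "egress", "to")
            and direction_allowed(policies, dst, src, "Ingress", "ingress", "from"))


if __name__ == "__main__":
    for name, policies in (("allow-nginx only", [ALLOW_NGINX]),
                           ("+ dns + default-deny", [ALLOW_NGINX, ALLOW_NGINX_DNS, DEFAULT_DENY_INGRESS])):
        print(name)
        for s in PODS:
            for d in PODS:
                if s != d:
                    verdict = "allow" if allowed(policies, PODS[s], PODS[d]) else "DENY"
                    print(f"  {s:8} -> {d:8}: {verdict}")
```

With allow-nginx alone, client to nginx and nginx to database pass, nginx to kube-dns is denied (the DNS problem), and client to database passes because neither pod is selected by anything. Adding the DNS policy restores name resolution; adding default-deny-ingress then blocks client to database, but also nginx to database, because the destination now needs its own ingress allowance: a default-deny posture means every consumer needs an explicit ingress rule, not only the pods you first thought about.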
60.7 Pod Security
Pod Security Standards
```yaml
# Pod-level securityContext (spec.securityContext): applies to every container
securityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 2000
  seccompProfile:
    type: RuntimeDefault
```

```yaml
# Capabilities are container-level (spec.containers[].securityContext)
securityContext:
  capabilities:
    drop:
      - ALL
    add:
      - NET_BIND_SERVICE
```

Together these satisfy most of the restricted Pod Security Standard; the profile additionally requires allowPrivilegeEscalation: false on every container. Since PodSecurityPolicy was removed in Kubernetes 1.25, the standards are enforced by the built-in Pod Security Admission controller, switched on per namespace with the pod-security.kubernetes.io/enforce label (privileged, baseline or restricted); use the warn and audit labels first to see what would be rejected before enforcing.
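To see exactly which fields the restricted profile looks at, and how a container-level securityContext overrides the pod-level one, the checker below is an added example, not code from the chapter or from Kubernetes. It applies the restricted profile's rules on privilege escalation, capabilities, running as non-root and seccomp, plus the baseline host-namespace rules, to every container of a Pod. The two sample pods are constructed (one with this section's settings, one with no securityContext at all) and the wording of the findings is the author's own.

```python
"""Check a Pod against the "restricted" Pod Security Standard controls above.

Added example, not the chapter's own code. The checks follow the restricted
profile's rules on privilege escalation, capabilities, running as non-root
and seccomp, plus the baseline host-namespace rules; the two sample pods are
constructed, and the findings' wording is the author's own.
"""

ALLOWED_CAP_ADD = {"NET_BIND_SERVICE"}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}

# Constructed: the pod-level and container-level securityContext from this section
RESTRICTED_POD = {"metadata": {"name": "nginx"}, "spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "nginx", "image": "nginx:1.24", "securityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]}}}]}}

# Constructed: the same image with no securityContext at all (cluster defaults)
DEFAULT_POD = {"metadata": {"name": "nginx"}, "spec": {
    "containers": [{"name": "nginx", "image": "nginx:1.24"}]}}


def _effective(container_sc, pod_sc, key):
    """A container-level securityContext field overrides the pod-level one."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def check_pod(pod):
    """Return the list of restricted-profile violations; [] means the pod is admissible."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for field in ("hostPID", "hostNetwork", "hostIPC"):      # baseline rules
        if spec.get(field):
            findings.append(f"spec.{field} is true")
    # The rules apply to every container, init containers included
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    for c in containers:
        name = c.get("name", "?")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(f"{name}: privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be set to false")
        caps = sc.get("capabilities") or {}
        drop = {x.upper() for x in caps.get("drop") or []}
        extra = {x.upper() for x in caps.get("add") or []} - ALLOWED_CAP_ADD
        if "ALL" not in drop:
            findings.append(f"{name}: capabilities.drop must contain ALL")
        if extra:
            findings.append(f"{name}: capabilities.add {sorted(extra)} not allowed (only NET_BIND_SERVICE)")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot must be true (pod or container level)")
        if _effective(sc, pod_sc, "runAsUser") == 0:
            findings.append(f"{name}: runAsUser 0 is root")
        seccomp = (_effective(sc, pod_sc, "seccompProfile") or {}).get("type")
        if seccomp not in ALLOWED_SECCOMP:
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


if __name__ == "__main__":
    for pod in (RESTRICTED_POD, DEFAULT_POD):
        print(pod["metadata"]["name"], check_pod(pod) or "admissible")
```

The admission controller performs the same evaluation on every Pod creation once a namespace carries the enforce label; running a check like this over manifests in CI tells you before deployment which workloads it would reject. Note that a container can undo a pod-level runAsNonRoot: true by setting its own to false, which is why the check resolves the effective value per container.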
Summary
In this chapter, you learned:
- ✅ Container security principles
- ✅ Image security best practices
- ✅ Runtime security hardening
- ✅ Secrets management
- ✅ Image scanning
- ✅ Network policies
- ✅ Pod security standards
Part 12 Summary
In this part, you learned:
- ✅ KVM/QEMU virtualization
- ✅ Docker fundamentals
- ✅ Docker advanced networking/storage
- ✅ Kubernetes basics
- ✅ Container security
Next Chapter
Chapter 61: HA Concepts and Design
Last Updated: February 2026