Container Security
Chapter 61: Container Security
Section titled “Chapter 61: Container Security”Overview
Section titled “Overview”This chapter covers container security best practices.
Why This Matters in DevOps/SRE
Section titled “Why This Matters in DevOps/SRE”Container security is critical - containers share the host kernel and can be a vector for attacks. A single vulnerable container can compromise the entire host and other containers.
┌─────────────────────────────────────────────────────────────────────────────┐│ CONTAINER SECURITY IN DEVOPS │├─────────────────────────────────────────────────────────────────────────────┤│ ││ ┌─────────────────────────────────────────────────────────────────────┐ ││ │ SECURITY LAYERS │ ││ │ │ ││ │ • Image Security - Scan for vulnerabilities, use minimal images │ ││ │ • Runtime Security - Run as non-root, limit capabilities │ ││ │ • Network Security - Network policies, segmentation │ ││ │ • Secrets Management - Never store secrets in images │ ││ │ • Pod Security - Security contexts, admission controllers │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────────┘ ││ ││ ┌─────────────────────────────────────────────────────────────────────┐ ││ │ COMMON THREATS │ ││ │ │ ││ │ • Image vulnerabilities - Outdated base images with CVEs │ ││ │ • Privilege escalation - Container breaks out to host │ ││ │ • Secrets exposure - Credentials in image layers │ ││ │ • Supply chain attacks - Compromised registries │ ││ │ • Resource exhaustion - DoS via container │ ││ │ │ ││ └─────────────────────────────────────────────────────────────────────┘ ││ │└─────────────────────────────────────────────────────────────────────────────┘61.1 Container Security Principles
Section titled “61.1 Container Security Principles”Defense in Depth
Section titled “Defense in Depth” Container Security Layers+------------------------------------------------------------------+| || 1. Registry Security || - Use trusted images || - Scan for vulnerabilities || - Sign images || || 2. Image Security || - Minimal base images || - No secrets in images || - Multi-stage builds || || 3. Runtime Security || - Drop capabilities || - Run as non-root || - Resource limits || - Network isolation || || 4. Orchestration Security || - RBAC || - Network policies || - Pod security policies || |+------------------------------------------------------------------+61.2 Image Security
Section titled “61.2 Image Security”Best Practices
Section titled “Best Practices”# Use specific tagsFROM nginx:1.24
# Don't run as rootUSER nginx
# Use read-only filesystem# docker run --read-only nginx
# Remove unnecessary packagesRUN apt-get clean && rm -rf /var/lib/apt/lists/*61.3 Runtime Security
Section titled “61.3 Runtime Security”Container Hardening
Section titled “Container Hardening”# Don't run privilegeddocker run --privileged nginx # AVOID
# Drop capabilitiesdocker run --cap-drop=all --cap-add=NET_BIND_SERVICE nginx
# User namespace remapping# /etc/docker/daemon.json{ "userns-remap": "default"}
# seccomp profiledocker run --security-opt seccomp=default.json nginx
# AppArmor profiledocker run --security-opt apparmor=docker-default nginx61.4 Secrets Management
Section titled “61.4 Secrets Management”Docker Secrets
Section titled “Docker Secrets”# Create secretecho "password" | docker secret create db_password -
# Use in servicedocker service create --secret db_password nginxKubernetes Secrets
Section titled “Kubernetes Secrets”# Use secret as env varenv: - name: DB_PASSWORD valueFrom: secretKeyRef: name: db-secret key: password61.5 Scanning Images
Section titled “61.5 Scanning Images”# Trivytrivy image nginx:latesttrivy image --severity HIGH,CRITICAL nginx:latest
# Clairclair-scanner nginx:latest
# Anchoreanchore-cli image add nginx:latestanchore-cli image vuln nginx:latest61.6 Network Policies
Section titled “61.6 Network Policies”Kubernetes Network Policy
Section titled “Kubernetes Network Policy”apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata: name: allow-nginxspec: podSelector: matchLabels: app: nginx policyTypes: - Ingress - Egress ingress: - from: - podSelector: matchLabels: app: client egress: - to: - podSelector: matchLabels: app: database61.7 Pod Security
Section titled “61.7 Pod Security”Pod Security Standards
Section titled “Pod Security Standards”securityContext: runAsNonRoot: true runAsUser: 1000 fsGroup: 2000 seccompProfile: type: RuntimeDefault
# CapabilitiessecurityContext: capabilities: drop: - ALL add: - NET_BIND_SERVICECommon Mistakes & Anti-Patterns
Section titled “Common Mistakes & Anti-Patterns”1. Running as Root
Section titled “1. Running as Root”WRONG:
FROM ubuntu# Runs as root by defaultCMD ["/bin/sh"]CORRECT:
FROM ubuntuRUN useradd -m appuserUSER appuserCMD ["/bin/sh"]Why: Root in container = root on host if container escapes.
2. Not Scanning Images
Section titled “2. Not Scanning Images”WRONG:
# Pull and run any imagedocker pull random-user/myappdocker run random-user/myappCORRECT:
# Scan before runningdocker scan myapp:latesttrivy image myapp:latest
# Use only signed imagesdocker trust key generate myappdocker pull myapp:latestWhy: Unscanned images may have critical vulnerabilities.
3. Storing Secrets in Images
Section titled “3. Storing Secrets in Images”WRONG:
FROM node:18COPY . .ENV API_KEY=secret123 # Bad!RUN echo password > /app/secret # Bad!CORRECT:
FROM node:18COPY . .# Use runtime secrets, not build-time# Docker Swarm: --secret# Kubernetes: Secrets volume# Or env vars from outsideWhy: Secrets in images persist in layers, accessible to anyone who pulls image.
4. Using Privileged Containers
Section titled “4. Using Privileged Containers”WRONG:
# Full host accessdocker run --privileged myapp# ORdocker run --cap-add ALL myappCORRECT:
# Minimal capabilitiesdocker run \ --cap-drop ALL \ --cap-add NET_BIND_SERVICE \ --read-only \ myappWhy: Privileged containers can access all host devices - huge attack surface.
5. No Network Segmentation
Section titled “5. No Network Segmentation”WRONG:
# All pods can talk to all podskind: Podspec: containers: - name: app image: myappCORRECT:
apiVersion: networking.k8s.io/v1kind: NetworkPolicymetadata: name: deny-allspec: podSelector: {} policyTypes: - Ingress - EgressWhy: Default-allow network is risky; implement zero-trust networking.
Summary
Section titled “Summary”In this chapter, you learned:
- ✅ Container security principles
- ✅ Image security best practices
- ✅ Runtime security hardening
- ✅ Secrets management
- ✅ Image scanning
- ✅ Network policies
- ✅ Pod security standards
Part 12 Summary
Section titled “Part 12 Summary”In this part, you learned:
- ✅ KVM/QEMU virtualization
- ✅ Docker fundamentals
- ✅ Docker advanced networking/storage
- ✅ Kubernetes basics
- ✅ Container security
Next Chapter
Section titled “Next Chapter”Chapter 61: HA Concepts and Design
Last Updated: February 2026