How to protect your containerized environment from attacks

Introduction

A Docker container packages an application together with a minimal userland on top of the host's kernel, and both the application and that userland can be attacked by malicious code. This shot covers the following topics:

  • Widespread attacks on Docker containers and Kubernetes clusters
  • How to secure your app in the container
  • Security tools, rules and policies
  • How to apply common security principles to prevent attacks

The examples use Docker and Kubernetes, as they are currently the most widely used container engine and orchestrator.

What attacks are Docker containers and Kubernetes clusters susceptible to?

Two of the most widespread attacks on Docker containers and Kubernetes clusters are described below.

1. Man-in-the-Middle attack

In a MITM attack, a malicious party inserts itself between the component that sends data and the component that receives it, so it can read or alter the traffic. In a cluster the interloper can be a rogue container, a Service that hijacks an IP address, a compromised proxy or middleware, or a person on the network path. For example:

  • CVE-2020-8554: a Kubernetes API server weakness. A user who is allowed to create a ClusterIP Service and set its spec.externalIPs field can intercept traffic destined for that IP anywhere in the cluster; a user who can patch the status of a LoadBalancer Service can do the same through status.loadBalancer.ingress.ip. It is a design issue rather than a bug with an upstream patch, so the mitigation is to restrict who may create or patch Services and to block externalIPs with an admission webhook or policy engine.
  • Siloscape: malware that targets Windows containers. It exploits known vulnerabilities in web servers and databases running inside a container, escapes to the node, and opens a backdoor into the whole Kubernetes cluster, exposing its sensitive data and its CPU, GPU, and other resources to the attacker.

2. Cryptojacking attack

A cryptojacking attack runs malicious code that uses the CPU, GPU, and memory of a compromised host or container to mine cryptocurrency. Containers with no CPU or memory limits are an attractive target because the miner can take over the whole host. For example:

How to secure Docker containers

1. Use the principle of least privilege

The principle of least privilege means that the process inside a container should not run as root. Create a dedicated unprivileged user and group in the image (or pin one with the --user flag at run time) and run the application as that user, giving it access only to the files and capabilities that this particular container needs.

You can go further and isolate containers with a user namespace (the Docker daemon's userns-remap setting), which maps root inside the container to an unprivileged UID on the host.

Below is an example of how to create the user and group.
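As an added example that is not part of the original shot, the script below builds the user and group into a Dockerfile and adds the check a CI pipeline needs: a Dockerfile whose last USER instruction still leaves the process as root is rejected. The image name "example-app", the account name "app" and the UID/GID 10001 are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original shot: a Dockerfile that creates a
# dedicated unprivileged user and group, plus a check that flags Dockerfiles
# whose last USER instruction still leaves the process as root. The image
# name "example-app", the account "app" and UID/GID 10001 are assumptions.
set -u

# Dockerfile with a system account (no password, no login shell) and a fixed
# UID/GID so the identity is stable across rebuilds and usable with --user.
render_dockerfile() {
  cat <<'EOF'
FROM debian:bookworm-slim
RUN groupadd -r -g 10001 app \
 && useradd -r -u 10001 -g app -s /usr/sbin/nologin app
WORKDIR /srv/app
COPY --chown=app:app . /srv/app
# Every instruction after this line, and the container's main process, runs as app.
USER app
CMD ["./run.sh"]
EOF
}

# Print the user an image runs as, judged from the last USER instruction of the
# Dockerfile on stdin. No USER instruction at all means root.
final_user() {
  awk 'toupper($1) == "USER" { u = $2 } END { print (u == "" ? "root" : u) }'
}

# True (exit 0) when the Dockerfile on stdin leaves the container running as root.
runs_as_root() {
  case "$(final_user)" in
    root|0|root:*|0:*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build and run, pinning the UID at run time as well and dropping every
# capability. Call this from a directory containing the application files.
build_and_run() {
  render_dockerfile | docker build -t example-app -f - .
  docker run --rm --user 10001:10001 --cap-drop=ALL example-app
}

# CI gate: refuse the build if the final user is root.
if render_dockerfile | runs_as_root; then
  echo "refusing to build: Dockerfile leaves the container running as root" >&2
else
  echo "ok: image runs as $(render_dockerfile | final_user)"
fi
```

The check reads only the last USER instruction on purpose: a Dockerfile that switches to app early and back to root for a final RUN is the common mistake, and that is exactly what final_user reports.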

You should use official, verified, and signed images. To see which signers have signed an image tag, use docker trust inspect. For example:

docker trust inspect --pretty google/apigee-mart-server:1.3.6

Docker Content Trust (DCT) provides the digital signatures behind this. Verification happens when an image is pulled, not while it runs: with DOCKER_CONTENT_TRUST=1 set in the environment, the Docker client refuses to pull or run a tag that has no valid signature, and docker push signs the tag it pushes. The signing is based on a set of keys (a root key, a per-repository key, and delegation keys for individual signers) that DCT generates the first time you push with it enabled.

2. Set up resource limits

Docker applies no memory or CPU limit by default, so set both for every container. This is a way to prevent denial of service, whether it comes from a bug or from cryptojacking code: a memory limit stops the container from consuming all of the host's memory, and a CPU limit caps how much processor time it can take.

Kubernetes offers the same controls per container through resources.requests and resources.limits in the pod spec.
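As an added example that is not part of the original shot, the script below starts a container with hard memory, CPU and process-count ceilings, audits running containers for missing limits using the two fields docker inspect reports as 0 when unset, and renders the equivalent Kubernetes resources stanza. The container and pod name "limited-app" and the specific sizes are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original shot: run a container with hard
# memory, CPU and process-count ceilings, audit a running container for
# missing limits, and the equivalent Kubernetes resources stanza. The
# container/pod name "limited-app" and the specific sizes are assumptions.
set -u

# Flags that cap one container. --memory-swap equal to --memory disables swap
# so the memory figure is a true ceiling; --pids-limit stops fork bombs.
limit_flags() {
  echo "--memory=256m --memory-swap=256m --cpus=0.5 --pids-limit=100"
}

# Takes the two integers printed by
#   docker inspect --format '{{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' <container>
# where 0 means "no limit". Prints each uncapped resource; returns 1 if any.
report_unlimited() {
  local mem="$1" nanocpus="$2" rc=0
  if [ "$mem" -eq 0 ]; then echo "memory: unlimited"; rc=1; fi
  if [ "$nanocpus" -eq 0 ]; then echo "cpu: unlimited"; rc=1; fi
  return "$rc"
}

# Audit every running container on the host; returns 1 if any is uncapped.
audit_running_containers() {
  local rc=0 name limits
  for name in $(docker ps --format '{{.Names}}'); do
    limits=$(docker inspect --format '{{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' "$name")
    echo "$name:"
    # shellcheck disable=SC2086
    report_unlimited $limits || rc=1
  done
  return "$rc"
}

# Kubernetes equivalent: requests drive scheduling, limits are enforced by the kubelet.
pod_with_limits() {
  cat <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: limited-app
spec:
  containers:
  - name: app
    image: nginx:1.25
    resources:
      requests:
        cpu: "250m"
        memory: "128Mi"
      limits:
        cpu: "500m"
        memory: "256Mi"
EOF
}

# Start a capped container and audit the host (needs a Docker daemon).
demo_docker() {
  # shellcheck disable=SC2046
  docker run -d --name limited-app $(limit_flags) nginx:1.25
  audit_running_containers
}

# Apply the Kubernetes equivalent (needs kubectl and a cluster).
demo_kubernetes() {
  pod_with_limits | kubectl apply -f -
}

# Dry run against constructed inspect output: 256 MiB memory limit, no CPU limit.
report_unlimited 268435456 0 || echo "would fail the audit"
```

A container that hits its memory limit is killed by the kernel's OOM killer and restarts (or not) according to its restart policy, which is the intended outcome: one misbehaving container dies instead of the host.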

3. Secure and understand Docker networking

To apply this principle you need to understand Docker's network drivers. The main ones are:

  • bridge
  • host
  • overlay

On the default bridge network every container can reach every other container's IP address, and a port you publish is reachable from outside the host. If you also configure a bridge or host network to accept traffic from any other containers or from external networks, you create a potential backdoor for an attack. Put containers that must talk to each other on their own user-defined bridge network, publish only the ports you need, and set the --icc=false flag on the Docker daemon to disable inter-container communication on the default bridge.

4. Add container security monitoring architecture

Security monitoring is essential for detecting malicious code and attacks on your containers. A proper monitoring tool lets you:

  1. Build a real-time dashboard of container metrics.
  2. Set up alerts that reach you via email, SMS, or your preferred chat platform.

For a single container, simple tools are enough: docker scan (the Snyk-based scanner that shipped with older Docker releases, since replaced by docker scout) checks one image for known vulnerabilities, and cAdvisor reports one host's per-container resource usage. For more complex scenarios, e.g., when you run 50+ containers in Kubernetes, you need a full monitoring stack such as:

  • Prometheus and Grafana.
    • Prometheus is a metrics system that “scrapes” metrics from exporters such as cAdvisor and the kubelet and stores them in its own time-series database (not in an external SQL or NoSQL store). Its Alertmanager component routes rule-based alerts to email, chat, or paging systems.
    • Grafana is a dashboarding framework that builds rich UI dashboards; they can be configured to query Prometheus directly.
  • Datadog is a commercial, all-in-one monitoring tool with logging and metrics subsystems fed by agents that run as sidecars or per-node daemons, plus an interactive UI.
  • Azure Monitor Log Analytics (Container Insights) monitors your containers on Azure Kubernetes Service and integrates with Azure Container Registry. It is a handy option if you run your container solution on Azure, as it is supported out of the box.

These are some of the most popular solutions. There are many others on the market worth mentioning, like Sysdig (https://sysdig.com/partners/docker/), Sematext (https://sematext.com/container-monitoring/), and Dynatrace (https://hub.docker.com/u/dynatrace). I prefer the combination of Prometheus (https://prometheus.io) + cAdvisor (https://github.com/google/cadvisor) + Grafana (https://grafana.com/).

  • Prometheus is a powerful, open-source option for collecting and alerting on CPU, GPU, memory, image, and other metrics.
  • cAdvisor exposes per-container resource usage (CPU, memory, network, filesystem) for Prometheus to scrape; it is a metrics source, not a vulnerability scanner.
  • Grafana is good at building dashboards and alerts and tying the data sources together.

I also use kube-bench, which checks a cluster's configuration against the CIS Kubernetes Benchmark rather than scanning for vulnerabilities; it adds a configuration-hardening layer to your cluster security monitoring. There are plenty of other security tools available for Kubernetes.
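As an added example that is not part of the original shot, here is the Prometheus + cAdvisor half of that stack as a script: the scrape configuration, two alert rules (a container approaching its memory limit, and a container that has pegged a CPU for 15 minutes, which is the signature of a miner), and the docker run commands that start cAdvisor, Prometheus and Grafana. Hostnames, ports, thresholds and the image tags are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original shot: Prometheus scraping cAdvisor with
# two alert rules, one for memory pressure and one for sustained CPU use (the
# cryptojacking signature). Hostnames, ports, thresholds and image tags are
# assumptions; pin the tags you have verified.
set -u

prometheus_config() {
  cat <<'EOF'
global:
  scrape_interval: 15s
rule_files:
  - container-rules.yml
scrape_configs:
  - job_name: cadvisor
    static_configs:
      - targets: ["cadvisor:8080"]
EOF
}

# cAdvisor labels Docker containers with id="/docker/<hash>" and name="<container name>".
# The CPU rate is absolute: 1 means one full core, so compare it with the
# container's --cpus value if you cap CPU.
container_rules() {
  cat <<'EOF'
groups:
- name: containers
  rules:
  - alert: ContainerNearMemoryLimit
    expr: |
      container_memory_working_set_bytes{id=~"/docker/.+"}
        / container_spec_memory_limit_bytes{id=~"/docker/.+"} > 0.9
    for: 5m
    labels:
      severity: warning
    annotations:
      summary: "container {{ $labels.name }} is above 90% of its memory limit"
  - alert: ContainerSustainedHighCpu
    expr: rate(container_cpu_usage_seconds_total{id=~"/docker/.+"}[5m]) > 0.9
    for: 15m
    labels:
      severity: critical
    annotations:
      summary: "container {{ $labels.name }} has pegged a CPU for 15 minutes; check for a miner"
EOF
}

# Names of the alerts defined above, handy for a smoke test in CI.
rule_names() { container_rules | awk '$2 == "alert:" { print $3 }'; }

# Write both files and validate them with promtool when it is installed.
write_and_check() {
  local dir="${1:-.}"
  prometheus_config > "$dir/prometheus.yml"
  container_rules > "$dir/container-rules.yml"
  if command -v promtool >/dev/null 2>&1; then
    promtool check rules "$dir/container-rules.yml"
    promtool check config "$dir/prometheus.yml"
  fi
}

# Start the stack on a Docker host; Grafana then uses http://prometheus:9090 as its data source.
start_stack() {
  docker network create monitoring 2>/dev/null || true
  docker run -d --name cadvisor --network monitoring \
    -v /:/rootfs:ro -v /var/run:/var/run:ro -v /sys:/sys:ro -v /var/lib/docker/:/var/lib/docker:ro \
    gcr.io/cadvisor/cadvisor:v0.47.2
  docker run -d --name prometheus --network monitoring -p 9090:9090 \
    -v "$PWD/prometheus.yml:/etc/prometheus/prometheus.yml:ro" \
    -v "$PWD/container-rules.yml:/etc/prometheus/container-rules.yml:ro" \
    prom/prometheus:v2.51.0
  docker run -d --name grafana --network monitoring -p 3000:3000 grafana/grafana:10.4.0
}

rule_names
```

Run write_and_check in the directory you will start the stack from, then start_stack; Alertmanager is the missing piece if you want the alerts delivered rather than only shown on the Prometheus alerts page.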

5. Avoid sensitive data in Docker Images

It is important to keep all sensitive data out of the image: a file copied into a layer stays in the image history even if a later layer deletes it, and values set with ENV or ARG are recorded in the image metadata and build history. Use one of the following options to manage secrets and other sensitive data instead.

  • Docker secrets (in Swarm mode) keep secrets outside the image and mount them into the container at run time; with BuildKit you can also mount a secret into a single build step without it being written to a layer.
  • If you run your containers in Kubernetes, use Secrets to hold passwords, certificates, and other sensitive data. Note that Secrets are only base64-encoded in etcd by default, so enable encryption at rest and restrict who can read them with RBAC.
  • Use cloud-specific stores for sensitive data (for example, Azure Key Vault or AWS Secrets Manager).
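As an added example that is not part of the original shot, the script below pairs a lint for the usual ways credentials leak into image layers with a Dockerfile that uses a BuildKit secret mount, so the credential is visible to one build step and never stored. The secret id "npmrc", the file paths and the image name are assumptions, and the two Dockerfiles are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example, not from the original shot: a lint for the common ways
# credentials end up in image layers, next to a Dockerfile that uses a BuildKit
# secret mount so the credential is available to one build step only. The
# secret id "npmrc", the file paths and the image name are assumptions.
set -u

# Reads a Dockerfile on stdin. Flags ENV/ARG instructions that carry a
# credential (both are recorded in image metadata and history) and COPY/ADD of
# well-known secret files (written into a layer, surviving later deletion).
# Prints one finding per line; returns 1 if there were any.
lint_secrets() {
  awk '
    { ins = toupper($1); line = toupper($0) }
    (ins == "ENV" || ins == "ARG") && line ~ /(PASSWORD|SECRET|TOKEN|API_KEY|PRIVATE_KEY)/ {
      print NR ": " $1 " carries a credential: " $0; bad++
    }
    (ins == "COPY" || ins == "ADD") && line ~ /(\.ENV|ID_RSA|\.NPMRC|\.AWS\/|\.PEM|\.KEY)/ {
      print NR ": " $1 " copies a secret file into a layer: " $0; bad++
    }
    END { exit (bad > 0) }'
}

# Constructed "before": the token sits in the image ENV and .npmrc in a layer.
leaky_dockerfile() {
  cat <<'EOF'
FROM node:20-slim
ARG NPM_TOKEN
ENV NPM_TOKEN=$NPM_TOKEN
COPY .npmrc /root/.npmrc
RUN npm ci --omit=dev
EOF
}

# "After": with BuildKit the file is mounted only during the RUN step and is
# never written to a layer or to the image metadata.
secure_dockerfile() {
  cat <<'EOF'
# syntax=docker/dockerfile:1
FROM node:20-slim
WORKDIR /app
COPY package.json package-lock.json ./
RUN --mount=type=secret,id=npmrc,target=/root/.npmrc npm ci --omit=dev
COPY . .
CMD ["node", "server.js"]
EOF
}

# Build with the secret supplied from outside the build context.
build_secure() {
  secure_dockerfile | DOCKER_BUILDKIT=1 docker build --secret id=npmrc,src="$HOME/.npmrc" -t app -f - .
}

# Pre-commit style usage: lint both Dockerfiles.
for df in leaky_dockerfile secure_dockerfile; do
  echo "== $df"
  "$df" | lint_secrets && echo "clean"
done
```

The lint is deliberately a coarse pattern match; it is meant to stop the obvious cases at commit time, with a proper scanner run on the built image as the second line.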

6. Involve vulnerability scanning tools

Vulnerability scanning tools help detect images that may have security holes. You can also integrate properly selected tools into the CI/CD process. The following are some scanning tools.

  • Dagda uses static analysis to find known vulnerabilities, trojans, viruses, and other malware in images. It combines vulnerability databases such as the CVE list and Red Hat Security Advisories (RHSA) with ClamAV for malware detection.
  • Trivy detects vulnerabilities with high accuracy in OS packages for Alpine Linux, RHEL/CentOS, Debian, Ubuntu, and others, as well as in application dependencies. It is powerful, open source, and free. You can run Trivy in standalone or client/server mode, so it fits easily into a CI/CD pipeline.
  • Clair performs static analysis of images that use the Open Container Initiative (OCI) image format. You can build your own services on the Clair API, and Clair matches image contents against CVE databases to detect vulnerabilities.
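As an added example that is not part of the original shot, here is a CI gate built around Trivy. Trivy can fail a build on its own with --exit-code; the severity_gate function applies an explicit policy (no CRITICAL findings, at most a small budget of HIGH ones) to a compact "ID SEVERITY" listing, so the threshold is visible in the pipeline rather than hidden in flags. The image name, the HIGH budget and the sample findings are assumptions; the sample IDs are placeholders, not real vulnerability identifiers.

```bash
#!/usr/bin/env bash
# Added example, not from the original shot: a CI gate around Trivy. The
# image name, the HIGH budget and the constructed sample findings are
# assumptions; "EXAMPLE-n" are placeholder IDs, not real vulnerabilities.
set -u

IMAGE="${IMAGE:-registry.example.com/app:1.2.3}"
MAX_HIGH="${MAX_HIGH:-5}"

# One "VULN-ID SEVERITY" line per finding, via Trivy's Go-template output.
list_findings() {
  trivy image --ignore-unfixed --format template \
    --template '{{ range . }}{{ range .Vulnerabilities }}{{ .VulnerabilityID }} {{ .Severity }}{{ "\n" }}{{ end }}{{ end }}' \
    "$IMAGE"
}

# Policy over "ID SEVERITY" lines on stdin. Prints counts; returns 1 on breach.
severity_gate() {
  awk -v max_high="$MAX_HIGH" '
    $2 == "CRITICAL" { crit++ }
    $2 == "HIGH"     { high++ }
    END {
      printf "critical=%d high=%d (budget %d)\n", crit, high, max_high
      if (crit > 0 || high > max_high) exit 1
    }'
}

# Pipeline step: Trivy's own gate on CRITICAL, then the explicit HIGH budget.
ci_scan() {
  trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed "$IMAGE" || return 1
  list_findings | severity_gate
}

# Constructed sample, shaped like list_findings output, to exercise the gate offline.
sample_findings() {
  printf '%s\n' "EXAMPLE-1 HIGH" "EXAMPLE-2 MEDIUM" "EXAMPLE-3 HIGH" "EXAMPLE-4 LOW"
}

sample_findings | severity_gate && echo "sample passes the gate"
```

--ignore-unfixed keeps the gate actionable: a finding with no fixed package version cannot be resolved by rebuilding, so it is reported but does not block the pipeline.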

7. Use secured Docker registries

To protect your images, you can create an additional security layer and use images from protected registries, such as:

  • Harbor, an open-source registry with integrated vulnerability scanning and security policies (for example, blocking pulls of images with known vulnerabilities) that apply to Docker artifacts.
  • Quay, an image registry from Red Hat that scans your images for vulnerabilities. Quay also offers a standalone version that you can install and run internally in your organization. Below, you can see how it scans for vulnerabilities.

What if you are already using other registries, like Azure Container Registry or Docker Hub? You can find how to do this in the Containers Trend Report article.

How to secure Kubernetes

The main Kubernetes security rules are listed below.

Networking and network policies

The Kubernetes networking model gives every pod its own IP address and, by default, lets any pod talk to any other pod. Understanding it helps you set up proper communication between pods and prevent unintended open ports or direct access to the nodes. NetworkPolicy objects are the tool for constraining that communication.

Secure Ingress and Egress traffic to your pod

Network Policies apply here too. A sound strategy is to deny all ingress and egress traffic by default and then open only the paths each workload needs. You can also use a service mesh like Istio, which adds mutual TLS between services, traffic management, and observability. Be aware, however, that a service mesh adds considerable complexity of its own.

Transport Layer Security

Enable TLS wherever it is not already on. TLS should be used for all communication between Kubernetes cluster components (API server, etcd, kubelet) and between your own services.

Use RBAC

Use RBAC and follow the principle of least privilege: bind each ServiceAccount and user to a Role or ClusterRole that grants only the verbs and resources it needs, and avoid wildcard rules and bindings to cluster-admin.
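As an added example that is not part of the original shot, the script below defines a minimal read-only Role for a ServiceAccount, an over-broad counterpart for comparison, a lint that flags the two patterns that most often grant far more than intended (wildcards and bindings to cluster-admin), and the kubectl auth can-i calls that confirm the result. The namespace "app" and the account and role names are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original shot: least-privilege RBAC for a
# ServiceAccount, an over-broad counterpart, and a lint for wildcard grants
# and cluster-admin bindings. Namespace and names are assumptions.
set -u

# Read-only access to pods in one namespace, bound to one ServiceAccount.
reader_rbac() {
  cat <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  name: pod-reader
  namespace: app
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: pod-reader
  namespace: app
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: pod-reader
  namespace: app
subjects:
- kind: ServiceAccount
  name: pod-reader
  namespace: app
roleRef:
  kind: Role
  name: pod-reader
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Constructed "what not to do": wildcards everywhere and a CI account made cluster-admin.
overbroad_rbac() {
  cat <<'EOF'
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: do-everything
rules:
- apiGroups: ["*"]
  resources: ["*"]
  verbs: ["*"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: ci-is-admin
subjects:
- kind: ServiceAccount
  name: ci
  namespace: ci
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
}

# Lint RBAC manifests on stdin. Prints one finding per line; returns 1 if any.
# Tracks whether we are inside a roleRef block so "name: cluster-admin" there
# is reported while a role's own metadata name is not.
lint_rbac() {
  awk '
    /^ *(- *)?(verbs|resources|apiGroups): *\[.*"\*"/ { print NR ": wildcard grant: " $0; bad++ }
    inref && /^ *name: *cluster-admin *$/              { print NR ": binding to cluster-admin"; bad++ }
    /^ *roleRef:/                                      { inref = 1; next }
    /^[a-zA-Z]/                                        { inref = 0 }
    END { exit (bad > 0) }'
}

# Apply and check what the account can and cannot do (needs kubectl and a cluster).
verify_reader() {
  reader_rbac | kubectl apply -f -
  kubectl auth can-i list pods -n app --as=system:serviceaccount:app:pod-reader
  kubectl auth can-i delete pods -n app --as=system:serviceaccount:app:pod-reader || echo "delete correctly denied"
}

for m in reader_rbac overbroad_rbac; do
  echo "== $m"
  "$m" | lint_rbac && echo "clean"
done
```

kubectl auth can-i with --as is the quickest way to prove a binding does what you think before a workload depends on it; it exits non-zero for "no", which makes it usable in a pipeline.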

Restrict access to Kubelet

Enable authentication and authorization on the kubelet (run it with --anonymous-auth=false and --authorization-mode=Webhook, so that every request is authenticated and checked against the API server), since only the API server and cluster admins should be able to reach the kubelet API.

Restrict access to Kubernetes dashboard

Finally, restrict access to the Kubernetes Dashboard: do not expose it to the internet, require authentication, and do not grant its ServiceAccount cluster-admin rights.

The security principles from the Docker container section of this shot (least privilege, resource limits, no secrets in images, image scanning) apply to workloads running in Kubernetes as well.

Detect Kubernetes configuration and security issues

Use the following tools to find security and misconfiguration issues in Kubernetes.

Conclusion

Security is a critical and complex topic, especially in the Docker and Kubernetes world. This article contains important recommendations to take into account.

Find more information about Containers Trends in the Containers Trend Report.
