The Docker container itself is a small OS that may susceptible to attack by malicious code. This shot incorporates the following topics:
I recommend the use of Docker and Kubernetes as they are two of the current leaders in container engines and orchestration.
Two of the most widespread attacks on Docker containers and Kubernetes clusters are described below.
The MITM attack is widespread in Kubernetes and Docker. This attack includes malicious parts between the component that sends data and the component that receives this data. The attack can take the form of a fake container, service, middleware, or even a person. For example:
A cryptojacking attack allows an attacker to run malicious code to use the CPU, GPU, and memory of the PC for mining cryptocurrencies. For example:
The principle of least privilege means that you should not use admin users to execute containers. This will help if you create users with admin access and only operate with this particular container. You can also make groups and add users there.
Read more about how to isolate containers with a user namespace.
Below is an example of how to create the user and group.
You should use official verified and signed images. To find and check images, you can use Docker trust inspect.
For example, docker trust inspect — pretty google/apigee-mart-server:1.3.6.
Docker Content Trust (DCT) can help with digital signatures. It allows for the verification of images and publishers during runtime. This process is based on Docker Content Trust Keys, which generates several keys during the first interaction with DCT.
You should set up Memory and CPU limits for your Docker container because it does not have this option by default. This principle is a way to prevent DoS attacks. For example, you can set up a memory limit to prevent your container from consuming all memory. The same applies to CPU limits.
There is also an option to set up resource limits on a Kubernetes level. We will cover this below.
This principle is essential to understanding Docker’s networking principles. It will help if we understand what Docker Network Drivers are. These include:
By default, one container network stack does not have access to another container. However, if you configure bridge or host to accept traffic from any other containers or external networks, you can create a potential security backdoor for an attack. You can also just use set flag (— icc=false
) within the Docker daemon to disable inter-container communication.
Security monitoring is essential for the detection of malicious code and attacks on your containers.
With a proper monitoring tool, you should be able to detect issues.
The tool will allow you to:
To find the vulnerability in Docker containers, you can use:
docker scan command
Docker scan or CAdvisor are simple solutions that apply to only one particular container. For more
These are some of the most popular solutions. However, there are many others in the market worth mentioning, like
, Sysdig https://sysdig.com/partners/docker/ , and Sematext https://sematext.com/container-monitoring/ . However, I prefer to use the combination of Dynatrace https://hub.docker.com/u/dynatrace + Prometheus https://prometheus.io + CAdvisor https://github.com/google/cadvisor . Grafana https://grafana.com/
I also use the security tool Kube-bench that only covers vulnerability scanning. The Kubebench brings an additional layer to your cluster security monitoring. There are plenty of security tools available for Kubernetes.
It is important to remove all sensitive data from the container. You can use different options to manage your secrets and other sensitive data (discussed below).
Vulnerability scanning tools help detect images that may have security holes. You can also integrate properly selected tools into the CI/CD process. The following are some scanning tools.
To protect your images, you can create an additional security layer and use images from protected registries, such as:
What if you are already using other registries, like Azure Container Registry or Docker Hub? You can find how to do this in the Containers Tend Report article.
The main Kubernetes security rules are listed below.
Networking and network policies help us to understand how the Kubernetes networking model works. This will help to set up proper network communication between pods and pretend to create open ports or direct access to the nodes. The Network Policy also helps you to organize this communication.
Here, you can also use Network Policies. You can use a strategy to deny all Egress and Ingress traffic and then start to open. You can also use a service mesh like Istio. This adds additional service layers, automates traffic, and helps with monitoring. However, it is important that you are careful to use the service mesh to add additional complexity.
You should enable TLS if it is not opened. TLS should be used for communication between Kubernetes cluster services.
Use RBAC and follow the principle of least privilege.
You should enable authentication and authorization to use this tool as only admins should have access to Kubelet.
Finally, you should also restrict access to the Kubernetes Dashboard.
These security principles that are mentioned in the Docker container section of this shot.
Use the following tools to find security and misconfiguration in Kubernetes.
Security is a critical and complex topic, especially in the Docker and Kubernetes world. This article contains important recommendations to take into account.
Find more information about Containers Trends in the Containers Trend Report.
Free Resources