Container Security

Build Security

# GOOD: Security-conscious Dockerfile

# Pin to digest
FROM node:20-alpine@sha256:abc123... AS builder

# Don't run as root
RUN addgroup -g 1001 -S app && adduser -u 1001 -S app -G app

# Copy only what's needed (after .dockerignore)
COPY package*.json ./
RUN npm ci --only=production

COPY --chown=app:app . .

# Use non-root user
USER app

# Don't expose unnecessary ports
EXPOSE 3000

# Use exec form (not shell form) for proper signal handling
CMD ["node", "server.js"]

Dockerfile Rules

Secret Handling in Builds

1. NEVER put secrets in ENV, ARG, or COPY — they persist in image layers
2. Use Docker BuildKit secrets: RUN --mount=type=secret,id=mysecret ...
3. For CI/CD: inject secrets at runtime via environment variables or volume mounts
4. Scan built images for accidentally included secrets (tools: trufflehog, gitleaks)

Runtime Security

Container Runtime Configuration

1. Read-only root filesystem: --read-only — prevents runtime modification of the container
   • Mount writable volumes only for specific directories that need writes (/tmp, /var/log)
2. Drop all capabilities, add back only what's needed:

   securityContext:
     capabilities:
       drop: ["ALL"]
       add: ["NET_BIND_SERVICE"]  # Only if needed
   

3. No privilege escalation: allowPrivilegeEscalation: false
4. Non-root enforcement: runAsNonRoot: true + runAsUser: 1001
5. Seccomp profile: use RuntimeDefault at minimum

   securityContext:
     seccompProfile:
       type: RuntimeDefault
   

What NEVER to Allow

Image Scanning and Supply Chain

CI Pipeline Security

1. Scan images in CI BEFORE push — don't let vulnerable images reach the registry
2. Tools (pick one): Trivy (free, fast), Snyk Container, Grype
3. Set severity threshold: block on Critical + High, warn on Medium
4. Scan both the base image AND application dependencies
5. Re-scan existing images weekly — new CVEs are discovered constantly

Supply Chain Security

1. Use a private registry — never pull directly from Docker Hub in production
2. Enable content trust / image signing (Cosign, Docker Content Trust, Notation)
3. Implement admission control to block unsigned or unscanned images:

   # Kyverno policy example
   apiVersion: kyverno.io/v1
   kind: ClusterPolicy
   metadata:
     name: require-image-digest
   spec:
     rules:
       - name: check-digest
         match:
           resources:
             kinds: ["Pod"]
         validate:
           message: "Images must use digests, not tags"
           pattern:
             spec:
               containers:
                 - image: "*@sha256:*"
   

4. SBOM generation (Software Bill of Materials): generate for every production image
5. Keep base images updated — automate with tools like Renovate or Dependabot

Network Security for Containers

Container Network Rules

1. Default deny all ingress AND egress — then explicitly allow
2. Containers should ONLY communicate with services they depend on
3. Use TLS for all inter-service communication — even inside the cluster
4. DNS resolution: use internal DNS, not hardcoded IPs
5. Rate limiting on exposed endpoints — containers can be overwhelmed just like VMs

Egress Control

1. Restrict outbound traffic to known destinations — prevents data exfiltration
2. Block all egress by default, allow specific CIDR ranges + DNS
3. Log egress connections — unusual outbound traffic = potential compromise indicator

Incident Response Checklist

If a container is suspected compromised:

1. Don't delete it — preserve for forensics
2. Isolate: apply NetworkPolicy to block all traffic to/from the pod
3. Capture state: kubectl logs, kubectl describe pod, container filesystem
4. Check: was the image modified? Compare digest to known-good
5. Review: what ServiceAccount was attached? What could it access?
6. Rotate: any secrets the container had access to are now potentially compromised
7. Rebuild: deploy from a known-good image, don't "fix" the compromised container