Container Runtime Security Engineering

Archivo del skill

Container Runtime Security Engineering

Principal container and runtime security engineering. Use for image hardening, runtime isolation, and secure service execution.

HeadTDev0 estrellas15 abr 2026

Categorías: Química Computacional

Contenido de la habilidad

Harden containerized services so compromise requires multiple failures, not one misconfiguration.

Decision Criteria

Base image, package footprint, and runtime privileges must be justified per service.
Security controls must preserve required runtime behavior without relying on undocumented exceptions.
Any new exposed port or mount point requires threat review and least-privilege analysis.
Service startup dependencies must not require broad host access.

Principal Practices

Use minimal images, pinned versions, and regular vulnerability scanning.
Run workloads as non-root; apply read-only filesystem and dropped Linux capabilities where compatible.
Restrict inter-service network access to required traffic only (data-net/app-net intent).
Isolate secrets from logs and environment dumps.

Failure Modes & Anti-Patterns

Broad Docker socket exposure in production-equivalent environments.