How to Secure Docker Containers

Docker containers change the security model of your workloads. They let you break an application into much smaller, loosely coupled components, each running in its own namespaces and cgroups with a significantly reduced attack surface. That boundary is weaker than a virtual machine's, though: every container on a host shares the host kernel, so a kernel vulnerability or a loose container configuration can reach the host in a way a VM escape normally cannot.

Used well, containers restrict the number of opportunities an attacker has to exploit your systems and make it harder for a breach to spread from one component to the next.

But regardless of the protection Docker does offer, you still need to understand the security pitfalls of the technology and follow best practices to safeguard your containerized systems.

Much of this is the same work you already do for VM-based workloads: monitoring container activity, limiting the resources each container can consume, keeping to good application design practices, patching vulnerabilities, and making sure credentials never end up in your Docker images.


You will also need to take security measures that are specific to Docker deployments. The following is a list of essential steps for securing applications hosted on the container platform.

1: Set Resource Quotas

One thing Docker makes easy is configuring resource quotas per container. Quotas limit the memory, CPU time and number of processes a container can consume (the --memory, --cpus and --pids-limit flags of docker run).

This is useful for several reasons. It keeps your Docker environment efficient and prevents one container or application from hogging host resources. It also improves security: a compromised container cannot consume enough memory, CPU or process slots to disrupt other services (a fork bomb, for instance, stops at the PID limit) or to run resource-hungry malicious workloads.

Resource quotas are set with command-line flags. One caveat: a memory limit alone still lets the container use as much swap again as its memory limit unless --memory-swap is set to the same value as --memory. For full details, see the Docker documentation.
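The following shell script is an added example, not code from the original page. It wraps docker run with hard memory, CPU and PID quotas, reads back what the daemon actually recorded in the container's HostConfig, and audits running containers for missing limits. It assumes a local Docker CLI; setting DOCKER=echo prints the commands instead of running them. The container name, the image and the limit values are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original page: start a container under
# hard resource quotas and check what the daemon actually applied.
# Assumes a local Docker CLI; set DOCKER=echo to print commands instead of
# running them. Container names, the image and the limit values are illustrative.
set -e
DOCKER=${DOCKER:-docker}

# Start NAME from IMAGE with memory, CPU and process quotas.
# --memory-swap equal to --memory disables swap for the container; without it
# the container may use as much swap again as its memory limit.
# --pids-limit caps the number of processes, which stops fork bombs cold.
run_limited() {
  name=$1; image=$2; shift 2
  $DOCKER run --detach --name "$name" \
    --memory 512m --memory-swap 512m \
    --cpus 1.0 \
    --pids-limit 256 \
    "$@" "$image"
}

# Print "<memory bytes> <nano-CPUs>" as recorded in the container's HostConfig.
# Both are 0 when no limit was set.
inspect_limits() {
  $DOCKER inspect --format '{{.HostConfig.Memory}} {{.HostConfig.NanoCpus}}' "$1"
}

# Judge a "<memory bytes> <nano-CPUs>" pair: prints "ok" when both limits are
# present, otherwise the names of the missing limits.
judge_limits() {
  mem=$1; cpu=$2
  missing=""
  [ "$mem" -gt 0 ] || missing="$missing unlimited-memory"
  [ "$cpu" -gt 0 ] || missing="$missing unlimited-cpu"
  if [ -z "$missing" ]; then echo ok; else echo "${missing# }"; fi
}

# Audit every running container and report the ones that can eat the host.
audit_running() {
  for c in $($DOCKER ps --format '{{.Names}}'); do
    verdict=$(judge_limits $(inspect_limits "$c"))
    [ "$verdict" = ok ] || echo "$c: $verdict"
  done
}
```

Run it as `run_limited app registry.example/app:1.0` followed by `audit_running` on the host; the audit reads the limits from the daemon rather than trusting the command you typed, so it also catches containers started by other people or tooling without quotas.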

2: Don’t Run as Root

We’ve all been there: You are tired, and you don’t want to fight with permission settings in order to get an application to work properly. So you just run it as root so that you don’t have to worry about permission restrictions.

That might be OK to do in a Docker testing environment if you’re learning how to use Docker for the first time. But in production, there is almost never a good reason to let a Docker container run with root permissions.

Docker does not help you here by default: unless the image sets a USER instruction, or you pass --user to docker run, processes inside the container run as root (UID 0). Root in a container is still constrained by namespaces, dropped capabilities and seccomp, but a container escape or a misconfiguration such as a mounted host path or the Docker socket turns that root into root on the host. So build images that create a dedicated unprivileged user and switch to it, run with --user in production, and consider Docker's user-namespace remapping (the userns-remap daemon option) or rootless mode, which map even UID 0 inside the container to an unprivileged host UID.

If you orchestrate your containers with Kubernetes, you can refuse to start containers as root even when an admin tries to do so manually: set runAsNonRoot: true in the pod or container securityContext, and enforce it cluster-wide with the Pod Security Admission restricted profile. (The PodSecurityPolicy object that carried the MustRunAsNonRoot rule was removed in Kubernetes 1.25.) Note that runAsNonRoot can only be verified when the image's USER is numeric or runAsUser supplies a numeric UID; an image that sets its user by name alone fails to start.
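Putting the Docker side of this into practice, the following shell script is an added example and not code from the original page. It writes a Dockerfile that creates a fixed unprivileged UID and switches to it, runs the container with the user forced and privileges stripped, and classifies the user recorded in docker inspect, including the case of a named user that cannot be verified numerically (the same case Kubernetes' runAsNonRoot rejects). It assumes a local Docker CLI (DOCKER=echo dry-runs the docker calls); the UID 10001, the paths and the image names are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original page: build an image that drops to
# a fixed unprivileged UID, run it with privileges stripped, and classify how a
# container's user is configured. Assumes a local Docker CLI (DOCKER=echo
# dry-runs the docker calls); UID 10001, paths and image names are illustrative.
set -e
DOCKER=${DOCKER:-docker}

# Write a Dockerfile to PATH that creates a dedicated user and switches to it.
# The USER instruction uses a numeric UID:GID on purpose: a runtime (or the
# Kubernetes runAsNonRoot check) can verify a number, but not a name it would
# have to resolve inside the image.
write_nonroot_dockerfile() {
  cat > "$1" <<'EOF'
FROM debian:bookworm-slim
RUN groupadd --gid 10001 app \
 && useradd --uid 10001 --gid 10001 --no-create-home --shell /usr/sbin/nologin app
COPY --chown=10001:10001 app/ /srv/app/
USER 10001:10001
WORKDIR /srv/app
ENTRYPOINT ["/srv/app/server"]
EOF
}

# Run NAME from IMAGE as the unprivileged user even if the image forgot USER,
# with every capability dropped, privilege escalation (setuid binaries, file
# capabilities) blocked, and a read-only root filesystem plus a scratch tmpfs.
run_nonroot() {
  name=$1; image=$2; shift 2
  $DOCKER run --detach --name "$name" \
    --user 10001:10001 \
    --cap-drop ALL \
    --security-opt no-new-privileges:true \
    --read-only --tmpfs /tmp \
    "$@" "$image"
}

# Classify a {{.Config.User}} value from docker inspect. Docker's default is an
# empty string, which means root. A numeric UID can be judged; a bare name
# cannot without the image's /etc/passwd, so it is reported as unresolved.
classify_user() {
  case "$1" in
    ""|0|root|0:*|root:*) echo root ;;
    [0-9]*) echo nonroot ;;
    *) echo unresolved ;;
  esac
}

# Report the effective user configuration of a running container.
container_user() {
  classify_user "$($DOCKER inspect --format '{{.Config.User}}' "$1")"
}
```

The deliberate choice is the numeric UID in both the Dockerfile and the --user flag: a name such as "app" looks fine in a build but leaves every downstream admission check unable to prove the process is not root.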

3: Secure Your Container Registries

Container registries are part of the reason Docker is so powerful. They make it easy to set up a central repository from which you can download container images with a few keystrokes.

However, the ease and convenience of container registries become a security risk if you fail to evaluate the security posture of the registry you use. Ideally, run a private registry, such as Docker Trusted Registry (now Mirantis Secure Registry), behind your own firewall to mitigate the risk of breaches from the Internet.

Even if the registry is reachable only from behind the firewall, resist the temptation to let anyone upload or download images at will. Use role-based access control to define explicitly who can push and pull which repositories, and deny everyone else. It can be tempting to leave the registry open to avoid configuring a new role each time someone needs access, but that inconvenience is worth it if it prevents a compromised or poisoned image from landing in your registry.

4: Use Trusted, Secure Images

Speaking of registries, you should also make sure that the container images you pull come from a trusted source. This may seem obvious, but with so many publicly available images a few keystrokes away, it is easy to pull one by accident from a source that is neither verified nor trusted.

For this reason, consider restricting pulls to an allow-list of registries. Note that Docker Hub itself hosts images from anyone; only Docker Official Images and Verified Publisher content are curated, so an allow-list should name those namespaces rather than the whole of Docker Hub. Pin the images you do trust by digest, since a tag can be repointed at different content after you reviewed it.

You can also use image scanning tools to identify known vulnerabilities in Docker images. Most enterprise container registries have built-in scanning. Some scanners, like Clair, can also be run separately from a registry to scan individual images.
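As an added example (not code from the original page), the following shell script enforces the two policies just described before an image is pulled: the reference must resolve to an allow-listed registry namespace, and it must be pinned to a sha256 digest. It applies Docker's own rules for deciding which part of a reference is the registry and for mapping bare Docker Hub names such as nginx to the library/ namespace of Official Images. It assumes a local Docker CLI (DOCKER=echo dry-runs it); the allow-list entries and image names are illustrative.

```sh
#!/bin/sh
# Added example, not code from the original page: admit an image reference only
# if it comes from an allow-listed registry namespace and is pinned to a digest.
# Assumes a local Docker CLI (DOCKER=echo dry-runs it); the allow-list entries
# and the image names are illustrative.
set -e
DOCKER=${DOCKER:-docker}

# Allowed prefixes of canonical references. "docker.io/library/" is Docker Hub's
# Official Images namespace; everything else on Docker Hub is denied.
ALLOWED_PREFIXES="docker.io/library/ registry.internal.example/"

# Registry of REF, following Docker's rule: the first path component is a
# registry only if it contains '.' or ':' or is "localhost"; otherwise Docker Hub.
registry_of() {
  case "$1" in
    */*)
      first=${1%%/*}
      case "$first" in
        *.*|*:*|localhost) echo "$first"; return ;;
      esac ;;
  esac
  echo docker.io
}

# Canonical form "registry/namespace/name...": Docker Hub references without a
# namespace (nginx:1.25) are Official Images and live under library/.
canonical_ref() {
  reg=$(registry_of "$1")
  case "$1" in
    "$reg"/*) path=${1#"$reg"/} ;;
    *) path=$1 ;;
  esac
  case "$reg/$path" in
    docker.io/*/*) ;;
    docker.io/*) path=library/$path ;;
  esac
  echo "$reg/$path"
}

# Prints "ok", "denied" (namespace not allowed) or "unpinned" (no sha256 digest,
# so the tag could be repointed at other content after review).
check_ref() {
  canon=$(canonical_ref "$1")
  allowed=no
  for p in $ALLOWED_PREFIXES; do
    case "$canon" in "$p"*) allowed=yes ;; esac
  done
  if [ "$allowed" = no ]; then echo denied; return; fi
  if printf '%s\n' "$canon" | grep -Eq '@sha256:[0-9a-f]{64}$'; then
    echo ok
  else
    echo unpinned
  fi
}

# Pull REF only if it passes policy; fail with the reason otherwise.
pull_checked() {
  verdict=$(check_ref "$1")
  if [ "$verdict" != ok ]; then
    echo "refusing $1: $verdict" >&2
    return 1
  fi
  $DOCKER pull "$1"
}
```

Wire pull_checked into the build and deploy scripts that currently call docker pull directly; an unpinned reference then fails the pipeline instead of silently pulling whatever the tag points at today.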

5: Identify the Source of Your Code

Keep in mind that Docker images typically contain a mixture of original code and packages from upstream sources. So even if the specific image you download comes from a trusted registry, it can incorporate packages from other, less trustworthy sources. To complicate matters further, those packages may themselves be built from code drawn from multiple sources, including third-party open-source repositories, and the origin of that code is not always clear from looking at the package itself.

In this context, source code analysis tools are useful. By downloading the sources of all packages in your Docker images and scanning them to identify where the code originated, you can determine whether any code incorporated into your container images carries known security vulnerabilities. As an added benefit, source code analysis helps you stay compliant with licensing requirements for third-party code, which can apply to you even when the packages you use do not mention other licenses.
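The first step of that analysis is knowing what is actually inside an image and which upstream project each piece came from. The following shell script is an added example, not code from the original page: it reads the package inventory straight from a Debian or Ubuntu based image's own dpkg database and groups the binary packages by the source package they were built from, which is the name you would search in a vulnerability database or fetch sources for. It assumes a local Docker CLI; the sample inventory embedded in it is constructed, not taken from a real image.

```sh
#!/bin/sh
# Added example, not code from the original page: inventory the packages in a
# Debian/Ubuntu-based image and trace each binary package back to the upstream
# source package it was built from. Assumes a local Docker CLI; the sample
# inventory below is constructed, not taken from a real image.
set -e
DOCKER=${DOCKER:-docker}

# Emit "binary<TAB>version<TAB>source" for every package installed in IMAGE,
# read from the image's own dpkg database (nothing is installed into the image).
inventory_image() {
  $DOCKER run --rm --entrypoint dpkg-query "$1" \
    -W -f '${Package}\t${Version}\t${source:Package}\n'
}

# Group inventory lines (stdin) by upstream source package, one line each:
# "source<TAB>version<TAB>binaries built from it". This is what answers
# "where did this code come from": libssl3 is not its own project, it is openssl.
group_by_source() {
  awk -F'\t' '
    {
      sep = ($3 in bins) ? " " : ""
      bins[$3] = bins[$3] sep $1
      ver[$3] = $2
    }
    END { for (s in bins) printf "%s\t%s\t%s\n", s, ver[s], bins[s] }
  ' | sort
}

# Constructed sample of what inventory_image prints for a small image.
sample_inventory() {
  printf '%s\t%s\t%s\n' \
    libssl3 '3.0.11-1~deb12u2' openssl \
    openssl '3.0.11-1~deb12u2' openssl \
    libc6   '2.36-9+deb12u4'   glibc \
    zlib1g  '1:1.2.13.dfsg-1'  zlib
}

# Binaries that the upstream source package SRC contributed to an inventory
# read from stdin.
binaries_from_source() {
  src=$1
  group_by_source | awk -F'\t' -v s="$src" '$1 == s { print $3 }'
}
```

For a real image run `inventory_image registry.example/app:1.0 | group_by_source`; the source package column is what you match against advisories (a fix for openssl covers libssl3 even though that binary name never appears in the advisory title).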

A tool like Offensive360 continuously detects vulnerabilities and manages licenses from early development through to production. It provides automated policy enforcement, real-time alerts and continuous-integration support, keeping your open-source components secure and compliant throughout the development lifecycle, from inside your containerized environments.

6: API and Network Security

Docker containers rely heavily on APIs and networks to communicate with each other. That is why your APIs and network architecture must be designed securely, and why you should monitor API and network activity for anomalies that could indicate an intrusion.

Your application APIs and the wider network are not part of Docker itself but resources you use alongside it, so general guidance on securing them is beyond the scope of this article; the core message is that they matter more, not less, when you use Docker. One API is Docker's own, though: the Engine API behind /var/run/docker.sock. Anyone who can reach it can start a privileged container with the host filesystem mounted, which is root on the host. Never bind it to a TCP port without TLS and client-certificate verification, never mount the socket into application containers, and put containers on separate user-defined networks (with --internal for tiers that need no Internet access) rather than the default bridge, where every container can reach every other.
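The following shell script is an added example, not code from the original page. It checks the two Docker-specific points above: whether a daemon.json exposes the Engine API over TCP without tlsverify, and whether a container has the Engine socket mounted into it, and then creates a segmented front/back network layout in which the database tier has no route to the Internet. It assumes a local Docker CLI (DOCKER=echo dry-runs it); the file paths, network names and image names are illustrative, and the daemon.json check is a textual one, not a full JSON parser.

```sh
#!/bin/sh
# Added example, not code from the original page: audit how the Docker Engine
# API is exposed and put application tiers on segmented networks. Assumes a
# local Docker CLI (DOCKER=echo dry-runs it); file paths, network and image
# names are illustrative, and the daemon.json check is textual, not a JSON parser.
set -e
DOCKER=${DOCKER:-docker}

# Report any tcp:// listener in a daemon.json that is not protected by
# tlsverify. Prints "ok" when the API is only on the unix socket or when TCP
# listeners require client certificates, otherwise "exposed: <address>".
audit_daemon_json() {
  tcp=$(grep -o '"tcp://[^"]*"' "$1" | tr -d '"' || true)
  if [ -z "$tcp" ]; then echo ok; return; fi
  if grep -Eq '"tlsverify"[[:space:]]*:[[:space:]]*true' "$1"; then echo ok; return; fi
  for h in $tcp; do echo "exposed: $h"; done
}

# True when a container's mount sources (space separated, as printed by
# docker inspect --format '{{range .Mounts}}{{.Source}} {{end}}') include the
# Engine socket, which gives that container root on the host.
mounts_engine_socket() {
  for m in $1; do
    case "$m" in */docker.sock) return 0 ;; esac
  done
  return 1
}

# List running containers that have the Engine socket mounted.
audit_socket_mounts() {
  for c in $($DOCKER ps --format '{{.Names}}'); do
    srcs=$($DOCKER inspect --format '{{range .Mounts}}{{.Source}} {{end}}' "$c")
    if mounts_engine_socket "$srcs"; then echo "$c: mounts the Engine socket"; fi
  done
}

# Create a front/back split. "backend" is --internal (no route to the outside),
# so the database can be reached only by containers attached to it and cannot
# call out to the Internet. The web tier sits on both networks. On the default
# bridge every container can reach every other, which is why user-defined
# networks are used instead.
create_segmented_tiers() {
  db_image=$1; web_image=$2
  $DOCKER network create --internal backend
  $DOCKER network create frontend
  $DOCKER run --detach --name db --network backend "$db_image"
  $DOCKER run --detach --name web --network frontend --publish 8443:8443 "$web_image"
  $DOCKER network connect backend web
}
```

Run `audit_daemon_json /etc/docker/daemon.json` and `audit_socket_mounts` on each host as part of routine checks; a single "exposed" or socket-mount finding is equivalent to an unauthenticated root shell on that host.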

Conclusion

Docker is a complicated beast, and there is no single trick that secures a container deployment. You have to think holistically about ways to secure your Docker containers and harden your container environment at multiple levels. Doing so is the only way to reap the benefits of Docker containers without leaving yourself exposed to major security problems.
