Container Hardening

The 5-level hardening by KubeOps gives you more security for your container images and installation packages

Hardened container images for more security of your K8s infrastructure

What is container hardening?

In computing, hardening is the process of reducing a system's attack surface to make it as secure as possible. During development and operation, the strictest practical security measures are applied and the software in use is reduced to what is strictly necessary. Without adequate security measures, vulnerabilities can be exploited, leading to data loss, downtime or security breaches.

Why is container hardening important?

In today's digital landscape, cyberattacks are ubiquitous. Containers and installation packages that are not hardened can be an easy target for attackers. Container hardening protects your applications and data by implementing best practices and security measures that minimise potential attack vectors.

5 levels to optimise the security of your container infrastructure

KubeOps comprehensively hardens all components that are required for the productive operation of Kubernetes. Our goal is ‘security by default’. That's why we audit and harden all our components - from code dependencies to Helm charts - until they meet the security requirements of BSI-audited environments and beyond.

Level 1: INTEGRATED - Self-sufficient package
  • Prerequisite for staging
  • Complete Helm package
    • All artefacts included
    • No external dependencies
    • Helm packages are configurable
    • Versioning
  • Protected package consistency

At this first level, we analyse the software to be used and transfer it, together with its required dependencies, into our internal environment. The software is bundled into a KOSI package, which allows it to be installed reproducibly and without internet access in its own environment. The package therefore has the following characteristics: no external dependencies, full configurability and clear versioning. This forms the basis for the staging process and all subsequent levels.

Level 2: REVISED - Baseline level
  • Parameters set to the highest security level
  • Required operating parameters integrated
  • Improved documentation

The second level comprises a thorough review and customisation of the software package with regard to the containers it uses. We analyse the container images, set the operating configuration to a high security level and reduce it to the essentials. The configuration and packages are also documented in detail.

Level 3: SECURED - Security-cleaned
  • Revision according to security guidelines
  • Supply chain secured
  • No critical vulnerabilities
  • No detectable malware

At this level, we focus on securing the container images and packages of a piece of software. We harden them by removing insecure and unnecessary components and implementing secure configuration guidelines for operation. Depending on the vulnerability, it may be necessary to rebuild the source software, the container image and the Helm package. Continuous security scans are carried out so that newly discovered vulnerabilities can be responded to promptly.

Level 4: OPERATIONS-READY - Prepared for operations
  • Ready-to-use configuration
  • Scalability guaranteed
  • Applied best practices
  • Licence management

At this level, we establish operational readiness for the package. Resources such as an ingress or proxy configuration are added to the package and configured for the target environment. These configurations determine how the application is reached and, for example, via which proxy communication must pass in order to request resources from the Internet. Further operating properties are labelling, monitoring, tracing and storage. Container best practices (such as health checks) and scalability of the application are also integrated at this level.

Level 5: HARDENED - Reduced to the maximum
  • Aiming for distroless containers
  • If not possible, hardening of the image stack
  • Use of a ‘lightweight’ base image

The final level of our concept is continuous hardening. Security is an ongoing process, and we ensure that the container environments are checked and updated regularly. The container images themselves are reduced to nothing more than the application to be executed.

Best practices for hardening your container images in Kubernetes

Minimising the attack surface

Use minimalist container images that only contain the necessary components.

Image provenance

Do not blindly trust public container images and Helm charts. Verify where they come from and make sure that only what is necessary is included.

Secure configuration

Implement secure configuration policies for your containers and orchestration systems.

Isolation

Use namespaces and other isolation mechanisms to separate containers from each other.

Monitoring

Implement continuous monitoring and audit systems to detect and respond to unusual activity.

Regular updates

Ensure that all container images are updated regularly to close security gaps.

Do you have any questions about our services?

Gabriella Balogh &
Jörg Ihling-Höfer

Contact persons


Optimum protection for your Kubernetes cluster with KubeOps

Protect your containers and environments with our products and the integrated hardening. Contact us today to find out more about our products and services.

The KubeOps Security Library

Find out more about various security risks and the appropriate measures in our Security Library. Here you will find many informative articles on the topic of security in Kubernetes.