Measures

Non-Root Containers

Action: Always configure containers to run as a non-root user to limit access to sensitive host resources. Ensure the user inside the container does not correspond to a host user.

Benefit: Minimizing privileges in containers prevents attackers from accessing sensitive host resources even if the container is compromised.

Example in Dockerfile:

RUN useradd -d /home/appuser -m -s /bin/bash appuser

USER appuser

Use of Trusted and Verified Images

Action: Always use container images from trusted repositories, preferably official images. Regularly scan images for vulnerabilities using tools like Trivy, Clair etc.

Benefit: Using verified images reduces the risk of introducing vulnerabilities or malicious code into the cluster.

Immutability of Containers

Action: Ensure that containers remain immutable by disabling write access to critical directories and configuring containers to run with a read-only file system. Allow write access only to necessary directories.

Benefit: Maintaining container immutability reduces the risk of tampering or unauthorized changes, ensuring that containers run as expected.

Dockerfile Command:

RUN chmod 0444 /* && chmod 0755 /writable-dir

Microservices Architecture

Action: Adhere to the microservices principle by running one application or process per container. Avoid using containers that host multiple processes or services.

Benefit: Isolating services into individual containers ensures easier monitoring and reduces the attack surface.

Read-Only File System for Containers

Action: Configure containers to operate with a read-only file system, only enabling write access to specific directories where necessary.

Benefit: Prevents unauthorized changes to the file system and limits the ability of attackers to install or modify files within the container.

Example Kubernetes Pod Definition with Read-Only Filesystem:

apiVersion: v1

kind: Pod

metadata:

  name: secure-pod

spec:

  containers:

  - name: myapp

    image: myapp:latest

    securityContext:

      readOnlyRootFilesystem: true

Avoiding Privileged Containers

Action: Do not use the --privileged flag when running containers. If additional capabilities are needed, selectively grant specific capabilities instead of granting full privileges.

Benefit: Avoiding privileged containers limits the potential damage in the event of a security breach, reducing the attacker's ability to compromise the host.

Avoid Mounting Sensitive Host Directories

Action: Do not mount sensitive host directories (e.g., /etc, /root, or /var/run/containerd.sock) into containers. Use Kubernetes ConfigMaps and Secrets for managing configuration and sensitive data.

Benefit: Prevents unauthorized access to sensitive host files and directories, reducing the risk of data exposure or system compromise.

Example Kubernetes ConfigMap for Sensitive Data:

apiVersion: v1

kind: ConfigMap

metadata:

  name: app-config

data:

  config.yaml: |

    key: value

Version Control of Images

Action: Always specify the version or tag of base images and dependencies in Dockerfiles. Avoid using the latest tag to ensure reproducibility and security.

Benefit: Ensures that the exact version of the image is used, preventing unexpected changes or vulnerabilities from being introduced during builds.

Example in Dockerfile:

Dockerfile

FROM ubuntu:20.04

Package Management and Removal

Action: Install only necessary packages during image creation and remove package managers after use to prevent installations within running containers.

Benefit: Reduces the attack surface and prevents unauthorized software installation within containers.

Example in Dockerfile:

RUN apt-get install -y <package> && apt-get purge -y apt-get

Persistent Volume Usage

Action: Use Kubernetes Persistent Volumes (PVs) for storing persistent data, ensuring that user data, configuration files, and logs are stored outside of the container.

Benefit: Keeps container images lightweight and stateless, improving scalability and resilience.

Example Kubernetes PVC Definition:

apiVersion: v1

kind: PersistentVolumeClaim

metadata:

  name: app-pvc

spec:

  accessModes:

    - ReadWriteOnce

  resources:

    requests:

      storage: 1Gi

Adhering to container and image security best practices ensures that your Kubernetes environment remains secure and efficient. By implementing non-root containers, using trusted images, maintaining immutability, and configuring containers securely, you mitigate the risks of unauthorized access, privilege escalation, and system compromise. Regularly update and scan images to adapt to evolving security threats, and use Kubernetes-native mechanisms like ConfigMaps, Secrets, and PersistentVolumes to enhance security further