Skip to main content

Risks

Container and Image Security Guidelines

Top security risks

In Kubernetes, containers are launched from images, and thus many security considerations overlap between container and image security policies. This guide outlines best practices for both container and image security to ensure a robust and secure environment.

Container Immutability

Once an image is started and becomes a container, it should remain immutable. This means that nothing should be inserted, modified, or deleted within the container after it has started. This principle helps maintain consistency and security.

Terminology

  • Container Images: Standalone, executable software packages that include everything needed to run a service—code, runtime, system tools, system libraries, and settings.
  • Parent Images: The base images specified in a Dockerfile using the FROM command. For example, FROM ubuntu specifies an Ubuntu OS as the parent image.
  • Base Images: Special container images that have no parent images, typically starting with FROM scratch in their Dockerfiles.

Container Image Guidelines

1. User Management

  • Non-Root User: It is recommended not to run containers as root. Create a user within the Dockerfile and switch to this user.

    RUN useradd -d /home/appuser -m -s /bin/bash appuser USER appuser

  • User Context Enforcement: Ensure the container does not run as a user that exists on the host machine.

2. Use of Trusted Images

  • Official Repositories: Use container images from trusted sources and verify them using checksums.
  • Image Scanners: Utilize image scanners to check for vulnerabilities in images obtained from less trusted sources.

3. Housekeeping of Images

  • Vulnerability Scanning: Regularly scan images for vulnerabilities and rebuild them with the --no-cache flag to prevent using cached images.

    docker build --no-cache -t myimage:latest

  • Avoid Package Manager Commands: Do not run package manager commands like apt-get update in Dockerfiles. Instead, use updated base images.

    RUN apt-get install --no-install-recommends -y <package>

4. COPY vs. ADD

  • COPY Command: Prefer COPY over ADD in Dockerfiles to avoid potential security risks associated with ADD.

    COPY ./localfile /containerfile

  • Check for ADD Usage: Identify the use of ADD in images.

    docker history <ImageID> --no-trunc | grep ADD

5. Package Managers

  • Remove Package Managers: Remove package managers from the container image after use to prevent installations within running containers.

    RUN apt-get install -y <package> && apt-get purge -y <package-manager>

6. Versioning

  • Specify Versions: Always specify the versions of parent images and dependencies to ensure reproducibility and security.

    FROM ubuntu:20.04

7. Privileged Containers

  • Avoid Privileged Containers: Do not use the --privileged flag as it grants the container extensive permissions on the host.

     
    docker/crictl run --privileged <image> # Avoid this

8. Embedding Sensitive Data

  • Avoid Host Directory Mounting: Do not mount sensitive host directories into containers. Use Kubernetes ConfigMaps and Secrets for configuration files and sensitive data.

    apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config
data:
  config.yaml: |
    key: value
     

9. One Application per Container

  • Microservices Principle: Each container should run a single application or process to follow the microservices architecture.

10. Read-Only File System

  • Read-Only Containers: Configure containers to run with a read-only file system and only grant write permissions to necessary directories.

    RUN chmod 0444 /* RUN chmod 0755 /writable-dir

11. Persistence and Management of Data

  • External Storage: Store user data, configuration files, and other persistent data outside the container using persistent volumes.

    apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: my-pvc
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
     

Example Secure Dockerfile

FROM ubuntu:20.04

# Create a user and switch to it
RUN useradd -d /home/appuser -m -s /bin/bash appuser
USER appuser

# Install necessary packages without recommendations
RUN apt-get update && apt-get install --no-install-recommends -y \
    curl \
    && rm -rf /var/lib/apt/lists/*

# Copy application files
COPY ./app /home/appuser/app

# Set the file system to read-only and allow write access to specific directories
RUN chmod 0444 /* && chmod 0755 /home/appuser/app

CMD ["./home/appuser/app/start.sh"]

Conclusion

Implementing these container and image security guidelines ensures that your Kubernetes environment remains secure and compliant with best practices. By following these guidelines, you can mitigate risks associated with running containers and maintain a robust security posture in your Kubernetes clusters. Regularly review and update these practices to adapt to evolving security threats and advancements in container technologies.

follow these measures