tigera-logoWhite

Guides: Container Security

Container Security in 2025: 8 Key Components & 8 Best Practices

What Is Container Security?

Container security refers to the set of practices, tools, and policies designed to protect containerized applications throughout their lifecycle—from development and deployment to runtime. Unlike traditional workloads, containers share the host operating system kernel and are often deployed at high scale, making them more susceptible to attacks if not properly secured.

Effective container security focuses on minimizing vulnerabilities in container images, securing registries and orchestration platforms, enforcing strict access controls, and monitoring runtime environments for anomalies. It requires a layered approach that integrates security into every stage of the CI/CD pipeline to reduce risks and ensure compliance in distributed systems.

This is part of an extensive series of guides about Kubernetes.

In this article:

Why Is Container Security Important?

The growing adoption of containerized applications across industries has made security a critical priority. Containers offer agility and scalability, but they also introduce new attack surfaces that require protection. This is evident in the rapid growth of the container security market, which is projected to explode from $3.07 billion in 2025 to $25.51 billion by 2034, at a compound annual growth rate (CAGR) of 26.51%.

This surge is driven by the widespread use of containers in cloud-native environments, microservices architectures, and hybrid cloud deployments. As organizations move to containerized infrastructures, they face complex security challenges, such as ensuring compliance with regulations like GDPR and HIPAA, protecting workloads from evolving cyber threats, and managing vulnerabilities introduced by third-party images or misconfigurations.

North America currently leads the market due to its advanced technological landscape and high investment in cybersecurity. However, Asia Pacific is emerging as the fastest-growing region, fueled by rapid digitization, increasing IT infrastructure, and the rise of startups requiring secure and scalable solutions.

Advanced technologies such as artificial intelligence and machine learning are also transforming container security. These innovations enable automated threat detection, real-time monitoring, and adaptive defenses, helping organizations stay ahead of increasingly sophisticated attacks.

8 Key Elements of the Container Attack Surface

1. Container Images

Container images are the foundational elements used to create container instances. They encompass everything needed to run an application, including the code, runtime, libraries, and environment variables. Securing container images is crucial because vulnerabilities or misconfigurations within an image can be replicated across all containers instantiated from it, leading to widespread issues.

Dangers:

  • Propagation of vulnerabilities: If an image contains a vulnerability, every container derived from that image inherits the same vulnerability, multiplying the potential attack surface.
  • Malicious images: Attackers can inject malicious code into container images, which, when deployed, can compromise the entire environment.
  • Configuration drift: Inconsistent or insecure configurations within images can lead to non-standard deployments, making it difficult to maintain security.

2. Registries

Registries serve as repositories where container images are stored and managed. They can be either public or private. Securing registries is essential to prevent unauthorized access and ensure that only trusted images are used, reducing the risk of deploying compromised or malicious images into production environments.

Dangers:

  • Unauthorized access: Unsecured registries can be accessed by unauthorized users, who might tamper with or delete images.
  • Image poisoning: Attackers can upload malicious images to public registries, which unsuspecting users might download and deploy.
  • Data breaches: Private registries can store sensitive configuration data within images. A breach could expose this information to attackers.

3. Orchestration Layer

The orchestration layer manages the deployment, scaling, and operation of containerized applications across clusters. Platforms like Kubernetes automate these processes, but they also introduce new security considerations. Securing the orchestration layer is essential because it serves as the control plane for containerized environments and has privileged access to workloads and infrastructure.

Dangers:

  • Privilege escalation: Compromised orchestration components can allow attackers to gain control over containers or the host system.
  • Insecure configurations: Misconfigured access controls, overly permissive roles, or exposed APIs can be exploited to manipulate workloads.
  • Supply chain attacks: Attackers may target orchestration tools themselves, injecting malicious components during updates or deployments.

4. Deployment

Deployment in a containerized environment involves orchestrating the creation, scaling, and management of containers. Securing deployment processes ensures that only vetted configurations and images are used, reducing the likelihood of introducing vulnerabilities. Proper deployment security also ensures that containers run with the least privilege necessary, minimizing potential damage from a breach.

Dangers:

  • Unauthorized changes: Without proper deployment security, unauthorized changes to deployment configurations can introduce vulnerabilities.
  • Misconfiguration: Incorrectly configured deployments can expose containers to unnecessary risks, such as open network ports or excessive privileges.
  • Insecure environments: Deploying containers in an unsecured environment can lead to data leaks, unauthorized access, and other security breaches.

5. Runtime

Runtime security focuses on protecting containers while they are executing. This involves monitoring and restricting container activities to prevent unauthorized access and malicious behavior. Ensuring runtime security is vital because containers, once running, interact with the host system and other containers, making them potential targets for attacks.

Dangers:

  • Escalation of privileges: A compromised container at runtime can attempt to escalate its privileges to gain broader access within the environment.
  • Lateral movement: Attackers can move laterally from a compromised container to other containers or the host system, increasing the attack scope.
  • Resource exploitation: Malicious actors can exploit container resources, leading to denial-of-service attacks or unauthorized data extraction.

6. Secrets

Secrets management involves handling sensitive data such as API keys, passwords, and certificates. Properly securing secrets is critical to prevent unauthorized access and ensure that sensitive information is only available to containers that require it. Effective secrets management helps maintain the confidentiality and integrity of applications running in containers.

Dangers:

  • Exposure of sensitive data: Inadequately protected secrets can be exposed, leading to unauthorized access to critical systems and data.
  • Insider threats: Insiders with access to poorly managed secrets can misuse them for malicious purposes.
  • Improper storage: Storing secrets directly within container images or environment variables can lead to unintentional exposure.

7. Network

Network security in containerized environments involves securing the communication between containers and external entities. This includes implementing network policies to control traffic flow and using encryption to protect data in transit. Securing the network is essential to prevent unauthorized access and data breaches, ensuring that containerized applications can communicate safely and reliably.

Dangers:

  • Man-in-the-Middle (MitM) Attacks: Unsecured communication channels can be intercepted, allowing attackers to eavesdrop on or manipulate data.
  • Unrestricted traffic: Without proper network policies, unauthorized traffic can flow between containers, increasing the risk of lateral movement and data breaches.
  • External threats: Containers exposed to the internet without adequate protection can be targeted by external attackers.

8. Storage

Storage security ensures that the persistent data managed by containers is protected. This includes securing the underlying storage infrastructure and ensuring that access controls are in place to prevent unauthorized data access. Proper storage security is crucial because containers often store critical application data that must be safeguarded against breaches and unauthorized modifications.

Dangers:

  • Data loss: Inadequate storage security can result in data corruption or loss, affecting application functionality and data integrity.
  • Unauthorized access: Improperly secured storage can be accessed by unauthorized users, leading to data theft or manipulation.
  • Persistent threats: Attackers can persist in the environment by exploiting unsecured storage to plant malware or backdoors.

Container Security Challenges

Here are some of the main elements that can hinder security in containerized environments:

  • Monitoring and visibility: Containers are highly dynamic and ephemeral, often spinning up and shutting down rapidly. This makes it difficult for security teams to maintain consistent visibility, creating potential blind spots in monitoring activities.
  • Vulnerability identification and mitigation: Containers frequently rely on images from public registries, which may contain outdated or insecure components. Identifying and addressing these vulnerabilities and misconfigurations is critical to prevent exposure.
  • Contextual risk evaluation: Security teams must assess vulnerabilities based on their potential impact within a specific container environment. Without proper context, it’s challenging to prioritize and remediate risks effectively.
  • Shift-left security integration: Embedding security early in the development lifecycle remains a significant hurdle. Many organizations struggle to implement security practices during the build and deployment phases, increasing the likelihood of issues reaching production.
  • Regulatory compliance: Meeting compliance requirements such as PCI-DSS, HIPAA, or GDPR can be complex in containerized environments due to their dynamic nature and shared infrastructure.
  • Runtime threats: Containers in operation are vulnerable to attacks that may evade static security measures. Real-time monitoring and anomaly detection are needed to identify and respond to these runtime risks.
  • Multi-tenancy risks: In multi-tenant environments, multiple applications or users share the same container infrastructure. Without proper isolation, there’s a risk of unauthorized access to sensitive data or resources across tenants.

Key Features of Container Security Tools

To effectively secure containerized environments, organizations rely on specialized tools designed to address the unique risks containers present. These tools offer a wide range of features that span the entire container lifecycle—from development to deployment and runtime.

Below are the essential capabilities to look for in a container security solution:

  • Network segmentation and microsegmentation: Implements network policies that restrict traffic between containers and services. Supports zero-trust models and minimizes lateral movement in case of a breach.
  • Policy enforcement: Enables administrators to define and enforce security policies across build, deploy, and runtime stages. Common policies include whitelisted images, privilege restrictions, and mandatory vulnerability thresholds.
  • Image scanning: Automatically scans container images for known vulnerabilities, outdated libraries, and configuration issues before deployment. Helps ensure only secure images enter production.
  • Runtime protection: Monitors container behavior in real-time, detecting anomalies, unauthorized access, and malicious activity. Includes features like syscall filtering and runtime policy enforcement.
  • Secrets management integration: Provides secure handling and injection of sensitive information such as API keys and certificates. Integrates with secret stores to ensure secrets are not hardcoded or exposed in images.
  • Compliance and audit logging: Tracks and logs all activity for compliance with standards like PCI-DSS, HIPAA, or GDPR. Offers detailed audit trails for forensic analysis and regulatory reporting.
  • CI/CD integration: Seamlessly integrates with continuous integration and delivery pipelines to shift security left. Ensures that security checks are part of the development lifecycle.
  • Threat intelligence and anomaly detection: Leverages up-to-date threat intelligence feeds to detect emerging threats. Uses machine learning to identify deviations from normal container behavior.
  • Support for Kubernetes and orchestration layers: Provides visibility and control over Kubernetes resources, policies, and runtime behaviors. Ensures secure orchestration of container workloads across clusters.
  • Automated remediation: Offers mechanisms to automatically respond to detected threats, such as killing malicious containers, isolating workloads, or triggering alerts and workflows.

Container Security vs. VM Security

While containers and virtual machines (VMs) share some security principles, they differ in architecture and threat models.

VMs provide hardware-level isolation through hypervisors, which separate guest operating systems from the host. This isolation limits the impact of a compromised VM on other workloads. Containers, however, share the same host kernel and use namespaces and control groups for isolation. This lightweight approach increases performance and density but expands the attack surface if kernel vulnerabilities are exploited.

In containerized environments, security relies heavily on maintaining strict configurations, minimizing privileges, and ensuring robust network segmentation. Traditional VM security practices like antivirus software or host-based firewalls are insufficient for containers due to their ephemeral and distributed nature.

Additionally, container environments require stronger emphasis on supply chain security (e.g., scanning images and validating registries), orchestration layer protection (e.g., Kubernetes RBAC hardening), and runtime monitoring to detect lateral movement within clusters.

Container Security Best Practices

1. Securing Images

Container images are used to create containers. A misconfiguration or malicious activity in container images can introduce vulnerabilities into containers deployed in production. To ensure the health of your containerized workloads and applications, you need to secure container images. Here are several ways to do this:

  • Include your application in a container image – A container image holds a subset of the operating system along with the application designed to run in the container. Each library and tool you pull into the image poses a potential threat. To mitigate these threats, you need to include the application within the container image. This should be a statically compiled binary that contains all required dependencies.
  • Include as little as possible – Remove all components the application does not need. For example, remove the “sed” and “awk” binaries, which are present by default on any UNIX system. This can help you reduce the attack surface.
  • Use trustworthy images – If you are not creating the image from scratch, you should choose images that are trustworthy. Public image repositories, such as Docker Hub, can be used by anyone and may contain malware or misconfigurations.

Related content: Read our guide to container security scanning

2. Securing Registries

Container images are usually stored in private or public registries. It is critical to secure these registries to ensure all team members and collaborators are using images that are as free of vulnerabilities as possible. Here are several ways to secure container registries:

  • Use access control – If you have your own private registry, you need to establish access controls that define exactly who can access and publish images and who cannot perform these actions. Access control is a basic security measure that can prevent unauthorized parties from modifying, publishing, or deleting your images.
  • Sign your images – Signatures help track images to the people who signed them. This makes it difficult to substitute the signed image for a compromised one. The Docker Content Trust mechanism provides information about signing images. You can also use Notary, an open-source tool that helps you sign and verify images.
  • Scan your images – Vulnerability scanners are designed to identify known vulnerabilities. These tools can help you find critical vulnerabilities and detect critical threats. You can use scanners on a continuous basis to ensure that your registries do not contain critical vulnerabilities.

3. Securing Deployment

Here are several methods that can help you secure your deployments:

  • Secure the target environment – You can do this by hardening the underlying host operating system. You can also establish firewall and VPC rules or create special accounts that limit access.
  • Use an orchestration platform – These systems usually provide secure API endpoints as well as role-based access control (RBAC), which can help minimize the risk of unauthorized access.
  • Use immutable deployments – This involves creating an instance image during your build steps. Your deployment can then use this image to create new instances. To update the application, you need to create new images, spin up new instances, and then destroy the old ones.

4. Securing Container Runtime

Here are several best practices that can help you secure runtime:

  • Create separate virtual networks for your containers – This introduces a level of isolation that can reduce the attack surface.
  • Apply the principle of least privilege – Allow connectivity only between containers that truly need it.
  • Expose only the ports that serve the application – Do not expose any other ports, except for SSH. Apply this principle to containers as well as the underlying machines.
  • Use TLS to secure communication between services – This process encrypts traffic and ensures only authorized endpoints are allowed.
  • Use the Docker Image policy plugin – This plugin is designed to prevent any process from pulling images that were not previously allow-listed.

Learn more in our detailed guide to Docker security

5. Securing Kubernetes

Here are several best practices to help you secure Kubernetes:

  • Enable TLS everywhere – You should enable TLS for all supported components to defend against traffic sniffing and authenticate identities at both ends of each connection.
  • Use a service mesh architecture – Service meshes are networks of persistent encrypted connections between high-performance sidecar proxies. They provide traffic monitoring, management, and policy enforcement without affecting microservices.
  • Use OPA – Open Policy Agent (OPA) enforces custom policies on a Kubernetes object without reconfiguring or recompiling the Kubernetes API server.
  • Apply network policies – The default Kubernetes networking permits all traffic between pods, but you can restrict this with a network policy.
  • Implement private networks – Deploy each Kubernetes worker and master node on a private subnet to secure the connections to corporate networks, make nodes unreachable from the public Internet, and minimize your overall attack surface.
  • Keep the etcd cluster separate – Use a firewall to protect the etcd cluster, which stores state and secret information and requires special protection compared to other Kubernetes components.
  • Ensure the regular rotation of encryption keys – Regularly rotating encryption keys and certificates helps minimize the blast radius of an attack that compromises keys.
  • Use static analysis for YAML – Statically analyze where pod security policies deny access to API servers. This should be part of the development workflow because it helps identify the organization’s risk tolerance and compliance requirements.
  • Manage secrets – Integrate clusters using a secret management system to ensure application pods automatically receive all secrets and passwords needed at runtime (based on the app roles associated with each pod).
  • Check the code – Scan the code and use static analysis to ensure automation security. You must scan the source code for all application code in Kubernetes to identify vulnerabilities and hard-coded errors.
  • Use RBAC policies based on the principle of least privilege – Role-based access control (RBAC) helps manage access policies at a granular level to protect resources. A centralized authentication and authorization system like SSO throughout the organization makes onboarding and offboarding easier.
  • Use third-party authorization for API servers – You can manage and secure Kubernetes API access by creating detailed auth policies and applying advanced, full-featured verification technologies.

Learn more in our detailed guide to Kubernetes security

6. Using Thin, Short-Lived Containers to Reduce Your Attack Surface

Containers are designed to be ephemeral and lightweight. They are not supposed to be used like servers. You should not constantly add files to the container or update only every couple of weeks or months. This approach can weaken your security posture because, essentially, you are creating a larger attack surface that is not maintained on a regular basis.

You should strive to minimize the number of components in each container and keep all containers as thin as possible. This approach can help reduce the attack surface. Additionally, when identifying vulnerabilities in standard images, you should quickly resolve the issue and then deploy a new, clean container.

7. Using Container Security Tools

Container orchestration platforms, like Kubernetes, provide native security capabilities. However, these controls are not enough to ensure the security and health of containerized applications. A particular challenge is ensuring that none of the third-party software components included in the workload contain critical vulnerabilities.

Containers can be vulnerable to rogue processes, which may be able to bypass isolation and gain unauthorized access to other containers and container images. If a container image includes a vulnerability, it may be deployed in applications. Additionally, misconfigured permissions might multiply these issues.

You can mitigate security risks by using container security tools, which can help you manage access, test security, and protect your infrastructure. You can employ tools that help you gain visibility into activity across your containerized applications. Testing features can help you develop security policies, simulate attacks from common threat sources, and discover zero-day vulnerabilities.

Related content: Read our guide to container security tools

8. Monitoring Container Activity

Containerized workloads are highly dynamic. One container image often has multiple running instances. Additionally, new images and new versions are deployed at a high-paced speed. Issues can, therefore, quickly propagate across multiple containers and applications. This is why it is highly critical to identify these issues quickly and remediate each issue at the source.

Containerized workloads require a granular level of monitoring, to provide visibility for IT and security teams into elements running inside the environment.

Monitoring tools enable seamless container security and operations. They help identify anomalous behaviors and respond to events in a timely and appropriate manner. For example, the timely identification of a faulty image can ensure that admins quickly fix it and rebuild all relevant containers using the new image.

To maintain security, you should implement security practices and tools that can help you achieve observability for the following components:

  • Master nodes (when using a container orchestration platform like Kubernetes)
  • Container engines
  • Workloads running in containers
  • Containerized middleware and networking

Related content: Read our guide to Docker container monitoring

4 Common Container Security Mistakes to Avoid

Here are several common container security pitfalls to avoid:

  • Forgetting basic security hygiene – Containers are generally considered a new technology, which requires the use of new security methods. However, certain security fundamentals still apply. For example, you need to keep all systems patched and up-to-date, including operating systems and container runtimes.
  • Failure to harden and configure tools and environments – Container orchestration platforms offer a set of unique security capabilities. However, to ensure security, you need to properly configure them for each environment. You should never run security configurations using a platform’s default settings. For example, you should grant containers only the privileges needed to run. This can significantly minimize risks associated with privilege escalation attacks.
  • Failure to log, monitor, and test – When you first run containers in production, you might lose visibility into the health of your application and environments. If this occurs and you do not catch the issue in time, you might run into critical risks. This is especially important for highly distributed systems spanning multiple clouds and on-premise infrastructure. You need to make sure you have properly configured monitoring, logging, and testing. This can help minimize the amount of unknown vulnerabilities as well as reduce other blind spots.
  • Failure to secure all phases of the CI/CD pipeline – Do not ignore other components of your software development pipeline. You can avoid this issue by implementing a “shift left” philosophy, which means you implement security early in the development cycle. This often requires consistently applying relevant tools and policies across the pipeline and making changes as needed.

A Quick Guide to Secure Image Development

While it is critical to scan images, that alone is not enough. You should aim to shift image security left, avoid using unsafe images in the first place, and take care not to add vulnerable components to new images you create. Here are a few steps you can use to improve the security of your container images early in the development process.

Secure Code Running in Containers

Containers are intended to run software applications. Typically, these applications will consist of a combination of proprietary code and open source components. It is important to realize that a critical part of securing images is ensuring the code packaged within them is secure.

A variety of automated tools are available that can help you scan your code for vulnerabilities:

  • Software Composition Analysis (SCA) can help discover vulnerabilities in open source components
  • Static Application Security Testing (SAST) can scan your proprietary code for security flaws, bugs, and code quality issues
  • Dynamic Application Security Testing (DAST) can help you test the application at runtime to discover exploitable vulnerabilities

It is important to have these or similar tools as a mandatory step in your CI/CD pipeline, to ensure that all code you add to a container image is known to be safe.

Use Minimal Base Images

Almost all container images are derived from a base image (this is the FROM line in the Dockerfile). There are a huge number of public images to choose from when selecting your base image. Compare all the images that meet your needs and select the minimal image—the one with the smallest footprint and fewest features, components, and dependencies.

Selecting a minimal image will reduce your attack surface from the outset. It will also make your containers more lightweight and improve resource utilization. Remember that a base image can run in hundreds or even thousands of containers and the overhead adds up.

Use Trusted Images

Never use container images from unknown publishers in public repositories. There are a few sources of trusted images where there is some assurance that the image does not contain vulnerabilities and has not been tampered with by attackers. For example:

  • Docker Hub Official Images are curated by Docker experts and tested for functionality and security.
  • The Docker Verified Publishers badge means that an image is high-quality, and is directly maintained by a company affiliated with Docker. For example, a MySQL image that is directly maintained by Oracle.
  • You can use Notary or similar tools to verify that an image was signed by a trusted entity and has not been changed.

Be Aware of Container Image Layers

In a Dockerfile, you start from a base image and then add additional components needed for your containers to function. You do this using RUN, COPY, and ADD commands. Technically, each of these commands adds another layer to the container image, and each layer creates a new attack surface.

It is important to be aware of the layers you are adding to your containers, and reduce security risks using these guidelines:

  • Ensure each layer adds exactly the tools you need for the relevant stage of the development lifecycle and no more.
  • Ensure tools or components added in these middle layers use the latest version and do not themselves have security vulnerabilities.
  • Most of the tools will only be needed in development and testing stages—remove them in production. The best way to do this is to use a multi-stage build.

Improving Container Security with Calico

Calico Cloud offers active build, deploy and runtime security for containers and Kubernetes.

  • Build – With Calico’s Image Assurance, DevOps teams can secure the build pipeline with an integrated Image Scanner, an admission controller to automatically block vulnerable images from being deployed, and a runtime view of high-risk workloads in the application to prioritize remediation activities.
  • Deploy – Detect configuration violations and misconfigurations in the Kubernetes environment to prevent breaches. Calico can generate CIS benchmark reports to conform to security best practices.
  • Runtime – Protect container workloads from network-based and container-based threats with zero-trust workload access controls, malware protection, and identity-based microsegmentation. Calico uses machine learning and global threat feeds to detect anomalies and zero-day threats in containerized applications.

Visit our container security solutions page to learn more about Calico Cloud’s container security features.

Next Steps

See Additional Guides on Key Kubernetes Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of Kubernetes.

Kubernetes Networking

Authored by Tigera

Kubernetes Security

Authored by Tigera

Argo CD

Authored by Codefresh

Copyright © Tigera, Inc. All rights reserved.