Guides

Container Security

What is Container Security?

The Challenge of Container Security

Containers are immutable. This means that each change to the application or microservice involves updating the container image and launching new containers. This type of environment is highly dynamic and requires continuous monitoring, observability, and security.

Container security is a continuous practice, which should be fully integrated into the entire development cycle. By implementing security as an integral part of your continuous deployment cycle, you can mitigate risk and reduce the number of vulnerabilities across a dynamic and complex attack surface.

To ensure efficiency, you should automate manual touch points. This includes not only development tasks, but also those related to the operation and maintenance of the underlying infrastructure. For example, you should protect your build pipeline container images as well as the runtime host, your chosen platform, and all application layers.

In this article:

Securing Docker

Docker is a popular open source container engine. Docker popularized containerized infrastructure and took DevOps automation to the next level, but at the same time, it created new attack surfaces. To secure Docker, you must harden several layers of your environment:

  • Container images – Scan images for vulnerabilities before using them to create Docker containers.
  • Containers – Monitor containers in runtime to discover security issues and unusual traffic that might indicate an attack. Learn more in our guide to Docker container monitoring.
  • Docker daemon – Ensure the daemon running containers on host machines is securely configured.
  • Hosts – Harden the hosts running your containers, ensuring they are securely configured and do not grant excessive privileges to containers.
  • Overlay networks and APIs – Ensure mechanisms used by containers to communicate are secured and authenticated.
  • Storage systems – Protect any storage system accessed by containers to prevent unauthorized access.

Learn more in our detailed guide to Docker security

Securing Kubernetes

Kubernetes is an open-source container management platform that offers a rich set of capabilities. You can define a wide range of policies and then let the platform automatically enforce these operational and security baselines.

Together, the registry and orchestrator enable automated enforcement of a set of container security and quality standards. These standards are applied before and during any redeployment into the environment.

Kubernetes offers security features, but it is not secure by default. Standards like the Kubernetes CIS Benchmark can help you understand how to securely configure Kubernetes. You need to enforce secure configuration when deploying new clusters and on an ongoing basis.

Learn more in our detailed guide to Kubernetes security

Securing the Container Stack

The container stack usually consists of container images, containers, a container engine (Docker), container runtime (runC), registries, hosts, and orchestrators. The following are several potential risks affecting the stack, and techniques that can help you overcome them.

Securing Container Images

Container images are just as likely to have vulnerabilities as any legacy code. To ensure you are not introducing critical issues into the production environment, you should scan images for both vulnerabilities and compliance issues. Vulnerability scanning tools produce a software bill of materials (BOM), which can help identify out-of-date or unwanted software libraries, malicious software (malware), and embedded secrets. You can then correlate risk to individual image layers to ensure you are securely building your images.

Remember that configuration drift—gradual, unplanned changes in configuration over time—can be a huge issue for containers. A scanned image may pass a vulnerability and compliance check today, but may not remain secure in the future. This is because new threat data can identify vulnerabilities in a component that was previously thought to be secure. To prevent this issue, you need to continuously monitor all images and containers.

Related content: Read our guide to container security scanning

Securing Container Runtimes

A container runtime is generally considered one of the most challenging components to secure. Traditional security technology was not designed to monitor running containers, so these tools cannot obtain visibility into containers or even establish solid baselines that model a secure container environment.

To secure containers, you need to establish behavioral baselines for your container environment in a normal and secure state. This can help detect and prevent anomalies and potential attacks. Runtime security requires you to focus on securing the application level, rather than relying mainly on network security tools.

Securing Container Registries

The management stack helps coordinate containers. It includes at least two pieces of infrastructure—a privacy container registry, such as Amazon ECS, and a container orchestrator (Kubernetes).

Container registries simplify the sharing of containers. This helps teams build on each other’s work. However, these containers must be secured, typically through the use of automated scanners that ensure all containers meet development and security baselines.

Automated scanners check each container for known malware, vulnerabilities, and exposed secrets. To reduce issues downstream, the check should run before making the container available in the registry.

To ensure your registry is protected, you need to run it on a secure cloud service or a hardened system. When using a cloud service, you must factor in the shared responsibility model of the cloud and implement your own strong role-based access control (RBAC) for the registry.

Securing Host Machines

Here are several practices that can help you secure container host machines:

  • Choose a suitable operating system – Ideally, prefer a distributed operating system optimized especially to run containers.
  • Harden the operating system – Implement security measures that protect the operating system. For example, when using stock Linux distributions or Microsoft Windows, you need to disable or remove any unnecessary services.
  • Add a layer of security and monitoring – These tools can help ensure that the host runs as expected. For example, you can use application control tools or an intrusion prevention system (IPS).

Once a container runs in production, it starts interacting with resources and other containers. You should monitor and secure this type of internal traffic by ensuring all network traffic from containers passes through an IPS. However, do not try to implement a small number of large traditional IPS engines on the perimeter. Instead, you should implement the IPS on each host. This allows effective monitoring of all traffic without significantly impacting performance.

A Quick Guide to Secure Image Development

While it is critical to scan images, that alone is not enough. You should aim to shift image security left, avoid using unsafe images in the first place, and take care not to add vulnerable components to new images you create. Here are a few steps you can use to improve the security of your container images early in the development process.

Secure Code Running in Containers

Containers are intended to run software applications. Typically, these applications will consist of a combination of proprietary code and open source components. It is important to realize that a critical part of securing images is ensuring the code packaged within them is secure.

A variety of automated tools are available that can help you scan your code for vulnerabilities:

  • Software Composition Analysis (SCA) can help discover vulnerabilities in open source components
  • Static Application Security Testing (SAST) can scan your proprietary code for security flaws, bugs, and code quality issues
  • Dynamic Application Security Testing (DAST) can help you test the application at runtime to discover exploitable vulnerabilities

It is important to have these or similar tools as a mandatory step in your CI/CD pipeline, to ensure that all code you add to a container image is known to be safe.

Use Minimal Base Images

Almost all container images are derived from a base image (this is the FROM line in the Dockerfile). There are a huge number of public images to choose from when selecting your base image. Compare all the images that meet your needs and select the minimal image—the one with the smallest footprint and fewest features, components, and dependencies.

Selecting a minimal image will reduce your attack surface from the outset. It will also make your containers more lightweight and improve resource utilization. Remember that a base image can run in hundreds or even thousands of containers and the overhead adds up.

Use Trusted Images

Never use container images from unknown publishers in public repositories. There are a few sources of trusted images where there is some assurance that the image does not contain vulnerabilities and has not been tampered with by attackers. For example:

  • Docker Hub Official Images are curated by Docker experts and tested for functionality and security.
  • The Docker Verified Publishers badge means that an image is high-quality, and is directly maintained by a company affiliated with Docker. For example, a MySQL image that is directly maintained by Oracle.
  • You can use Notary or similar tools to verify that an image was signed by a trusted entity and has not been changed.

Be Aware of Container Image Layers

In a Dockerfile, you start from a base image and then add additional components needed for your containers to function. You do this using RUN, COPY, and ADD commands. Technically, each of these commands adds another layer to the container image, and each layer creates a new attack surface.

It is important to be aware of the layers you are adding to your containers, and reduce security risks using these guidelines:

  • Ensure each layer adds exactly the tools you need for the relevant stage of the development lifecycle and no more.
  • Ensure tools or components added in these middle layers use the latest version and do not themselves have security vulnerabilities.
  • Most of the tools will only be needed in development and testing stages—remove them in production. The best way to do this is to use a multi-stage build.

Related content: Read our guide to container security best practices

Container Security Solutions

In the past few years, dedicated security solutions have emerged that can help secure containerized environments. Here are some of the commonly used types of container security solutions:

  • Container monitoring – Tools that can monitor containers during runtime to discover malicious traffic, misconfigurations, and vulnerabilities introduced over time.
  • Container scanning – Tools that can scan images for known security vulnerabilities. These tools should integrate into the CI/CD toolchain and enable scanning of container images during development, testing, and production stages.
  • Container firewalls – A dedicated component that regulates traffic to and from a container, as well as traffic on external networks and legacy applications. Container firewalls typically run as a “sidecar” alongside container workloads.
  • Container networking – Tools that can define security policies governing which users or entities can access containers, and establish microsegmentation to isolate sensitive workloads from the rest of the network.

Related content: Read our guide to container security tools

4 Common Container Security Mistakes to Avoid

Here are several common container security pitfalls to avoid:

  • Forgetting basic security hygiene – Containers are generally considered a new technology, which requires the use of new security methods. However, certain security fundamentals still apply. For example, you need to keep all systems patched and up-to-date, including operating systems and container runtimes.
  • Failure to harden and configure tools and environments – Container orchestration platforms offer a set of unique security capabilities. However, to ensure security, you need to properly configure them for each environment. You should never run security configurations using a platform’s default settings. For example, you should grant containers only the privileges needed to run. This can significantly minimize risks associated with privilege escalation attacks.
  • Failure to log, monitor, and test – When you first run containers in production, you might lose visibility into the health of your application and environments. If this occurs and you do not catch the issue in time, you might run into critical risks. This is especially important for highly distributed systems spanning multiple clouds and on-premise infrastructure. You need to make sure you have properly configured monitoring, logging, and testing. This can help minimize the amount of unknown vulnerabilities as well as reduce other blind spots.
  • Failure to secure all phases of the CI/CD pipeline – Do not ignore other components of your software development pipeline. You can avoid this issue by implementing a “shift left” philosophy, which means you implement security early in the development cycle. This often requires consistently applying relevant tools and policies across the pipeline and making changes as needed.

Container Security with Calico

Calico Enterprise and Calico Cloud offer the following unique features for container security:

  • Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and Openshift, and managed services such as EKS and AKS.
  • Default-deny – Calico implements least privilege access controls by denying all network traffic by default and only allowing connections that have been authorized. This applies to traffic between microservices as well as ingress and egress outside the cluster.
  • Egress Gateway – The Calico Egress Gateway provides universal firewall integration, enabling Kubernetes resources to securely access endpoints behind a firewall. This allows you to extend your existing firewall manager and zone-based architecture to Kubernetes for cloud-native architecture.
  • Intrusion detection and prevention (IDS/IPS) – Detect and mitigate Advanced Persistent Threats (APTs) using machine learning and a rule-based engine that enables active monitoring.

Next Steps

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!