7 Container Security Best Practices You Must Know

What Is Container Security?

The purpose of container security is to protect containerized environments, which are much more complex than traditional workloads. Production environments deploy massive amounts of containers. Security experts and administrators need to secure more components in a containerized environment than they would in traditional deployments.

Container security involves the implementation and maintenance of security controls that protect containers and the underlying infrastructure. Integrating security into the development pipeline can help ensure that all components are secured from the initial development phase and until the end of their lifecycle.

In this article, you’ll learn about the following container security best practices:

1. Securing Images
2. Securing Registries
3. Securing Deployment
4. Securing Runtime
5. Using Thin, Short-Lived Containers to Reduce Your Attack Surface
6. Using Container Security Tools
7. Monitoring Container Activity

You’ll also learn about:

• Container Security Challenges
• Improving Container Security with Calico

Container Security Challenges

Containers offer many advantages, but also pose certain security challenges that can be difficult to overcome. Perhaps the most noticeable security challenge is the larger attack surface containers create, as opposed to traditional workloads, because of the large number of containers based on many different underlying images, each of which can have vulnerabilities.

Another key issue is the underlying kernel architecture shared by containers. Securing the host is not enough to ensure protection. You also need to maintain secure configurations to limit container permissions and ensure proper isolation between containers.

Because containerized environments are highly dynamic, containerized workloads also pose visibility challenges. This is because traditional monitoring tools may not be able to see which containers are running, what they are running, or scrutinize their network behavior. It is critical to improve visibility as much as possible to ensure timely remediation and prevent breaches.

Container Security Best Practices

1. Securing Images

Container images are used to create containers. A misconfiguration or malicious activity in container images can introduce vulnerabilities into containers deployed in production. To ensure the health of your containerized workloads and applications, you need to secure container images. Here are several ways to do this:

• Include your application in a container image – A container image holds a subset of the operating system along with the application designed to run in the container. Each library and tool you pull into the image poses a potential threat. To mitigate these threats, you need to include the application within the container image. This should be a statically compiled binary that contains all required dependencies.
• Include as little as possible – Remove all components the application does not need. For example, remove the “sed” and “awk” binaries, which are present by default on any UNIX system. This can help you reduce the attack surface.
• Use trustworthy images – If you are not creating the image from scratch, you should choose images that are trustworthy. Public image repositories, such as Docker Hub, can be used by anyone and may contain malware or misconfigurations.

2. Securing Registries

Container images are usually stored in private or public registries. It is critical to secure these registries to ensure all team members and collaborators are using images that are as free of vulnerabilities as possible. Here are several ways to secure container registries:

• Use access control – If you have your own private registry, you need to establish access controls that define exactly who can access and publish images and who cannot perform these actions. Access control is a basic security measure that can prevent unauthorized parties from modifying, publishing, or deleting your images.
• Sign your images – Signatures help track images to the people who signed them. This makes it difficult to substitute the signed image for a compromised one. The Docker Content Trust mechanism provides information about signing images. You can also use Notary, an open-source tool that helps you sign and verify images.
• Scan your images – Vulnerability scanners are designed to identify known vulnerabilities. These tools can help you find critical vulnerabilities and detect critical threats. You can use scanners on a continuous basis to ensure that your registries do not contain critical vulnerabilities.

3. Securing Deployment

Here are several methods that can help you secure your deployments:

• Secure the target environment – You can do this by hardening the underlying host operating system. You can also establish firewall and VPC rules or create special accounts that limit access.
• Use an orchestration platform – These systems usually provide secure API endpoints as well as role-based access control (RBAC), which can help minimize the risk of unauthorized access.
• Use immutable deployments – This involves creating an instance image during your build steps. Your deployment can then use this image to create new instances. To update the application, you need to create new images, spin up new instances, and then destroy the old ones.

4. Securing Runtime

Here are several best practices that can help you secure runtime:

• Create separate virtual networks for your containers – This introduces a level of isolation that can reduce the attack surface.
• Apply the principle of least privilege – Allow connectivity only between containers that truly need it.
• Expose only the ports that serve the application – Do not expose any other ports, except for SSH. Apply this principle to containers as well as the underlying machines.
• Use TLS to secure communication between services – This process encrypts traffic and ensures only authorized endpoints are allowed.
• Use the Docker Image policy plugin – This plugin is designed to prevent any process from pulling images that were not previously allow-listed.

5. Using Thin, Short-Lived Containers to Reduce Your Attack Surface

Containers are designed to be ephemeral and lightweight. They are not supposed to be used like servers. You should not constantly add files to the container or update only every couple of weeks or months. This approach can weaken your security posture because, essentially, you are creating a larger attack surface that is not maintained on a regular basis.

You should strive to minimize the number of components in each container and keep all containers as thin as possible. This approach can help reduce the attack surface. Additionally, when identifying vulnerabilities in standard images, you should quickly resolve the issue and then deploy a new, clean container.

6. Using Container Security Tools

Container orchestration platforms, like Kubernetes, provide native security capabilities. However, these controls are not enough to ensure the security and health of containerized applications. A particular challenge is ensuring that none of the third-party software components included in the workload contain critical vulnerabilities.

Containers can be vulnerable to rogue processes, which may be able to bypass isolation and gain unauthorized access to other containers and container images. If a container image includes a vulnerability, it may be deployed in applications. Additionally, misconfigured permissions might multiply these issues.

You can mitigate security risks by using container security tools, which can help you manage access, test security, and protect your infrastructure. You can employ tools that help you gain visibility into activity across your containerized applications. Testing features can help you develop security policies, simulate attacks from common threat sources, and discover zero-day vulnerabilities.

7. Monitoring Container Activity

Containerized workloads are highly dynamic. One container image often has multiple running instances. Additionally, new images and new versions are deployed at a high-paced speed. Issues can, therefore, quickly propagate across multiple containers and applications. This is why it is highly critical to identify these issues quickly and remediate each issue at the source.

Containerized workloads require a granular level of monitoring, to provide visibility for IT and security teams into elements running inside the environment.

Monitoring tools enable seamless container security and operations. They help identify anomalous behaviors and respond to events in a timely and appropriate manner. For example, the timely identification of a faulty image can ensure that admins quickly fix it and rebuild all relevant containers using the new image.

To maintain security, you should implement security practices and tools that can help you achieve observability for the following components:

• Master nodes (when using a container orchestration platform like Kubernetes)
• Container engines
• Workloads running in containers
• Containerized middleware and networking

Related content: Read our guide to Docker container monitoring

Improving Container Security with Calico

Calico Enterprise and Calico Cloud offer the following unique features for container security:

• Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and Openshift, and managed services such as EKS and AKS.
• Default-deny – Calico implements least privilege access controls by denying all network traffic by default and only allowing connections that have been authorized. This applies to traffic between microservices as well as ingress and egress outside the cluster.
• Firewall integration – The Calico Egress Gateway provides universal firewall integration, enabling Kubernetes resources to securely access endpoints behind a firewall. This allows you to extend your existing firewall manager and zone-based architecture to Kubernetes for cloud-native architecture.
• Egress Gateway – Enforce workload access controls from a firewall outside the cluster.
• Intrusion detection and prevention (IDS/IPS) – Detect and mitigate Advanced Persistent Threats (APTs) using machine learning and a rule-based engine that enables active monitoring.

Next Steps

• Read about workload access controls for cloud workload protection
• Read about audit and compliance, including PCI, SOC 2, HIPAA, and GDPR
• Read about extending enterprise security controls to the cloud