Guides

Docker Security

Docker Security: 5 Risks and 5 Best Practices for Securing Your Containers

What Is Docker Security?

Docker security encompasses the runtime, build, and orchestration of containers. Security aspects include base images, the Dockerfile, the container runtime, and securing the Docker daemon. You should also ensure proper configuration of container isolation, user privileges, and security best practices for container orchestration at scale.

Additional aspects of container security are securing Docker Hub to mitigate supply chain risks, and securing Helm charts and Kubernetes clusters used to orchestrate Docker containers.

In this article:

5 Security Risks in Docker Container Deployment and How to Mitigate Them

Here are some of the major security risks affecting Docker deployments.

Unrestricted Traffic and Unsafe Communication

What is the risk?

Some Docker versions allow all network traffic on the same host by default, which can result in unintentional exposure of data to the wrong containers.

How to mitigate
Link the desired containers to restrict container access and reduce the attack surface, enabling only necessary and desired communication.
Encrypt Docker registry communication using TLS to protect network traffic integrity and confidentiality.
Evaluate the effectiveness of your existing controls and apply controls specific to Docker to mitigate business risks.

Vulnerable and Malicious Container Images

What is the risk?
There are more than 100,000 open-source container repositories hosted in the Docker Hub registry, including modified and unofficial versions of common images. Docker Hub is open to everyone, so you should make sure you trust the publisher when you deploy a new repo.

How to mitigate
Avoid untested or untrusted builds to prevent the introduction of vulnerabilities and malicious code.
A safe option is to use Docker certified and Docker Store packages.
Paid plans on Docker Hub offer a security scanning tool that checks for known vulnerabilities in images.
You can also use a trusted third-party registry with built-in scanning.

Unrestricted Access

What is the risk?
Attackers can often gain access to multiple containers once they’ve gained a foothold in the host. If a container can access the system file directory, it can undermine security enforcement. Attackers with root access to containers can sometimes gain root access to the host.

How to mitigate
Apply the principle of least privilege and eliminate root access where possible. For instance, you can enable the user namespace feature to provide separate user accounts for isolated containers to restrict movement between containers.

Host Kernel Vulnerabilities

What is the risk?
The kernel is exposed to the host and all containers, so kernel vulnerabilities are especially critical. If a container causes a kernel panic, it can take down the entire host.

How to mitigate
Ensure host operating systems are up to date and vigilantly apply security updates
Use a minimal operating system with hardened configuration
To prevent attackers from exploiting the kernel, you can leverage virtual machines (VMs), which require any attack to be routed through both the hypervisor and VM kernel to reach the host kernel.

Breaking Out of Containers

What is the risk?
While container breakouts are rare, they are not impossible. Attackers should not be able to access the host or other containers from a compromised container. Users are not namespaced by default, so if a process breaks out of a container, it maintains container host privileges. Root access in the container will become root access on the host—enabling privilege escalation.

How to mitigate
Never grant root access on the host to a container process. Containers should always run as non-root users. Refer to the Docker CIS Benchmark for additional ways to securely configure a Docker container to prevent container breakout.

6 Docker Container Security Best Practices

When using Docker containers, you should use the following practices to ensure maximum security.

1. Avoid Root Permissions

Running a Docker container with root permissions may be the easiest way to get it to function properly, as you don’t have to deal with complex permission management. However, there are few justifications for running containers as root in a production environment.

Docker containers don’t run as root by default, so you don’t have to change the default configuration, but you should avoid giving root permissions. When using Kubernetes, you can increase security by creating a pod security policy with the MustRunAsNonRoot directive—this explicitly blocks admins from starting containers with root privileges.

2. Use Secure Container Registries

Container registries allow you to download container images easily from a central repository, making them both convenient and potentially risky. For this reason, it is better to stick to trusted registries like Docker Trusted Registry. You should assess the security of any registry you use and install it behind a firewall to protect against web-based breaches.

Avoid letting anyone download or upload container images from your registry. Implement role-based access control (RBAC) to define which users can access what resources, and block all other access. It may be inconvenient to manage and configure access rules for new users, but this can help you prevent a registry breach.

3. Limit Resource Usage

Docker allows you to set resource quotas for each container, limiting its memory and CPU resource consumption. Resource quotas help keep the Docker environment efficient by preventing a single container from consuming too many system resources. They also enhance security by blocking attacks that seek to disrupt your services by hogging a large number of resources.

4. Scan Your Images

Keep your Docker images secure with regular vulnerability scans. It is important to scan all images when you download them and continue scanning them to reduce exposure. Periodic scanning allows you to keep your images updated and audit critical directories and files.

Related content: Read our guide to container security scanning

5. Build Your Networks and APIs for Security

Docker containers use networks and application programming interfaces (APIs) to communicate with each other. This communication allows containers to run properly but also requires proper monitoring and security policies. You should design these resources to facilitate monitoring and allow you to block breaches quickly.

6. Docker Container Monitoring

Monitoring is an essential part of any security strategy. In a containerized application, monitoring can be challenging, because of the large number of moving parts and the use of immutable components. Specialized container monitoring tools can help you gain visibility and achieve observability over containerized workloads.

Related content: Read our guide to Docker container monitoring

Docker Security with Calico

Calico Enterprise and Calico Cloud offer the following unique features for container and cloud-native security:

  • Microsegmentation across host/VMs/containers – Deploy a scalable, unified microsegmentation model for hosts, VMs, containers, pods, and services that works across all your environments.
  • Workload access controls – Securely and granularly control workload access between Kubernetes clusters and external resources like APIs and applications.
  • Intrusion detection and prevention (IDS/IPS) – Detect and mitigate Advanced Persistent Threats (APTs) using machine learning and a rule-based engine that enables active monitoring.
  • Firewall integration – The Calico Egress Gateway provides universal firewall integration, enabling Kubernetes resources to securely access endpoints behind a firewall. This allows you to extend your existing firewall manager and zone-based architecture to Kubernetes for cloud-native architecture.
  • Encryption – Calico utilizes WireGuard to implement data-in-transit encryption. WireGuard runs as a module inside the Linux kernel and provides better performance and lower CPU utilization than IPsec and OpenVPN tunneling protocols. Calico supports WireGuard for self-managed environments such as AWS, Azure, and Openshift, and managed services such as EKS and AKS.

Next Steps

Join our mailing list​

Get updates on blog posts, workshops, certification programs, new releases, and more!