# Container Security Best Practices
## Image Security

### Scan for Vulnerabilities

```bash
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock aquasec/trivy image myapp:latest
# Critical vulnerabilities found
```

Mounting the Docker socket gives the scanner container full control of the daemon. On a shared CI runner, scan a saved tarball instead (`trivy image --input myapp.tar`) or scan the image straight from the registry, so the scanner needs no socket at all.
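A scan only helps if its result can fail the build. The following is an added example, not code from the page or from the Trivy project: it reads a Trivy JSON report (as written by `trivy image -f json -o report.json myapp:latest`), counts findings by severity, and returns a non-zero exit code when anything at or above a chosen severity remains. The embedded report and its CVE ids are constructed placeholders, not real advisories; the `fail_on` and `ignore_unfixed` policy knobs are this example's own.

```python
"""CI gate over a Trivy JSON report (added example, not from the page).

Assumes Trivy's documented JSON layout: Results[].Vulnerabilities[] with
VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity.
"""
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]
SEVERITY_RANK = {name: rank for rank, name in enumerate(SEVERITY_ORDER)}

# Constructed sample report; the CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "myapp:latest (debian 12.5)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother",
                 "InstalledVersion": "2.1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libplaceholder",
                 "InstalledVersion": "1.2", "FixedVersion": "1.3", "Severity": "LOW"},
            ],
        },
        # Trivy emits null instead of an empty list for a clean target.
        {"Target": "Python", "Vulnerabilities": None},
    ]
})


def load_findings(report_json):
    """Flatten a Trivy report into one dict per vulnerability, tagged with its target."""
    report = json.loads(report_json)
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "target": result.get("Target", ""),
                "id": vuln.get("VulnerabilityID", ""),
                "pkg": vuln.get("PkgName", ""),
                "installed": vuln.get("InstalledVersion", ""),
                "fixed": vuln.get("FixedVersion", ""),
                "severity": str(vuln.get("Severity", "UNKNOWN")).upper(),
            })
    return findings


def severity_counts(findings):
    """Number of findings per severity label."""
    return Counter(f["severity"] for f in findings)


def gate(findings, fail_on="HIGH", ignore_unfixed=False):
    """Return the findings that should block the build.

    fail_on: lowest severity that blocks.
    ignore_unfixed: skip findings with no FixedVersion (a common policy for
    distro packages where no patched build exists yet); they stay visible in
    the counts but do not fail the job.
    """
    threshold = SEVERITY_RANK[fail_on.upper()]
    blocking = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], 0) < threshold:
            continue
        if ignore_unfixed and not f["fixed"]:
            continue
        blocking.append(f)
    return blocking


def main(report_json=SAMPLE_REPORT):
    """Print a summary and return the exit code a CI job should use."""
    findings = load_findings(report_json)
    print("severity counts:", dict(severity_counts(findings)))
    blocking = gate(findings, fail_on="HIGH", ignore_unfixed=True)
    for f in blocking:
        print(f"BLOCK {f['severity']:8} {f['id']} {f['pkg']} "
              f"{f['installed']} -> {f['fixed'] or '(no fix)'} [{f['target']}]")
    return 1 if blocking else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it against a real report with `main(open("report.json").read())`. Keeping `ignore_unfixed` as an explicit flag matters: silently dropping unfixed findings hides exactly the CVEs that need a compensating control (network policy, seccomp, a different base image), so the counts are still printed even when they do not block.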
### Use Distroless Images

A distroless runtime image has no shell or package manager, so a compromised process has far less to work with. The build still needs the full toolchain, so do it in a separate stage:

```dockerfile
# Build stage: the full python:3.11 image has pip and compilers.
FROM python:3.11 AS builder
WORKDIR /build
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Runtime stage: no shell, no package manager; the -nonroot variant runs
# as an unprivileged user by default. The interpreter version must match
# the builder (3.11 here) or the copied packages will not load.
FROM gcr.io/distroless/python3-nonroot
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
# Distroless uses Debian's python3, which does not search
# /usr/local/lib/python3.11/site-packages on its own; point it there.
ENV PYTHONPATH=/usr/local/lib/python3.11/site-packages
COPY app.py /app.py
# Debian's python3 package provides `python3`, not a `python` alias.
ENTRYPOINT ["python3", "/app.py"]
```
### Sign Images

Sign the image after it has been scanned and verify the signature before it is admitted to the cluster. The key pair below is the one `cosign generate-key-pair` writes out:

```bash
cosign sign --key cosign.key myapp:latest
cosign verify --key cosign.pub myapp:latest
```

Sign by digest rather than by tag where you can: a tag can be moved to a different image after signing, a digest cannot.
## Kubernetes Pod Security

### SecurityContext

Pod-level settings apply to every container; container-level settings override them. The `emptyDir` mounted at `/tmp` is what lets the app keep a read-only root filesystem and still have a writable scratch directory.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1000
    fsGroup: 2000
    # Required by the Restricted Pod Security Standard.
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: myapp:latest
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop:
            - ALL
      volumeMounts:
        - name: tmp
          mountPath: /tmp
  volumes:
    - name: tmp
      emptyDir: {}
```
### Pod Security Standards

PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25. On current clusters the Pod Security Standards are enforced by the built-in Pod Security Admission controller, enabled per namespace with the `pod-security.kubernetes.io/enforce: restricted` label. The policy below is the legacy PSP form, kept for clusters that still run it:

```yaml
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: restricted
spec:
  privileged: false
  allowPrivilegeEscalation: false
  requiredDropCapabilities:
    - ALL
  volumes:
    - 'configMap'
    - 'emptyDir'
    - 'projected'
    - 'secret'
    - 'downwardAPI'
    - 'persistentVolumeClaim'
  runAsUser:
    rule: 'MustRunAsNonRoot'
```
## Network Security

### Network Policies

Once a pod is selected by a policy, only the listed traffic is allowed; everything else in the listed `policyTypes` is dropped.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: app-netpol
spec:
  podSelector:
    matchLabels:
      app: myapp
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              name: production
      ports:
        - protocol: TCP
          port: 8080
  egress:
    - to:
        - namespaceSelector:
            matchLabels:
              name: production
      ports:
        - protocol: TCP
          port: 5432
```

Two things to check before applying this. The selectors match on a `name: production` label that must actually exist on the namespace; since Kubernetes 1.21 every namespace automatically carries `kubernetes.io/metadata.name`, which is the safer key to match on. And because `Egress` is in `policyTypes`, DNS is blocked too: add an egress rule to the cluster DNS service (UDP and TCP port 53) or name resolution from the pod will fail.
## Runtime Security

### AppArmor/SELinux

```bash
# Check AppArmor status
aa-status
# Load profile (add -r to replace a profile that is already loaded)
apparmor_parser /etc/apparmor.d/docker-profile
```
### Resource Limits

Set on each container; a pod with no limits can exhaust the node's memory and CPU for everything else scheduled there.

```yaml
resources:
  requests:
    memory: "64Mi"
    cpu: "250m"
  limits:
    memory: "128Mi"
    cpu: "500m"
```
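The SecurityContext and Resource Limits sections above, and the checklist at the end of the page, are easiest to keep honest with an automated check. The following is an added example, not from the page or from Kubernetes: it walks a Pod manifest that has already been parsed into a dict (by `json` or a YAML loader) and lists which checklist items each container fails, following the Restricted Pod Security Standard's rules on privilege, capabilities and seccomp plus the page's limits requirement. Both manifests inside it are constructed samples; the first is the page's secure pod with a resources block added.

```python
"""Pod manifest policy check (added example, not from the page).

Each check corresponds to one item of the page's checklist or to a rule of
the Restricted Pod Security Standard. Manifests are plain dicts so the
example runs without a YAML library.
"""

# Constructed: the page's secure-pod with the page's resources block added.
SECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "secure-pod"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 2000,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "myapp:latest",
            "securityContext": {"allowPrivilegeEscalation": False,
                                "readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
            "resources": {"requests": {"memory": "64Mi", "cpu": "250m"},
                          "limits": {"memory": "128Mi", "cpu": "500m"}},
        }],
    },
}

# Constructed: a typical unhardened manifest.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "plain-pod"},
    "spec": {"containers": [{"name": "app", "image": "myapp:latest",
                             "securityContext": {"privileged": True}}]},
}


def _effective(pod_ctx, ctr_ctx, key):
    """A container-level securityContext field overrides the pod-level one."""
    if key in ctr_ctx:
        return ctr_ctx[key]
    return pod_ctx.get(key)


def check_container(pod_spec, container):
    """Return the list of checklist items this container fails (empty = compliant)."""
    pod_ctx = pod_spec.get("securityContext") or {}
    ctx = container.get("securityContext") or {}
    failures = []

    if ctx.get("privileged"):
        failures.append("privileged container")
    if _effective(pod_ctx, ctx, "runAsNonRoot") is not True:
        failures.append("runAsNonRoot not set")
    if _effective(pod_ctx, ctx, "runAsUser") == 0:
        failures.append("runs as UID 0")
    # Only settable per container; no pod-level fallback.
    if ctx.get("allowPrivilegeEscalation") is not False:
        failures.append("allowPrivilegeEscalation not false")
    if ctx.get("readOnlyRootFilesystem") is not True:
        failures.append("root filesystem writable")
    caps = ctx.get("capabilities") or {}
    if "ALL" not in (caps.get("drop") or []):
        failures.append("capabilities not dropped (drop: [ALL] missing)")
    # Restricted permits adding back NET_BIND_SERVICE only.
    extra = [c for c in (caps.get("add") or []) if c != "NET_BIND_SERVICE"]
    if extra:
        failures.append(f"adds capabilities {extra}")
    seccomp = _effective(pod_ctx, ctx, "seccompProfile") or {}
    if seccomp.get("type") not in ("RuntimeDefault", "Localhost"):
        failures.append("seccompProfile not RuntimeDefault/Localhost")
    limits = (container.get("resources") or {}).get("limits") or {}
    for res in ("cpu", "memory"):
        if res not in limits:
            failures.append(f"no {res} limit")
    return failures


def check_pod(pod):
    """Map each container (init containers included) to its failures."""
    spec = pod.get("spec") or {}
    containers = (spec.get("containers") or []) + (spec.get("initContainers") or [])
    return {c["name"]: check_container(spec, c) for c in containers}


def is_compliant(pod):
    return all(not failures for failures in check_pod(pod).values())


if __name__ == "__main__":
    for pod in (SECURE_POD, INSECURE_POD):
        name = pod["metadata"]["name"]
        for ctr, failures in check_pod(pod).items():
            status = "OK" if not failures else "FAIL: " + "; ".join(failures)
            print(f"{name}/{ctr}: {status}")
```

The checks deliberately test for the explicit value (`is not False`, `is not True`) rather than truthiness: a field that is simply absent inherits the runtime default, which for `allowPrivilegeEscalation` is true, so "not set" must count as a failure.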
## Supply Chain Security

- Signed images
- Verified base images
- SBOMs (Software Bill of Materials)
- Attestations
- Image provenance

## Security Checklist

- [ ] No root container
- [ ] Image scanned for vulnerabilities
- [ ] Secrets not in image
- [ ] Read-only filesystem
- [ ] Capabilities dropped
- [ ] Network policies enforced
- [ ] Resource limits set
- [ ] Pod security policies in place