Embedded Files
Introduction
Introduction
Do you know container security need doesn't stop if your K8s platform is secure. Similarly, if you made your container secure, it doesn't mean that your K8s application is secure. In fact, container security relies on host environment, container, CRI and deployment as a holistic view.
Laymen explanation
Laymen explanation
If you have worked on container, you know hat your container runs as sandbox. Do you think that you will not get affected due to any other malicious container running in the same machine? In reality, it is not true. Below document talks about this aspect.
Technical explanation
Technical explanation
Container technology has radically changed the way that applications are being developed and deployed. Notably, containers dramatically ease dependency management, so shipping new features or code is faster than ever before. While Docker containers and Kubernetes are great for DevOps, they also present new security challenges that both security practitioners and developers must understand and address with diligence.
Core safety nets
Core safety nets
Update CRI (Docker, rkt) - Referring above mentioned docker CVE, it is important to keep docker version updated
Deploy Only Trusted Docker Images
A malicious container can be loaded if an attacker has replaced the original image with the malicious one
So, it is important to allow containers from trusted sources only
Start With A Clean OS build
It helps to ensure that host machine is secure from boot
Scan the Image For Known Vulnerabilities
Non-core safety nets
Non-core safety nets
Network policy
Network policy
Use right network policy to avoid any unwanted access to container environment. Please refer herefor network policy support in Kubernetes.
Secure container secret
Secure container secret
Ensure that container secrets are safely provided to container. For example, backing to image or providing as ENV variable is not recommened. Refer here for detailed info
Secure API endpoints with HTTPS and certificates
Secure API endpoints with HTTPS and certificates
Client-Server communication should be secure
Disable access to docker server from within container
Disable access to docker server from within container
Unix socket (/var/run/docker.sock) is used by docker client to connect with Docker engine
Use SELinux to restrict containers to mount this unix socket inside container
Non-root user
Non-root user
A root user in container is root user in host machine
Refer above hacking example in the challenge section, container should run as non-root user.
Volume mounts
Volume mounts
For application containers with direct Internet exposure, it is important to be extra careful when mounting sensitive host directories (/etc/, /usr/). Any breach can lead to damaging data loss.
So, mount host-sensitive directories as read-only.
Mount propagation
Mount propagation
Mount propagation allows sharing volumes mounted by a Container to other Containers in the same Pod, or even to other Pods on the same node.
For example, HostToContainer mode allows that if the host mounts anything inside the volume mount, the Container will see it mounted there. Bidirectional allows both way (Host and container)This will allow security hack by reading data by unwanted container.
So, scan all containers and ensure that containers has been used properly.
Privileged containers
Privileged containers
Privileged containers can do almost anything a host can do. Note that it runs with all capabilities
So, use capabilities to grant fine-grained privileges instead.
Binding privileged ports
Binding privileged ports
By default, Docker allows binding privileged ports (<1024) to a container. A malicious container can redirect host traffic to within container.
It could be needed since a http server running as container will need to map port-80
So, Scan all containers and their port mappings. Allow port mapping only if needed.
Exposing ports
Exposing ports
A open port in the container increases attack surface.
Ensure that there are no unnecessary ports exposed.
Denial of service
Denial of service
A malicious container can take all CPU and memory by default.
To avoid DoS attack, limit the system resources (CPU, RAM, storage) available for a specific container.
Reference
Reference
https://ericchiang.github.io/post/containers-from-scratch/
https://www.stackrox.com/post/2017/08/hardening-docker-containers-and-hosts-against-vulnerabilities-a-security-toolkit/
https://coreos.com/os/docs/latest/hardening-guide.html
https://sites.google.com/site/jbsakabffoi12449ujkn/home/secure-the-digital-world/risk-with-root-user-in-container
https://www.secjuice.com/how-to-harden-docker-containers/
https://docs.docker.com/engine/security/non-events/
https://www.projectcalico.org
Page updated
Google Sites
Report abuse