Docker / Container Security

1. Containerized Micro-services makes traffic patterns between given pairs of Containers more tightly defined

2. It is easier and safer to deploy patches/upgrades in containerized environment than in traditional OS-on-VM environment

3. Security Controls

3.1. Linux "cgroups"

3.2. Use "namespaces" to isolate Contains and their Host OS

3.3. Restrict which Image Registry can be used

3.4. Docker Socket can be used to "escape" the Container

3.5. Restrict running Containers with "-privileged' flag

3.6. Do not expose Docker remote REST API

3.7. Secure the Host OS

3.8. Use Istio for Access Control

3.9. Do not store secrets or API Keys in environment variables

3.10. Break privileges into capabilities

4. Security Tools

4.1. Security Assessment

4.1.1. Clair

4.1.2. Docker Bench

4.2. Security Enforcement

4.2.1. App Armor

4.2.2. Secomp

5. Incomplete segregation between Containers and Host OS, comparing to VMs

6. Container Images may pack in Malicious Codes and/or Vulnerable Libraries

7. Persistent Storage lives beyond the Container it mounts on

7.1. Deleting a Container will not delete its mounted volumes

7.2. Volume mounted on one Container (deleted or not) can be mounted on another Container.

8. Docker Daemon requires root privileges to function