Docker / Container Security
by mingwen yang
1. Containerized micro-services make traffic patterns between given pairs of Containers more tightly defined
2. It is easier and safer to deploy patches/upgrades in a containerized environment than in a traditional OS-on-VM environment
3. Security Controls
3.1. Linux "cgroups"
3.2. Use "namespaces" to isolate Containers from their Host OS
3.3. Restrict which Image Registry can be used
3.4. Docker Socket can be used to "escape" the Container
3.5. Restrict running Containers with the "--privileged" flag
3.6. Do not expose Docker remote REST API
3.7. Secure the Host OS
3.8. Use Istio for Access Control
3.9. Do not store secrets or API Keys in environment variables
3.10. Break privileges into capabilities
4. Security Tools
4.1. Security Assessment
4.1.1. Clair
4.1.2. Docker Bench
4.2. Security Enforcement
4.2.1. AppArmor
4.2.2. seccomp
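As an added example (not part of the outline above, and not Docker Bench's own code), a small audit that reads `docker inspect` JSON and flags the conditions named in 3.4 (Docker socket mounted), 3.5 (--privileged), 3.9 (secrets in environment variables) and 3.10 (capabilities not reduced), in the spirit of the assessment tools in 4.1. The sample inspect entry and the secret-name pattern are constructed for the example.

```python
import json
import re

# Constructed sample shaped like one entry of `docker inspect <container>` output;
# only the fields this audit reads are included, and the key value is fake.
SAMPLE_INSPECT = json.dumps([{
    "Name": "/payments-api",
    "Config": {"Env": ["PATH=/usr/bin", "AWS_SECRET_ACCESS_KEY=constructed-not-real",
                       "LOG_LEVEL=info"]},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock:rw"],
    },
}])

# Variable names that usually carry credentials (3.9); an assumption, tune for your environment.
SECRET_ENV_RE = re.compile(r"SECRET|PASSWORD|PASSWD|TOKEN|API_?KEY|PRIVATE_KEY", re.I)

def audit_container(entry: dict) -> list[str]:
    """Return findings for one `docker inspect` entry, tagged with the outline item."""
    findings = []
    host = entry.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged: container started with --privileged (3.5)")
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]          # host path is the first colon-separated field
        if src.rstrip("/").endswith("docker.sock"):
            findings.append(f"docker-socket: {src} is mounted into the container (3.4)")
    cap_add = host.get("CapAdd") or []
    cap_drop = host.get("CapDrop") or []
    if "ALL" in cap_add or "SYS_ADMIN" in cap_add:
        findings.append(f"capabilities: broad CapAdd {cap_add} (3.10)")
    if "ALL" not in cap_drop:
        findings.append("capabilities: default set kept; use --cap-drop=ALL and add back only what is needed (3.10)")
    for var in (entry.get("Config") or {}).get("Env") or []:
        name = var.split("=", 1)[0]
        if SECRET_ENV_RE.search(name):
            findings.append(f"env-secret: {name} looks like a credential in an environment variable (3.9)")
    return findings

def audit_inspect_json(text: str) -> dict[str, list[str]]:
    """Map container name -> findings for a whole `docker inspect` JSON document."""
    return {e.get("Name", "?").lstrip("/"): audit_container(e) for e in json.loads(text)}

if __name__ == "__main__":
    print(json.dumps(audit_inspect_json(SAMPLE_INSPECT), indent=2))
```

Feed it `docker inspect $(docker ps -q)` on a host to get one findings list per running container.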