Key Takeaways
- Isolation is not perfect: A Docker container shares the kernel with the host. If the kernel has a bug, the container can be escaped.
- Scan your images: Don't just `docker pull node`. That image might contain malware. Use tools like Clair or Snyk.
- Kubernetes Secrets: Never store passwords in environment variables. Use K8s Secrets (and encrypt them effectively).
Modern apps are built on microservices packaged in containers. This makes them portable, but it also creates thousands of moving parts to secure.
Docker Security Basics
1. Don't run as Root: By default, processes inside Docker run as root. If a hacker breaks out of the container, they are root on your server. Always use `USER nonroot` in your Dockerfile.
2. Distroless Images: Use minimal images (like Alpine or Google Distroless) that don't even have a shell (`/bin/bash`). If a hacker gets in, they can't run commands because there is no terminal.
Kubernetes (K8s) Security
K8s orchestrates your containers. It is complex.
- RBAC (Role-Based Access Control): Ensure developers can only deploy to their namespace, not delete the production cluster.
- Network Policies: By default, all pods can talk to all pods. This is bad. Block all traffic and only allow the Web Pod to talk to the DB Pod.
The Supply Chain Attack
Hackers are uploading malicious images to Docker Hub that look like popular libraries. If you pull `pythn` instead of `python` (typo-squatting), you are installing a backdoor. Always verify the publisher.
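A pre-build check for two of the points above, the look-alike base image (`pythn` vs `python`) and the missing `USER` instruction. This is an added example, not code from the original page; the `TRUSTED` allowlist and the function names are hypothetical, and it assumes a base image runs as root unless the Dockerfile sets `USER` itself.

```python
import re

# Assumption: base images your team has vetted (constructed allowlist).
TRUSTED = {"python", "node", "alpine", "nginx", "postgres"}

def edit_distance(a, b):
    """Levenshtein distance between two short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def repo_name(ref):
    """Drop digest, tag and the implicit Docker Hub 'library/' prefix."""
    name = ref.split("@")[0]
    if ":" in name.rsplit("/", 1)[-1]:
        name = name.rsplit(":", 1)[0]
    for prefix in ("docker.io/", "library/"):
        if name.startswith(prefix):
            name = name[len(prefix):]
    return name.lower()

def lint_dockerfile(text, trusted=TRUSTED):
    """Return findings for look-alike base images and a root final stage."""
    findings, stages, user = [], set(), "root"
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(?i)FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", line)
        if m:
            name, user = repo_name(m.group(1)), "root"  # assume base image runs as root
            if name not in trusted | stages | {"scratch"}:
                near = sorted(t for t in trusted if edit_distance(name, t) <= 2)
                findings.append(f"possible typosquat of {near[0]}: {name}" if near
                                else f"unvetted base image: {name}")
            if m.group(2):
                stages.add(m.group(2).lower())
        m = re.match(r"(?i)USER\s+([^\s:]+)", line)
        if m:
            user = m.group(1)
    if user in ("root", "0"):
        findings.append("final stage runs as root")
    return findings

# Constructed sample input, not taken from a real project.
SAMPLE = """FROM pythn:3.12 AS build
RUN pip install --target /deps flask
FROM python:3.12-slim
COPY --from=build /deps /deps
CMD ["python", "-m", "flask", "run"]
"""
print(lint_dockerfile(SAMPLE))
```

Run it in CI before `docker build`; a name match only shows the image is on your allowlist, so pinning the reference by digest is still what guarantees you pull the content you vetted.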