Insecure container configuration |
- Be careful with volume mounts (Everything is a file: /proc)
- Running as root
- Privileged
|
|
Don't run as the root user |
- By default, Docker containers run as the root user and group.
- This can lead to issues where the root user can be used as part of a container breakout to the host.
|
- K8s Security Scan
- Use a SecurityContext
- Monitor K8s metadata
|
Don't run as privileged |
- Docker containers can optionally be run with the --privileged flag to give them additional access to the file system and the host machine. This is very dangerous and should be avoided in almost all circumstances.
|
- K8s Security Scan
- Monitor K8s metadata
|
Drop capabilities where possible |
- In addition to sudo, Linux has more fine-grained privileges that can be applied, called 'capabilities'.
- If they are not required, they can be dropped from a service, further reducing the scope of a service's abilities.
- This doesn't work with ambient capabilities
|
- Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within the container.
- It can add restrictions on a syscall-by-syscall basis.
- Unfortunately, the process of identifying the syscalls that a service needs is very manual and time-consuming, and prone to errors and changes as a service is updated.
- AppArmor
|
Read only filesystem where possible |
- A lot of services do not need to write to the filesystem in order to operate, for example if they simply process network requests and write their results to a database.
- In the event of a container compromise, making the filesystem read-only would prevent an attacker from downloading any tools or staging data in a temporary location in the container before extraction.
|
- Use a SecurityContext
- Monitor K8s metadata
|
Resource limits |
- Due to the risk of resource exhaustion, either from a malfunctioning service or from deliberate misuse, containers should be given resource limits so that they don't overwhelm the host system's resources.
|
- Apply resource limits
- Note: due to performance issues, it is not recommended to set a CPU limit, only a memory limit.
|
Use a SecurityContext |
- SecurityContexts can be used "to define privilege and access control settings for a pod or container"
|
- runAsUser, runAsGroup, runAsNonRoot, allowPrivilegeEscalation, capabilities, readOnlyRootFilesystem
|
Audit instrumentation |
|
- Go Audit / auditd / auditbeat
|
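
The SecurityContext fields and the memory-limit advice above can be checked mechanically before a manifest is deployed. The following is an added example, not code from the original page: `audit_pod` is a hypothetical helper that takes a Pod manifest already parsed into a dict, and both sample manifests are constructed for illustration.

```python
def audit_pod(pod):
    """Return findings for a Pod manifest already parsed into a dict."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Container-level settings override pod-level ones for these fields.
        get = lambda key: sc.get(key, pod_sc.get(key))
        issues = []
        uid = get("runAsUser")
        if uid == 0 or (uid is None and get("runAsNonRoot") is not True):
            issues.append("may run as root")
        if sc.get("privileged") is True:
            issues.append("privileged")
        if sc.get("allowPrivilegeEscalation") is not False:
            issues.append("allowPrivilegeEscalation not disabled")
        caps = sc.get("capabilities") or {}
        if "ALL" not in caps.get("drop", []):
            issues.append("capabilities not dropped")
        if sc.get("readOnlyRootFilesystem") is not True:
            issues.append("root filesystem writable")
        if (get("seccompProfile") or {}).get("type") in (None, "Unconfined"):
            issues.append("no seccomp profile")
        # Only the memory limit is checked, following the note on CPU limits.
        if not c.get("resources", {}).get("limits", {}).get("memory"):
            issues.append("no memory limit")
        findings += [f"{c.get('name', '?')}: {i}" for i in issues]
    return findings

# Constructed sample manifests (not from the page).
WEAK = {"spec": {"containers": [
    {"name": "api", "image": "example/api:1", "securityContext": {"privileged": True}}]}}
HARDENED = {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 10001, "runAsGroup": 10001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{
        "name": "api", "image": "example/api:1",
        "resources": {"limits": {"memory": "256Mi"}},
        "securityContext": {"allowPrivilegeEscalation": False,
                            "readOnlyRootFilesystem": True,
                            "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_pod(pod) or "no findings")
```
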