If you are thinking of deploying applications in containers and using a container orchestration platform like Kubernetes, you must consider security. Smaller and simpler apps will reduce your development, testing, and maintenance costs – but security can be more challenging when compared with deploying in VMs.
A distributed system with multiple containers and endpoints all communicating with each other significantly increases the number of vulnerabilities. You must prioritize securing your entire container ecosystem to reduce your risk exposure.
Container Security Focus Areas
When securing containers, you should focus on the following.
- Container host security. The health of your containers depends on the strength of security in your central host system. You must prioritize securing the container host.
- Container management security. Container security also depends on your container ecosystem, including logging, load balancing, testing, and monitoring systems. You must secure your whole container management stack.
- Network traffic security. Distributed systems increase traffic flow across the network of containers. You must secure this traffic flow.
- Application security. The applications you deploy in containers expose more endpoints than applications in VMs, making them more vulnerable. You must secure your applications against Layer 7 threats.
- User Security. You must identify and block malicious user behavior in your application.
- Secure Application Architecture. While we won’t detail this in this article, you should follow best practices for designing and coding secure apps.
- Secure Build Pipeline. Your build pipeline for automatically deploying code can also expose security flaws. You must audit your pipeline and address any vulnerabilities.
Container Security Challenges
Maintaining security in a container deployment can be difficult because of the following challenges.
- Open source code. Open source code is convenient, but it poses a security threat if left unchecked.
- Fast development. Organizations that prioritize fast development and delivery often do so at the expense of proper security procedures.
- Diverse tools. Teams using more tools and services face growing complexity in keeping everything patched and updated.
- Unclear responsibilities. Organizations deploying containerized apps in multiple cloud environments with different owners face confusion over who is responsible for maintaining security through development, testing, and production.
To overcome these challenges and enforce security on containerized apps in Kubernetes, DevOps teams must also prepare for additional complexity and time-consuming planning and execution. This guide will help you navigate through this complexity and help you secure your container environment faster.
Write Clean Code
It should perhaps go without saying that any application's security depends on the security of the code itself.
Teams building and deploying containerized applications fast often compromise code quality and security by using unchecked open-source software and third-party tools.
Keep Secrets Secret
You cannot afford to expose your organization’s secrets. To keep your secrets secret, avoid writing secrets into the code or in a config file pushed into a repository.
You can use tools like Git Secrets to prevent you from committing passwords and other sensitive information to a Git repository.
Store sensitive information in a secure location, such as a dedicated Secrets Manager. Rotate your secrets to add extra anonymity. Configure applications to call the Secrets Manager and access secrets only when needed, without the applications knowing the details of secret information.
Secure Your Pipeline
Secure containers and thorough testing count for little if your pipeline is not secure. Follow these guidelines to secure your pipeline.
- Enforce access control to limit the people and applications that can change anything in your pipeline configuration and process.
- Use the principle of least privilege to ensure you limit access as much as possible.
- Use infrastructure as code (IaC) to automate container security on deployment. This helps prevent human error or malicious behavior.
- Scan your IaC templates before deploying to identify unexpected configuration changes.
Use Hardened Container Images
Container images are not secure enough for our purposes without first going through a hardening process. You should only use hardened container images as base templates for application development.
Hardening helps limit the potential for weaknesses and vulnerabilities to spread throughout your development and deployment processes. By building pipelines with hardened images, you provide all your internal teams with standardized base images that are already secure.
Hardening a Docker image involves:
- scanning it for vulnerabilities
- building a new image with additional mitigating protections
- using that version as the base for your application.
You can simplify the hardening process by using hardened images for container operating systems from organizations like the Center for Internet Security (CIS). However, you should still validate these pre-hardened images and scan them continuously for any vulnerabilities that might have entered the code.
You can continue to scan your hardened base images while you build for additional insights into the current status of your container security. Continuous scanning helps you to identify and fix any new vulnerabilities early.
A reoccurring theme — the earlier you catch a potential problem, the better.
Secure Public Images
Many DevOps teams find it convenient to use existing container images from public sources such as Docker Hub because this is faster than creating new images internally. Public sources can include container images for nearly every operating system and platform, and for many common use cases. However, the majority of public sourced containers are insecure and present a risk to the security of your container ecosystem.
For example, Docker Hub does not scan container images for vulnerabilities nor does it validate their security in any way.
To ensure that your organization only uses secure images:
- Pull images only from trusted sources
- Scan and validate their security
- Store them in your secure private repository
- Enforce access control to limit repository access to those team members who need it
- Do not run your container images as root, otherwise, anyone with access can do anything they want.
These principles apply to securing your artifacts as well as your containers. Store them in a secure private repository and only use packages validated by the security team.
Test Containers Throughout Your Pipeline
Continuously test the security of your containers and applications throughout your pipeline because they are the foundation for your code and deployment.
- Scan your container images to identify software vulnerabilities and images that have not been maintained well.
- Use static application security testing (SAST) tools to analyze source code or compiled code.
- Use dynamic application security testing (DAST) tools to auto-scan web applications from the outside to identify vulnerabilities such as SQL injection, command injection, or insecure server configuration. You will usually perform DAST after deploying your application to a staging environment.
Ensure Observability In Production
Monitoring container security in production is one of the most significant challenges to ensuring the security of your container ecosystem.
Security teams can find it difficult to monitor containers and track changes because:
- Containers are ephemeral – meaning they are created and destroyed quickly with no permanence. Complex systems with high churn make the challenge even bigger.
- Containers share resources such as memory and CPU across one or more hosts. This makes it challenging to monitor resource consumption on the physical host and track container performance or application health accurately.
Use appropriate tooling to ensure full observability of your container deployment in production. Choose a solution that has:
- Native support for containers and your preferred orchestration platform, such as Kubernetes
- Native service discovery and the ability to collect data from newly created containers automatically
- A model than understands the structure of containers and clusters
- Support for multiple clouds, platforms, and other backend infrastructure
- Layer 7 monitoring and health checks
- API for triggering automation in response to errors and alerts.
Securing your containers and platforms such as Kubernetes can be complex. However, with the correct procedures and tooling, you can reduce your exposure to risk significantly.
A secure container ecosystem is well worth the effort because it will provide a firm foundation allowing you to take advantage of the opportunities presented by containers and Kubernetes without compromise.