Docker and Kubernetes Security: Principles & Practices

Security is a serious issue when it comes to Docker containers setup in a single host or a multi-host cluster environment with orchestration system tools like kubernetes. As per latest survey, more than 80% of Enterprises are using or planning to use Docker in their IT environments. So adoption of public cloud based Docker Container technologies growing rapidly due to huge cost saving while reducing time to market with Cloud Data Center Infrastructure footprints. 

Basic Fundamentals: Docker works with the below fundamental components.

cgroups (Control groups): It is a kernel feature to constrain the resource usage of a process or a set of processes. This provides Docker with 4 main features: Limit resources, Prioritize resources, Measure resource usage and control a group of processes.

Namespaces: Namespaces is a kernel feature that provides lightweight process virtualization to containers. This helps Docker to isolate these resources for a container – process IDs, hostnames, user IDs, network access, IPC and filesystems.  Namespaces allow to provide a "view" to the process that hides everything outside of those namespaces, thus giving it its own environment to run , processes can't see or interfere with other processes.

Docker images: These are read-only templates and each image consists of series of layers. Docker use union file system to combile layers into single image. Every image starts from base image.

Docker Host: Docker host is the server (host/machine) on which Docker daemon runs and a host can be Bare metal, VM image, ISO, image hosted on cloud etc. 

Docker Filesystem: Typical Linux system needs two filesystems: Boot file system(bootfs) and Root file system(rootfs). Docker users by default Another Unionfs (AUFS-copy on write file system).

Docker Container: Docker Containers launched from docker image. Container consists of OS, User-added files, Meta-data. When Docker container runs, it adds a read-write layer on top of the image.

Docker Daemon: The docker daemon(/usr/bin/docker) is responsible for managing the kernel functions(cgroups & orchestrating the namespaces).

Dockerfile: A configuration file with build instructions for Docker images. Dockerfiles provide a way to automate, reuse, and share build procedures.

Docker Store / Registry : Registry is a collection of repositories + indexes + access control rules + API used by Docker clients to obtain the images from their respectful repositories. Some of the popular container registries are Docker Hub, ECR , JFrog Artifactory and Google Container Registry or any other registry.

Secure Computing Mode (SECCOMP): It provides a facility to place filters on the system calls available to a user-defined process. When enabling seccomp the process enters a “secure mode” limited with very small number of system calls. 

AppArmor: It is a Mandatory Access Control (MAC) tool to restrict programs to a limited set of resources. Restriction policies are set in a simple text file to administer storage, networking, capabilities of a program.

Capabilities: This allows a thread/process to perform some privileged operation with a minimal set of capabilities but without assuming superuser permissions.

Container Security Best Practices 

Container Image Security: Images are the basic building blocks for containers which are downloadable from Docker hub/Registry or Developers can create their own images. Image Security includes image signing, vulnerability scanning and content trust. Developers must ensure image signing, verification, enable Content Trust and always run security checks as part of CI/CD. Developers should not reply on generic OS specific distribution images for production deployments. The best practice to consider only pull / run images from trusted container registries and signed images should be promoted into production registries. 

Container Run time Security & Monitoring: Docker Containers share the host OS kernel during runtime that makes exceptionally lightweight and very fast to start. Run-time security includes use SECCOMP to limit syscalls. Developers need to run containers as read-only as much as possible, use tools to monitor and do not put applications into default namespace. Everything a Docker container runs must be declared and included in the static container image.

Docker Host & Daemon Security: Docker security starts at the host layer and If the attackers are able to compromise the host OS then they could potentially compromise all processes on this OS including Docker. So the best practices is to protecting the host OS that needs to be patched time to time and all the software/plug-ins need to be up to date. Always use TLS if we must expose the Docker daemon via network socket 

Docker Network Security: This includes overlay networks, public cloud and encryption. For single node deployments, consider disabling inter-container communication (ICC) rules and whitelist communication explicitly. Use overlay networks to provide additional security and isolation for multi-node deployments. Do not rely on public cloud security rules like security groups to protect containers. Use best tools to get a centralized and abstracted view of container communication. 

Security across DevOps pipeline & DevOps Ecosystem: Users need to consider security across the entire DevOps Pipeline rather than only focus on the deployment of containers with Kubernetes. Developers can do continuous vulnerability detection and remediation in the DevOps pipeline by deploying plugins for CI/CD tools like Jenkins or Bamboo, or via REST APIs. All the developers, DevOps architects ensure that the vulnerability scanning and security assessment function is integrated with the organization’s continuous integration/continuous deployment (CI/CD) pipeline.

Kubernetes Security Principles and Best Practices:

Kubernetes Four Security Principles and Best Practices:

1) Authentication and Authorization: Securing access to the Kubernetes API server is one of the first priorities of a secure Kubernetes environment due to Kubernetes APIs are the central interfaces for adminis, users and applications. So controlling API access is the core task of authentication & authorization.There are various authentication methods in kubernetes like Client Certificate, Token based, HTTP based Authentication and Attribute Based Access Control (ABAC). It is essential to configure role-based access control (RBAC) for Docker container stack. We can also use Active Directory to manage the access and permission for applications across the organization. 

2) Resource Isolation: By default every container within a Kubernetes cluster may be reached by another container in the same cluster. Isolation layer not only prevents DDOS (denial-of-service attacks) but also provides privacy and data protection. The Kubernetes platform provides isolation mechanisms for a number of resource types like pods and namespaces. 

3) Network security: Could vendors use NACL ( Network Access control lists) & Security Groups in a single-tenant model So users can provide extra security features like Web Application Firewalls and API Gateways for their application. In a multi-tenant environment kuberentes can handle networking plugins like SDN, OVS (Open vSwitch).

4) Monitoring and auditing:

Datadog, Cloudwatch, ELK Stack: Continuously monitoring both our application logs and cluster logs using these type of tools. We can also leverage ELK stack (ElasticSearch, Logstash and Kibana).  

Kube-bench or OpenSCAP : Use similar kind of tools to checks whether Kubernetes is deployed securely by running the checks documented in the CIS Benchmark for Kubernetes.