Hey Devs and Container Ninjas!
Docker makes life easier, but let's face it, it also introduces a whole new set of security considerations. Whether you're spinning up side projects or running production clusters, security can't be an afterthought.
To help you stay safe without getting bogged down in docs, here's a clear, friendly Docker Security Checklist. Run through this list every time you build, deploy, or review your containers. Your future self (and your infra team) will thank you!
π Host & Docker Hygiene
- Keep your OS and Docker Engine updated.
- Patch your host OS and Docker regularly to prevent container escape exploits like Dirty COW or Leaky Vessels.
π Docker Daemon Safety
- Never expose the Docker socket (/var/run/docker.sock) to containers.
- Doing this is like giving containers root access to your machine.
- Don't expose the Docker daemon over TCP without TLS.
- If you must, secure it properly using certificates.
π€ Container User Practices
- Run containers as a non-root user.
- Use the -u flag, define a user in the Dockerfile, or enable user namespaces (--userns-remap).
- Avoid --privileged mode unless absolutely necessary.
- It grants all capabilities and bypasses most isolation features.
βοΈ Capability Management
- Drop all capabilities, then add only what's needed.
- Use --cap-drop ALL and selectively --cap-add what your app truly needs.
- In Kubernetes: Set capabilities in the securityContext.
π« Prevent Escalation
- Use --security-opt=no-new-privileges.
- This blocks containers from gaining more privileges via setuid/setgid binaries.
- In Kubernetes: Set allowPrivilegeEscalation: false.
π Network Isolation
- Avoid default inter-container communication.
- Use custom Docker networks for specific container groups.
- In Kubernetes: Apply Network Policies to control pod communication.
π‘ Security Modules
- Enable and enforce AppArmor, SELinux, or Seccomp profiles.
- Don't disable the default security profileβit's there for a reason!
π§ Resource Limits
- Set CPU and memory limits.
- Limit the number of file descriptors and processes.
- Control container restarts with restart policies.
- This prevents accidental (or malicious) resource hogging.
π Filesystem Best Practices
- Use read-only root filesystem (--read-only).
- Mount volumes as read-only (:ro).
- Use --tmpfs for writable temp directories.
π CI/CD Integration
- Scan images as part of your CI/CD pipeline.
- Use tools like Trivy, Snyk, or Clair to catch vulnerabilities early.
- Lint Dockerfiles and enforce best practices.
- Avoid ADD, pin versions, and never curl bash blindly.
π§Ύ Logging
- Keep Docker daemon log level at info.
- It captures useful operational data without being too noisy.
𧱠Rootless Docker (Advanced)
- Run Docker in rootless mode if possible.
- This drastically reduces the attack surface, especially on shared hosts.
π Secret Management
- Use Docker Secrets to handle sensitive data.
- Don't hardcode secrets in your images or environment variables.
- In Kubernetes: Use encrypted secrets and consider tools like Vault or Sealed Secrets.
π Supply Chain Security
- Use image signing and SBOMs (Software Bill of Materials).
- Store images in a trusted, private registry.
- Verify image provenance before deployment.
π§ͺ Bonus: Consider Podman
- Use Podman for a more secure, daemonless container runtime.
- It supports rootless containers out of the box and integrates well with SELinux.
Final Thoughts
Security isn't about doing everything perfectlyβit's about doing the basics consistently and reducing risk wherever you can. This checklist gives you a solid foundation for running containers securely, whether in development, staging, or production.
Feel free to bookmark this page or print it out as part of your deployment rituals.
Happy (and secure) containerizing! π³π