A little bit of background:
Container security can be split into two areas: container images and the container runtime.
- Container images are static blueprints or templates used to generate containers. An image includes the application, its libraries, and all dependencies required to run it.
- The container runtime, on the other hand, refers to running the actual container on a platform such as Kubernetes.
Now that this distinction is clarified, let’s start with the first best practice to optimize your container security.
Best practice 1: Check your container ‘image security’
The base image is the first line of defense in container security. Choose trusted, minimal base images for your containers, for instance the official images offered by Ubuntu, Debian, etc. These images receive regular updates and patches, and a minimal base image contains only what is needed to run your application and nothing else. Fewer components mean fewer vulnerabilities, which helps keep your container security on point.
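A check like the following turns this advice into something a build pipeline can enforce. It is an added example, not code from the original post: it reads a Dockerfile, extracts every base image a stage pulls, and flags images that are not from a trusted source, are unpinned or use the `latest` tag, or are not a minimal variant. The trusted set (official Debian and Ubuntu images plus an internal registry `registry.internal.example/`), both sample Dockerfiles, and the digest placeholder are constructed assumptions for this example.

```python
import re

# Assumptions for this example: official Debian and Ubuntu images (the post's
# examples of trusted bases) plus one internal registry are the trusted sources.
TRUSTED_OFFICIAL_IMAGES = {"debian", "ubuntu"}
TRUSTED_REGISTRY_PREFIX = "registry.internal.example/"
NON_MINIMAL_HINT = {"debian": "debian:<release>-slim"}  # minimal variant to prefer

FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)


def parse_reference(ref):
    """Split an image reference into (name, tag, digest); missing parts are None."""
    name, _, digest = ref.partition("@")
    last = name.rsplit("/", 1)[-1]  # a tag colon can only be in the final path segment
    tag = None
    if ":" in last:
        repo, tag = last.split(":", 1)
        name = name[: len(name) - len(last)] + repo
    return name, tag, (digest or None)


def check_dockerfile(text):
    """Return a list of (line_no, finding) for every base image a Dockerfile pulls."""
    findings = []
    aliases = set()
    for line_no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        if ref in aliases:  # `FROM build` reuses an earlier stage; nothing is pulled
            continue
        if m.group("alias"):
            aliases.add(m.group("alias"))
        name, tag, digest = parse_reference(ref)
        trusted = name in TRUSTED_OFFICIAL_IMAGES or name.startswith(TRUSTED_REGISTRY_PREFIX)
        if not trusted:
            findings.append((line_no, f"{ref}: base image is not from a trusted source"))
        if tag in (None, "latest") and digest is None:
            findings.append((line_no, f"{ref}: not pinned (no tag or 'latest'); builds are not reproducible"))
        elif digest is None:
            findings.append((line_no, f"{ref}: pinned by tag only; tags can be moved, prefer a digest"))
        if name in NON_MINIMAL_HINT and tag and "slim" not in tag:
            findings.append((line_no, f"{ref}: not a minimal variant, consider {NON_MINIMAL_HINT[name]}"))
    return findings


# Constructed sample Dockerfiles: one that ignores the advice, one that follows it.
WEAK_DOCKERFILE = """\
FROM randomuser/python-base:latest
RUN pip install -r /app/requirements.txt
CMD ["python3", "/app/main.py"]
"""

# Placeholder, not a real digest: in practice copy the sha256 shown by your registry.
PLACEHOLDER_DIGEST = "sha256:PLACEHOLDER_DIGEST_COPY_FROM_YOUR_REGISTRY"
HARDENED_DOCKERFILE = f"""\
FROM debian:12-slim@{PLACEHOLDER_DIGEST} AS build
RUN apt-get update && apt-get install -y --no-install-recommends build-essential
COPY . /src
RUN make -C /src
FROM debian:12-slim@{PLACEHOLDER_DIGEST}
COPY --from=build /src/app /usr/local/bin/app
CMD ["/usr/local/bin/app"]
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_DOCKERFILE), ("hardened", HARDENED_DOCKERFILE)):
        findings = check_dockerfile(text)
        print(f"{label}: {len(findings)} finding(s)")
        for line_no, finding in findings:
            print(f"  line {line_no}: {finding}")
```

Run it against a repository's Dockerfiles in CI and fail the build on any finding; the multi-stage hardened example shows that both the build stage and the final stage pull from a pinned, minimal, trusted base.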
Best practice 2: Scan images in your CI/CD Pipelines
To ensure the security of container images, integrate vulnerability scanning into your Continuous Integration / Continuous Deployment (CI/CD) pipeline. This process enables early detection of potential vulnerabilities in your container images during the build phase, reducing the likelihood of deploying insecure containers. Tools like Clair, Trivy, and Docker's native scanner provide image-scanning capabilities that identify security flaws within the image layers and dependencies.
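The gate below shows what "fail the build on findings" looks like in practice. It is an added example, not from the original post or from any scanner project: it flattens a vulnerability report, counts findings per severity, and fails the pipeline when anything at or above a chosen severity remains that has not been explicitly accepted. The embedded report is constructed; its layout mirrors the top-level shape of a Trivy JSON report (`Results[]` with `Vulnerabilities[]` carrying `Severity` and `FixedVersion`), and the image name, packages and CVE identifiers are placeholders.

```python
import json
from collections import Counter

SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed report. The layout follows the top-level shape of a Trivy JSON report
# (Results[] -> Vulnerabilities[]), but the image, packages and CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.example.invalid/shop/api:1.4.2",
    "Results": [
        {"Target": "registry.example.invalid/shop/api:1.4.2 (debian 12.5)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libother0",
              "InstalledVersion": "2.3", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libthird",
              "InstalledVersion": "0.9", "FixedVersion": "0.9.1", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "examplepkg",
              "InstalledVersion": "3.1.0", "FixedVersion": "3.1.1", "Severity": "HIGH"}]},
    ],
})


def _rank(severity):
    """Position of a severity in SEVERITY_ORDER; anything unexpected ranks as UNKNOWN."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def load_findings(report_json):
    """Flatten Results[].Vulnerabilities[] into one list, tagging each finding with its target."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({**vuln, "Target": result.get("Target", "")})
    return findings


def gate(report_json, fail_on="HIGH", accepted_ids=frozenset(), fixed_only=False):
    """Decide whether the build may proceed.

    fail_on:      lowest severity that blocks the pipeline ("HIGH" blocks HIGH and CRITICAL).
    accepted_ids: findings consciously accepted after a risk review (time-box these in real use).
    fixed_only:   when True, block only on findings that a package or base-image update can fix.
    Returns (passed, blocking_findings, counts_by_severity).
    """
    findings = load_findings(report_json)
    counts = Counter(f.get("Severity", "UNKNOWN") for f in findings)
    blocking = []
    for f in findings:
        if _rank(f.get("Severity", "UNKNOWN")) < _rank(fail_on):
            continue
        if f["VulnerabilityID"] in accepted_ids:
            continue
        if fixed_only and not f.get("FixedVersion"):
            continue
        blocking.append(f)
    return not blocking, blocking, dict(counts)


if __name__ == "__main__":
    passed, blocking, counts = gate(SAMPLE_REPORT)
    print("findings by severity:", counts)
    for f in blocking:
        fix = f["FixedVersion"] or "no fix available yet"
        print(f"BLOCK {f['Severity']:<8} {f['VulnerabilityID']} {f['PkgName']} "
              f"{f['InstalledVersion']} -> {fix} [{f['Target']}]")
    raise SystemExit(0 if passed else 1)
```

In a pipeline you would feed the scanner's JSON output into `gate()` and use the exit status as the build result. The `fixed_only` switch reflects a common policy of blocking only on findings that a base-image or package update can actually fix, while unfixable ones are tracked separately rather than silently ignored.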
Best practice 3: Choose your container registry
A container registry is a repository that stores your container images. Although plenty of different registries are available, we recommend using one with built-in security features. Azure Container Registry, for instance, offers features to automatically scan images for vulnerabilities, to deploy images, and to build and patch them. It also provides private access and network isolation. You can use these features when connecting Azure Container Registry to a service such as Azure Kubernetes Service.
Best practice 4: Secure the container runtime
Container image security focuses on the build phase. Runtime security involves securing containers when they are, you guessed it, running: it consists of monitoring a running container's behavior and detecting and responding to anomalous activity that may indicate an attack.
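The following sketch shows the detection side of runtime security on constructed data. It is an added example, not code from the original post or any runtime-security product: each record stands for a process-start event inside a container as a runtime sensor might emit it, the per-image baselines of expected executables, the list of always-suspicious binaries and the response runbook are assumptions, and `classify()` turns deviations from the baseline into alerts with a suggested response.

```python
import json

# Assumption: the expected executables per image come from observing the image in a
# test environment (a learned baseline) and have been reviewed by the owning team.
BASELINE = {
    "shop/api:1.4.2": {"/usr/local/bin/app"},
    "shop/worker:2.0.0": {"/usr/local/bin/worker", "/usr/bin/python3"},
}

# Binaries that have no business starting in a production container, baseline or not.
ALWAYS_SUSPICIOUS = {"/bin/sh", "/bin/bash", "/usr/bin/curl", "/usr/bin/wget",
                     "/usr/bin/apt-get", "/usr/bin/apk", "/usr/bin/pip"}

# What the on-call runbook says to do per severity (assumed for this example).
RESPONSE = {"high": "isolate the container and page on-call",
            "medium": "open a ticket; review the baseline or the image"}

# Constructed process-start events, one JSON object per line, as a sensor might emit them.
SAMPLE_EVENT_LOG = """\
{"ts": "2024-05-01T10:00:01Z", "container": "api-7f9c", "image": "shop/api:1.4.2", "exe": "/usr/local/bin/app", "parent": "/sbin/docker-init"}
{"ts": "2024-05-01T10:04:12Z", "container": "api-7f9c", "image": "shop/api:1.4.2", "exe": "/bin/sh", "parent": "/usr/local/bin/app"}
{"ts": "2024-05-01T10:04:13Z", "container": "api-7f9c", "image": "shop/api:1.4.2", "exe": "/usr/bin/curl", "parent": "/bin/sh"}
{"ts": "2024-05-01T10:05:00Z", "container": "worker-1a2b", "image": "shop/worker:2.0.0", "exe": "/usr/bin/python3", "parent": "/usr/local/bin/worker"}
{"ts": "2024-05-01T10:06:30Z", "container": "cron-9e8d", "image": "shop/cron:0.3.1", "exe": "/usr/bin/python3", "parent": "/sbin/docker-init"}
"""


def classify(event):
    """Return (severity, reason) for one process-start event, or None when it is expected."""
    exe, image = event["exe"], event["image"]
    if exe in ALWAYS_SUSPICIOUS:
        return "high", f"{exe} started in container (parent {event['parent']})"
    expected = BASELINE.get(image)
    if expected is None:
        return "medium", f"no baseline for image {image}; cannot judge {exe}"
    if exe not in expected:
        return "medium", f"{exe} is not in the baseline for {image}"
    return None


def detect(event_log):
    """Parse JSON-lines events and return alerts in log order, each with a suggested response."""
    alerts = []
    for line in event_log.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        verdict = classify(event)
        if verdict is None:
            continue
        severity, reason = verdict
        alerts.append({"ts": event["ts"], "container": event["container"],
                       "severity": severity, "reason": reason, "response": RESPONSE[severity]})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENT_LOG):
        print(f"{a['ts']} [{a['severity'].upper()}] {a['container']}: {a['reason']} -> {a['response']}")
```

The two high-severity alerts come from the same container within a second of each other (a shell spawned by the application, then a download tool spawned by that shell), which is the kind of behavioral chain a runtime monitor exists to catch; the medium alert shows that an image without a baseline is itself a finding, since you cannot judge what you have not profiled.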
Best practice 5: Use container orchestration technology
In complex environments, orchestration tools like Kubernetes are essential. Kubernetes manages the lifecycle of containers, from deployment to scaling and networking. Azure Kubernetes Service (AKS) is our suggested solution on Microsoft Azure. A crucial part of AKS security is configuring Pod Security Admission (PSA).
Pod Security Admission is a built-in admission controller in Kubernetes that evaluates pod specifications against a predefined set of Pod Security Standards and decides whether to admit or deny the pod. It can enforce the standards, warn, and generate audit events for pods that violate a security profile, and it applies these rules to the pods in a namespace. The Kubernetes Pod Security Standards define different isolation levels for pods, so you can restrict pod behavior in a clear, consistent fashion. The built-in Pod Security admission controller that enforces these standards is available from Kubernetes 1.23.
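To make the enforce/warn/audit modes and the isolation levels concrete, here is a simplified model of what Pod Security Admission does, written as an added example rather than the Kubernetes implementation. The namespace label keys (`pod-security.kubernetes.io/enforce`, `.../warn`, `.../audit`, `.../enforce-version`) and the individual rules are taken from the Pod Security Standards, but only a subset of the Baseline and Restricted rules is modelled, and the two sample pods and their image names are constructed.

```python
PSA_PREFIX = "pod-security.kubernetes.io/"
LEVELS = ("privileged", "baseline", "restricted")


def _containers(pod):
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def baseline_violations(pod):
    """Subset of the Baseline standard: no host namespaces, no privileged containers."""
    spec = pod.get("spec", {})
    problems = [f"spec.{field} must not be true"
                for field in ("hostNetwork", "hostPID", "hostIPC") if spec.get(field)]
    for c in _containers(pod):
        if c.get("securityContext", {}).get("privileged"):
            problems.append(f"container {c['name']}: privileged must not be true")
    return problems


def restricted_violations(pod):
    """Subset of the Restricted standard, which includes everything in Baseline."""
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    problems = baseline_violations(pod)
    for c in _containers(pod):
        name, sc = c["name"], c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("allowPrivilegeEscalation") is not False:
            problems.append(f"container {name}: allowPrivilegeEscalation must be false")
        if "ALL" not in caps.get("drop", []):
            problems.append(f"container {name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            problems.append(f"container {name}: capabilities.add may only contain NET_BIND_SERVICE")
        # runAsNonRoot and seccompProfile may be set at pod level; a container-level value overrides
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            problems.append(f"container {name}: runAsNonRoot must be true")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            problems.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return problems


CHECKS = {"privileged": lambda pod: [], "baseline": baseline_violations,
          "restricted": restricted_violations}


def evaluate_admission(namespace_labels, pod):
    """Model what PSA does with `pod` in a namespace carrying `namespace_labels`.

    enforce -> reject the pod, warn -> return user-facing warnings, audit -> record
    an audit entry. A mode whose label is missing defaults to 'privileged' (no checks).
    """
    result = {"admitted": True, "violations": [], "warnings": [], "audit": []}
    for mode in ("enforce", "warn", "audit"):
        level = namespace_labels.get(PSA_PREFIX + mode, "privileged")
        if level not in LEVELS:
            raise ValueError(f"unknown Pod Security level {level!r} for {mode}")
        found = CHECKS[level](pod)
        if mode == "enforce":
            result["admitted"] = not found
            result["violations"] = found
        elif mode == "warn":
            result["warnings"] = found
        else:
            result["audit"] = found
    return result


# Constructed sample: namespace labels that enforce, warn and audit at the Restricted level.
RESTRICTED_NAMESPACE_LABELS = {
    PSA_PREFIX + "enforce": "restricted", PSA_PREFIX + "enforce-version": "latest",
    PSA_PREFIX + "warn": "restricted", PSA_PREFIX + "audit": "restricted",
}

# Constructed sample pods, in the parsed form of a pod manifest.
LAX_POD = {
    "metadata": {"name": "lax"},
    "spec": {"hostNetwork": True,
             "containers": [{"name": "app", "image": "registry.example.invalid/app:1.0"}]},
}
HARDENED_POD = {
    "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "app", "image": "registry.example.invalid/app:1.0",
            "securityContext": {"allowPrivilegeEscalation": False, "capabilities": {"drop": ["ALL"]}},
        }],
    },
}

if __name__ == "__main__":
    for pod in (LAX_POD, HARDENED_POD):
        verdict = evaluate_admission(RESTRICTED_NAMESPACE_LABELS, pod)
        print(pod["metadata"]["name"], "admitted" if verdict["admitted"] else "DENIED")
        for v in verdict["violations"]:
            print("  -", v)
```

The usual path to the stricter profile is to label a namespace with `enforce: baseline` and `warn: restricted` first, then move `enforce` to `restricted` once the warnings are gone, so existing workloads are not broken by the change.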
Takeaway:
The best practices above will help you to be better secured: every best practice contributes to a more secure containerized solution. While getting your security to an optimal level remains a challenge, being aware of possible attack options early on is one of the most important first steps.