How soon we forget: Security in the age of Docker and Kubernetes
- Don't run binaries as root: that means a privileged user and higher risk. In a Docker image, use the RUN instruction to create a user, then use the USER instruction to make it the default user whenever the image is run as a container. For K8s, use the pod and container security context to force containers to run as non-root.
- Run containers with a read-only file system only. You should not need to write anything more than a temporary file or cache within a container.
- Terminating encryption (SSL/TLS) at the load balancer is another security risk. If you use a Kubernetes cluster, move TLS termination into the cluster and encrypt all traffic within the cluster.
- Protect your host CPU and memory against DDoS attacks by setting resource limits on your containers.
- Use Kubernetes network policies and pod security policies to control the capabilities of containers.
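
The non-root, read-only file system, resource-limit and capability points above can be combined in one pod spec. The manifest below is an added example, not taken from the original post; the pod name, image, UID and limit values are placeholders chosen for illustration.

```yaml
# Added example: name, image, UID and limit values are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: example-app                  # hypothetical name
spec:
  securityContext:                   # pod-level: applies to every container
    runAsNonRoot: true               # kubelet refuses to start a container that would run as UID 0
    runAsUser: 10001                 # assumed UID; should match the USER set in the image
    runAsGroup: 10001
  containers:
    - name: app
      image: registry.example.com/example-app:1.0   # placeholder image
      securityContext:               # container-level
        readOnlyRootFilesystem: true # root file system is mounted read-only
        capabilities:
          drop: ["ALL"]              # start with no Linux capabilities
      resources:
        requests:
          cpu: 100m
          memory: 128Mi
        limits:                      # caps what this container can take from the host
          cpu: 500m
          memory: 256Mi
      volumeMounts:
        - name: tmp
          mountPath: /tmp            # the only writable path, for temp files or cache
  volumes:
    - name: tmp
      emptyDir:
        sizeLimit: 64Mi              # bounds how much the container can write
```

With `readOnlyRootFilesystem: true`, any write outside `/tmp` fails, which quickly surfaces applications that write where they should not.
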