Create a private registry with verified (signed) images to mitigate the
tampering, EoP and information disclosure threats.
Run minimal images to reduce the attack surface: the fewer binaries and
services present in a container, the less an attacker can use after gaining
a foothold. This mitigates the EoP threat.
Use read-only filesystems (--read-only) to mitigate the tampering threat, and
indirectly EoP, by preventing an attacker from storing malicious code in the
container.
Limit the system calls a container can make to reduce the kernel attack
surface. Use a seccomp profile to filter syscalls, and SELinux (or AppArmor)
for mandatory access control, to mitigate the EoP threat.
Restrict networking so that only explicitly linked containers can communicate,
reducing the attack surface. Start the Docker daemon with --icc=false and
--iptables=true so that inter-container traffic is denied unless a link
(or an explicit network rule) allows it.
Limit the memory and CPU allocated to a container (--memory, --cpus) to
prevent DoS attacks in which one container consumes all the resources and
stops other containers from running.
Drop kernel capabilities using the Docker CLI (--cap-drop, --cap-add) or the
equivalent JSON configuration file. Follow the principle of least privilege:
drop all capabilities and add back only those the workload needs, to
minimize the attack surface.
Do not run containers as root, except for systemd, to mitigate the EoP
threat.
Do not run a container with the --privileged flag (it grants all
capabilities and access to host devices) unless the workload genuinely
needs direct access to host hardware.
Use --security-opt instead of the --privileged flag to assign an appropriate
SELinux/AppArmor profile that limits permissions following the principle of
least privilege.
Enable encryption for communication between etcd and other services.
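The Docker items above read as a checklist, and the natural practitioner question is how to verify a running container against them. The following Python script is an added example, not code from the original page: it audits a `docker inspect` record for the privileged flag, read-only root filesystem, dropped capabilities, security profiles, non-root user, resource limits and host networking, and builds the `docker run` command line that would pass. The two inspect records embedded in it are constructed; the field names are those Docker actually emits, the values are invented. The hardened defaults it chooses (UID 65532, 256m memory, 0.5 CPU, image name example.com/app:1.0) are assumptions for the demonstration.

```python
"""Audit a container against the Docker hardening items listed above.

Added example, not from the original page. The field names below are the ones
`docker inspect <container>` emits (HostConfig.Privileged, ReadonlyRootfs,
CapDrop, CapAdd, SecurityOpt, Memory, NanoCpus, NetworkMode, Config.User);
the record values are invented for the demonstration.
"""
import json
import subprocess
import sys


def audit(record):
    """Return failed checks as (check_name, detail) tuples; [] means compliant."""
    hc = record.get("HostConfig") or {}
    cfg = record.get("Config") or {}
    findings = []

    # --privileged grants every capability plus all host devices.
    if hc.get("Privileged"):
        findings.append(("privileged", "runs with --privileged"))

    # A read-only root fs stops an attacker from dropping tools or persistence.
    if not hc.get("ReadonlyRootfs"):
        findings.append(("read-only-fs", "root filesystem is writable; use --read-only"))

    # Least privilege: drop everything, then add back only what is needed.
    cap_drop = set(hc.get("CapDrop") or [])
    cap_add = set(hc.get("CapAdd") or [])
    if "ALL" not in cap_drop:
        findings.append(("capabilities", "expected --cap-drop=ALL, got %s" % sorted(cap_drop)))
    if "SYS_ADMIN" in cap_add:
        findings.append(("capabilities", "CAP_SYS_ADMIN added back; nearly --privileged"))

    # seccomp/AppArmor/SELinux must stay on; setuid escalation should be blocked.
    sec = hc.get("SecurityOpt") or []
    if any(o.endswith("=unconfined") or o.endswith(":unconfined") for o in sec):
        findings.append(("mac-seccomp", "security profile disabled: %s" % sec))
    if not any(o.startswith("no-new-privileges") for o in sec):
        findings.append(("no-new-privileges", "add --security-opt=no-new-privileges"))

    # Config.User is "" when the image falls back to root.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append(("non-root", "process runs as root; set USER or --user"))

    # Docker reports 0 for Memory/NanoCpus when no limit was set.
    if not hc.get("Memory"):
        findings.append(("memory-limit", "no memory limit; use --memory"))
    if not hc.get("NanoCpus"):
        findings.append(("cpu-limit", "no CPU limit; use --cpus"))

    # Host networking bypasses --icc=false isolation entirely.
    if hc.get("NetworkMode") == "host":
        findings.append(("network", "uses --network=host"))
    return findings


def hardened_run_args(image, user="65532:65532", memory="256m", cpus="0.5",
                      seccomp_profile=None, extra_caps=()):
    """Build the `docker run` argv that satisfies audit() for the given image.
    Defaults (UID 65532, 256m, 0.5 CPU) are assumptions, not page values."""
    args = ["docker", "run", "--rm", "--read-only", "--cap-drop=ALL",
            "--security-opt=no-new-privileges", "--user=%s" % user,
            "--memory=%s" % memory, "--cpus=%s" % cpus]
    if seccomp_profile:  # without this, Docker's default seccomp profile applies
        args.append("--security-opt=seccomp=%s" % seccomp_profile)
    for cap in extra_caps:  # add back only the capabilities the workload needs
        args.append("--cap-add=%s" % cap)
    args.append(image)
    return args


# Constructed records: a carelessly started container and a hardened one.
BAD_RECORD = {
    "Config": {"User": ""},
    "HostConfig": {"Privileged": True, "ReadonlyRootfs": False, "CapDrop": None,
                   "CapAdd": None, "SecurityOpt": ["seccomp=unconfined"],
                   "Memory": 0, "NanoCpus": 0, "NetworkMode": "host"},
}
GOOD_RECORD = {
    "Config": {"User": "65532:65532"},
    "HostConfig": {"Privileged": False, "ReadonlyRootfs": True, "CapDrop": ["ALL"],
                   "CapAdd": ["NET_BIND_SERVICE"], "SecurityOpt": ["no-new-privileges"],
                   "Memory": 268435456, "NanoCpus": 500000000, "NetworkMode": "bridge"},
}


def main(argv):
    if len(argv) > 1:  # audit a live container: python audit.py <container>
        out = subprocess.check_output(["docker", "inspect", argv[1]])
        records = {argv[1]: json.loads(out)[0]}
    else:
        records = {"bad-constructed": BAD_RECORD, "good-constructed": GOOD_RECORD}
    for name, rec in records.items():
        findings = audit(rec)
        print("%s: %d finding(s)" % (name, len(findings)))
        for check, detail in findings:
            print("  [%s] %s" % (check, detail))
    print("hardened launch:", " ".join(
        hardened_run_args("example.com/app:1.0", extra_caps=["NET_BIND_SERVICE"])))


if __name__ == "__main__":
    main(sys.argv)
```

Run without arguments to audit the two constructed records; pass a container name to audit a live one through `docker inspect`. The check for `no-new-privileges` is deliberately strict: Docker applies a default seccomp and AppArmor profile even when SecurityOpt is empty, but nothing stops setuid escalation unless that option is set explicitly.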