To secure Docker:
Create a private registry with verified images to mitigate tampering, elevation of privilege (EoP) and information disclosure threats.
Run minimal images to reduce the attack surface: the fewer binaries and services running in a container, the fewer ways there are to escalate privileges, which mitigates the EoP threat.
Use read-only filesystems to mitigate the tampering threat and, indirectly, EoP, by preventing an attacker from storing malicious code in containers.
Limit the kernel calls a container can make to reduce the attack surface. Use SELinux or seccomp to mitigate the EoP threat.
Restrict networking so only linked containers can communicate, reducing the attack surface. Use the --icc=false and --iptables flags when starting the Docker daemon.
Limit the memory and CPU resources allocated to a container to prevent DoS attacks where one container takes all the resources and stops other containers from running.
Disable kernel capabilities using the Docker CLI and JSON file. Follow the principle of least privilege and enable only the functionality you need to minimize the attack surface.
Do not run containers as root, except for systemd, to mitigate the EoP threat.
Do not run a container with the --privileged flag unless you need access to host hardware.
Use --security-opt instead of the --privileged flag to assign the appropriate SELinux/AppArmor security profile, limiting permissions following the principle of least privilege.
Enable encryption for communication between etcd and other services.
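The container-level recommendations above (read-only filesystem, non-root user, dropped capabilities, seccomp/AppArmor via --security-opt, memory and CPU limits) and the daemon-level ones (--icc=false, --iptables) can be assembled into one `docker run` invocation and one daemon.json, and the same settings can be audited from `docker inspect` output. The following is an added example, not code from the original page: the image name, UID, resource limits, seccomp profile path and the two inspect records are constructed values, and the audit covers only the fields named in the list above.

```python
"""Least-privilege `docker run` builder plus a `docker inspect` auditor
(added example; image, UID, limits, profile paths and records are assumptions)."""
import json


def daemon_json():
    """Daemon-level settings for /etc/docker/daemon.json: disable inter-container
    communication (--icc=false) and let Docker manage iptables (--iptables=true)."""
    return json.dumps({"icc": False, "iptables": True}, indent=2)


def hardened_run_cmd(image, name, user="10001:10001", memory="256m", cpus="0.5",
                     seccomp_profile="/etc/docker/seccomp-app.json"):
    """Return the argv for a hardened `docker run`. The UID, limits and the
    seccomp profile path are example values, not settings prescribed above."""
    return [
        "docker", "run", "-d", "--name", name,
        "--read-only",                                   # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=64m",     # scratch space without exec
        "--user", user,                                  # non-root UID:GID
        "--cap-drop", "ALL",                             # drop every kernel capability ...
        "--cap-add", "NET_BIND_SERVICE",                 # ... and re-add only what is needed
        "--security-opt", "no-new-privileges",           # block setuid/capability gains
        "--security-opt", f"seccomp={seccomp_profile}",  # restrict reachable syscalls
        "--security-opt", "apparmor=docker-default",     # MAC profile instead of --privileged
        "--memory", memory, "--cpus", cpus,              # resource limits against DoS
        "--pids-limit", "100",                           # bound fork storms
        image,
    ]


def audit_inspect(record):
    """Check one `docker inspect` record against the recommendations and
    return the list of findings (an empty list means nothing to report)."""
    host = record.get("HostConfig", {})
    cfg = record.get("Config", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("capabilities-not-dropped")
    if not host.get("Memory"):
        findings.append("no-memory-limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no-cpu-limit")
    user = (cfg.get("User") or "").split(":")[0]   # "uid:gid" or a name; empty means root
    if user in ("", "0", "root"):
        findings.append("runs-as-root")
    sec_opts = host.get("SecurityOpt") or []       # null when only defaults apply
    if "seccomp=unconfined" in sec_opts:
        findings.append("seccomp-disabled")
    if "apparmor=unconfined" in sec_opts:
        findings.append("apparmor-disabled")
    if not any(o.startswith("no-new-privileges") for o in sec_opts):
        findings.append("new-privileges-allowed")
    return findings


# Constructed sample records in the shape `docker inspect` prints, trimmed to the
# fields the audit reads. Not captured from a real host.
HARDENED = {
    "Config": {"User": "10001:10001"},
    "HostConfig": {
        "Privileged": False, "ReadonlyRootfs": True, "CapDrop": ["ALL"],
        "CapAdd": ["NET_BIND_SERVICE"], "Memory": 268435456, "NanoCpus": 500000000,
        "SecurityOpt": ["no-new-privileges", "seccomp=/etc/docker/seccomp-app.json",
                        "apparmor=docker-default"],
    },
}
WEAK = {
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True, "ReadonlyRootfs": False, "CapDrop": None,
        "Memory": 0, "NanoCpus": 0, "SecurityOpt": ["seccomp=unconfined"],
    },
}

if __name__ == "__main__":
    print(" ".join(hardened_run_cmd("registry.example.internal/app:1.0", "app")))
    print(daemon_json())
    print("hardened:", audit_inspect(HARDENED) or "clean")
    print("weak:", audit_inspect(WEAK))
```

In practice the audit runs over `docker inspect $(docker ps -q)` parsed as JSON; the constructed records stand in for that output so the logic can be exercised offline.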