Secure Docker

To secure Docker:

  • Create a private registry that serves only verified images to mitigate tampering, EoP and information disclosure threats.
  • Run minimal images: reducing the number of binaries and services inside a container shrinks its attack surface and mitigates the EoP threat.
  • Use read-only filesystems to mitigate the tampering threat and, indirectly, EoP, by preventing an attacker from storing malicious code inside the container.
  • Limit the kernel (system) calls a container can make to reduce its attack surface; use SELinux or seccomp to mitigate the EoP threat.
  • Restrict networking so that only linked containers can communicate, reducing the attack surface. Use the --icc=false and --iptables flags when starting the Docker daemon.
  • Limit the memory and CPU resources allocated to a container to prevent DoS attacks in which one container consumes all resources and stops the other containers from running.
  • Disable kernel capabilities using the Docker CLI or a JSON configuration file. Follow the principle of least privilege and enable only the functionality that is needed, to minimize the attack surface.
  • Do not run containers as root, except for systemd, to mitigate the EoP threat.
  • Do not run a container with the --privileged flag unless it needs access to host hardware.
  • Use --security-opt instead of the --privileged flag to assign an appropriate SELinux/AppArmor security profile that limits permissions, following the principle of least privilege.
  • Enable encryption for communication between etcd and other services.
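As an added example (not part of the original page), a POSIX shell wrapper that applies most of the controls above to a single `docker run`: the registry name, uid, seccomp profile path, network name and resource limits are constructed placeholders.

```shell
#!/bin/sh
# Start a container with the hardening controls from the list above.
# Registry name, uid, seccomp profile path, network name and limits are
# constructed placeholders; adjust them to the deployment.
# Daemon side (not shown here): start dockerd with --icc=false --iptables=true.
DOCKER="${DOCKER:-docker}"   # set DOCKER=echo for a dry run that prints the command

# Only images from the private, verified registry may be started (placeholder host).
is_private_image() {
    case "$1" in
        registry.internal/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Flags applied, in order:
#   --read-only / --tmpfs        immutable rootfs, scratch space without exec
#   --cap-drop / --cap-add       drop every capability, add back only what is needed
#   --security-opt               no setuid escalation, seccomp and AppArmor profiles
#   --user                       never root inside the container
#   --memory / --cpus / --pids   bound resources so one container cannot starve the rest
#   --network                    user-defined network so only peers on it can talk
hardened_run() {
    image="$1"; shift   # remaining arguments go to the container entrypoint
    if ! is_private_image "$image"; then
        echo "refusing image outside private registry: $image" >&2
        return 2
    fi
    "$DOCKER" run -d \
        --read-only \
        --tmpfs /tmp:rw,noexec,nosuid,size=64m \
        --cap-drop=ALL \
        --cap-add=NET_BIND_SERVICE \
        --security-opt no-new-privileges \
        --security-opt seccomp=/etc/docker/seccomp-app.json \
        --security-opt apparmor=docker-default \
        --user 10001:10001 \
        --memory 256m --memory-swap 256m \
        --cpus 0.5 --pids-limit 100 \
        --network app-net \
        "$image" "$@"
}

# Usage: hardened_run registry.internal/app:1.2 [entrypoint args]
```

The seccomp profile path must point at a real profile on the host; Docker applies its default profile when none is given, so drop that line rather than pointing it at a missing file.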