Hardening the security of your Docker environment
Last month I had the opportunity to attend an online training where the instructor provided insight into how we can improve the security of our Docker environments. I will be sharing a brief summary of the top 7 tips that were discussed during the training:
Do not install Docker on a full general-purpose operating system, especially when that OS exists only to host and run Docker. Instead, reduce the attack surface by using a minimal distro/OS such as Clear Linux Core or Ubuntu Core: fewer installed packages and services means fewer things an attacker who escapes a container can reach.
Keep every component of the host operating system where Docker is installed regularly updated, including the kernel, since all containers on the host share it.
There are known vulnerabilities in Docker itself and in container images, as well as in the host OS. These are published in vulnerability databases such as cvedetails.com. When you visit the site, search for Docker and check whether the version you are running (see the output of docker version) is affected by the exposure.
Containers SHOULD always run as an unprivileged (non-root) user. Even when elevated privileges are needed, there are ways to grant only what is required rather than running the whole container as root. (This point will probably warrant another post, as there are specialized ways of verifying and setting this up.)
Drop all capabilities for your Docker containers except the ones that are explicitly needed (follow the hyperlink to read more about capabilities in Linux environments).
In terms of network communication, turn off the default setting that lets all containers talk to each other, and allow it only between the specific containers that need access to each other.
Use the docker-bench-security tool to check that best practices are being followed, and make sure auditing is turned on for Docker actions.
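Tips 6 through 9 are all settings you apply either at container launch or in the daemon's configuration. The script below is an added example written for this post, not the trainer's or Docker's own code: a launch wrapper that starts a container as an unprivileged UID with every capability dropped (re-adding only the ones you name), a daemon.json fragment that disables inter-container communication on the default bridge, and a set of auditd watch rules for the Docker binaries, directories and socket. The default UID 65534, the HARDENED_* variable names and the output paths are this example's own assumptions; DOCKER is overridable so the wrapper can be exercised with DOCKER=echo on a machine without a daemon.

```shell
#!/bin/sh
# Hardened Docker launch and configuration helpers (added example for this
# post; not the trainer's or Docker's code). UID 65534, the HARDENED_*
# variable names and the file paths are assumptions of this example.
set -u

# DOCKER is overridable: DOCKER=echo prints the command instead of running it.
DOCKER="${DOCKER:-docker}"

# Tips 6 and 7: run as an unprivileged user with every capability dropped,
# re-adding only the capabilities listed in HARDENED_CAPS (space separated).
# --security-opt=no-new-privileges stops setuid binaries inside the image
# from handing the process root back after it has dropped to the low UID.
# Usage: hardened_docker_run IMAGE [CMD...]
hardened_docker_run() {
    _image="$1"; shift
    set -- "$_image" "$@"
    for _cap in ${HARDENED_CAPS:-}; do
        set -- "--cap-add=$_cap" "$@"
    done
    # Tip 8: containers that must reach each other are put on an explicit
    # user-defined network rather than relying on the shared default bridge.
    if [ -n "${HARDENED_NETWORK:-}" ]; then
        set -- "--network=$HARDENED_NETWORK" "$@"
    fi
    "$DOCKER" run --rm \
        --user "${HARDENED_UID:-65534}:${HARDENED_GID:-65534}" \
        --cap-drop=ALL \
        --security-opt=no-new-privileges \
        "$@"
}

# Tip 8: daemon-wide, disable inter-container communication on the default
# bridge (icc=false). Refuses to clobber an existing daemon.json, which may
# already carry other settings that have to be merged by hand. Restart the
# Docker daemon after writing it.
write_icc_off_config() {
    _path="${1:-/etc/docker/daemon.json}"
    if [ -e "$_path" ]; then
        echo "refusing to overwrite $_path; add \"icc\": false by hand" >&2
        return 1
    fi
    printf '{\n  "icc": false\n}\n' > "$_path"
}

# Tip 9: auditd watch rules for the Docker files and socket that
# docker-bench-security checks for. Load with augenrules --load (or reboot).
write_docker_audit_rules() {
    _path="${1:-/etc/audit/rules.d/docker.rules}"
    for _f in /usr/bin/dockerd /usr/bin/containerd /var/lib/docker \
              /etc/docker /etc/docker/daemon.json /var/run/docker.sock; do
        printf -- '-w %s -k docker\n' "$_f"
    done > "$_path"
}

# Command-line use: ./harden.sh IMAGE [CMD...]
if [ $# -gt 0 ]; then
    hardened_docker_run "$@"
fi
```

A web server that must bind port 80 as UID 65534 needs exactly one capability back, so it would be started with HARDENED_CAPS=NET_BIND_SERVICE; anything else it asks for is a signal to look at the image rather than to widen the allow-list. After writing the icc=false fragment, containers on the default bridge can no longer reach each other, so put the ones that do need to talk on a user-defined network created with docker network create and pass its name through HARDENED_NETWORK. Running docker-bench-security afterwards is the check that the daemon actually picked the settings up.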