6 Security Tips When Using Containers

According to the official docker page, the definition of a container is:

“A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another”

In other words, you run your application in an isolated box and it can be replicated in different places and replicated many times you need (a.k.a scaling horizontally).

Container avoids to expose your infrastructure and sensitive configurations because if your application was hacked, in theory, you are protected. After all, the hacker can’t access other containers either your host server.”

However, when you only use containers for your infrastructure it’s not 100% safe from external invasion. Here are some rules to follow when using containers in your projects:

 1. Audit external base images

When we use docker images to host javascript applications most of us use node.js from Docker Hub, but can you imagine if someone releases a new update with something that might impact the security of your project? In order to avoid this, you can use a private repositories like AWS ECR, Azure Docker Registry, or Github Registry, instead of consuming from Docker Hub all applications will consume a trustable base image.

 2. Avoid using ROOT commands

By using a docker like Linux OS, you can run some commands using sudo or login as a root user, both of these ways are going to grant you super admin privileges. This way, the attacker can access your host or compromise your infrastructure.

3. Update your images and Host server

Don’t forget to update your docker images. In your Host OS, it’s quite common for all tools to release security patches, it’s important to have this be part of your routine in order to keep your environment safe.

4. Configure quotas

When you are handling Kubernetes, Docker-compose, or Docker-swarm, there are some options you can configure in your YAML manifest, to define resource quotas, like, the limit for specific container consumption of memory or CPU. If you don’t define this and you have a memory leak problem, it will impact all environments (in this scenario, all applications are being hosted in the same host server)

 5. Monitor your network traffic

Using a microservices architecture is pretty common for each application in order to send a HTTP requests. Make sure that all application are using an internal network instead of using an internet network to communicate with each other. In case you need to receive an external request, use an api gateway to validate it, don’t trust anything that comes from internet.

 6. Scan your images

There are tools to help sys admin and developers to check for vulnerabilities. My favorite is Quay Clair . Clair is a static analysis of vulnerabilities. It’s also is an open-source project and very user friendly.

Conclusion

Using containers requires some knowledge to keep everything safe and fast, never underestimate security for your applications, because after you’ve been hacked, the price to solve it will be very expensive.

Written by Lucas Rodrigues