
Security Best Practices for Dockers and Kubernetes environment

Security for your containerized applications in cloud and hybrid environments.

Docker containerization has become increasingly popular because it makes development easy and agile. In this article I cover the critical security risks associated with Kubernetes and Docker container environments, the common vulnerabilities behind them, and the potential impact of those risks on containerized deployments.

The terms ‘application container’ or simply ‘container’ are frequently used to refer to these technologies.

Docker is one of the most widely used containerization platforms for developing, shipping and running applications. It runs your application in almost any environment in a flexible and straightforward way. Docker enables customers to deploy traditional applications and the latest microservices anywhere.

Kubernetes, also known as K8s, is a portable, extensible open-source system for automating the deployment, scaling and management of containerized applications. It has emerged as a powerful platform for managing and deploying software applications. It supports various container runtimes such as Docker, containerd, CRI-O and Azure containers. Its popularity has grown tremendously in recent years. Below I cover the risks and how to address them with essential measures to secure your containerized deployments.

Host OS Vulnerabilities

Since many applications run on open-source platforms such as Linux, note that Linux kernels older than 2018 contain privilege escalation vulnerabilities. An attacker may exploit these vulnerabilities in the host OS kernel and gain access to the containers and the applications running inside them. One well-known method is a “reverse shell” on an Apache web server running in the container. This has mainly occurred due to weak access control, exploit kits and malware.

How to prevent?

Implement access and security controls, OS patching and vulnerability management, and IDS/firewalls.

Utilize a container-native security solution like Red Hat Quay that can monitor the container environment and provide precise detection of anomalous and malicious activity within it.

Insecure Container Images

A hacker can compromise the container OS images and use them as an attack vector to gain access to your applications and data. The main reason is an untrusted image source, which causes an infected or corrupt image to be downloaded.

You need to ensure that the container image comes from a valid source, scan images for malicious code, and validate signatures to confirm a trusted image source.

How to prevent?

Practice using a container registry to store and access container images. A registry provides transparency and traceability to track the origin of images. Examples: Docker Hub, Amazon ECR, Microsoft AKS, GitHub, JFrog, etc.

To reduce the attack surface, use images that contain only the necessary libraries and components in the base image.

Implement a process for regular updating and patching of container images.

Insecure Container Configuration

Insecure configuration can be exploited by attackers to steal data if your containers are misconfigured or left with basic or default settings (for example a default NGINX configuration). By default, a Linux container runs with all capabilities, which may not be required for a particular application. You need to restrict the container to the minimal permissions it needs to perform its operation, without requiring root access.

How to prevent?

Use a configuration management tool to maintain consistency across your environment. This ensures that the containers comply with your organization’s compliance and security policies.

Implement runtime security such as network segmentation and process isolation.

Limit processes running with root privilege. With Linux capabilities you can add or remove the specific capabilities a container requires, depending on your security policy evaluation.

Container Escape Vulnerabilities

Just as vulnerabilities in the host OS can lead to container access, container vulnerabilities can be exploited to gain access to the host system and potentially disrupt or destroy the entire system.

By default, a container does not have access to the host system. But in certain cases a container requires access to specific devices, such as storage. Configure only those containers with the additional privileges they need, rather than granting them root access.

How to prevent?

Implement runtime security such as network segmentation and process isolation, which makes it difficult for an attacker to reach the container and so prevents compromise of your application and data.

Keep the host and container OS updated regularly. Conduct regular security assessments to identify vulnerabilities.

Use tools like Kubernetes or HashiCorp for container orchestration. Kubernetes offers built-in advanced security features that help you implement these controls.

Container security is an ongoing process that requires regular monitoring and security assessment.

Inadequate Process Isolation in Containers

Are you aware that inadequate process isolation will lead to major data breaches?

In a containerized application, different containers potentially interact with each other. If a single container gets compromised, connected containers and even the entire system can be compromised and breached. You should implement adequate process isolation to prevent cross-container compromise and protect your sensitive data.

How to prevent?

Use cgroups to limit resource usage so that a single container cannot exhaust compute resources such as CPU, memory and I/O.

Ensure that you regularly monitor, assess and update the process isolation to stay secure.

Use namespace isolation to isolate the network, file system and storage resources of a container.

Use the docker command’s pid option with care. Docker already starts every container in its own PID namespace, which isolates its processes from those of the host; the --pid option only relaxes that isolation, and it accepts exactly two values: --pid=host (the container shares the host’s process namespace) and --pid=container:<name> (the container joins another container’s process namespace). To keep the container’s processes isolated from the host system, start it without --pid:

$ docker run -d my-image

This command starts the container in its own PID namespace and restricts its processes from interacting with the processes running on the host system, preventing cross-container compromise. Avoid --pid=host unless a container genuinely needs visibility of host processes. Use a container orchestration platform with built-in security features like AWS EKS or Azure AKS.
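The capability, root-user and host-namespace guidance in the configuration and process isolation sections above can be checked mechanically on a Kubernetes pod manifest. The audit below is an added example, not code from the original article; the pod manifest it inspects is constructed here, and the rules encode the Kubernetes securityContext defaults (allowPrivilegeEscalation is true unless set, and no capabilities are dropped unless listed).

```python
import json

# Constructed sample pod manifest (not from the page): "web" runs privileged
# as root with a host PID namespace; "sidecar" follows least privilege.
SAMPLE_POD = json.loads("""
{"apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
 "spec": {"hostPID": true, "hostNetwork": false, "hostIPC": false,
  "containers": [
   {"name": "web", "image": "my-image",
    "securityContext": {"privileged": true, "runAsUser": 0,
                        "capabilities": {"add": ["SYS_ADMIN"]}}},
   {"name": "sidecar", "image": "my-image",
    "securityContext": {"runAsNonRoot": true, "readOnlyRootFilesystem": true,
                        "allowPrivilegeEscalation": false,
                        "capabilities": {"drop": ["ALL"]}},
    "resources": {"limits": {"cpu": "500m", "memory": "128Mi"}}}]}}
""")

def audit_pod(pod):
    """Return (container, finding) tuples for settings that weaken isolation."""
    spec, findings = pod["spec"], []
    for ns in ("hostPID", "hostNetwork", "hostIPC"):   # host namespace sharing
        if spec.get(ns):
            findings.append(("<pod>", f"{ns} shares a host namespace"))
    for c in spec.get("containers", []):
        name, sc = c["name"], c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append((name, "privileged container"))
        if sc.get("runAsUser") == 0 or not sc.get("runAsNonRoot"):
            findings.append((name, "may run as root"))
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes default is true
            findings.append((name, "allowPrivilegeEscalation not disabled"))
        if "ALL" not in caps.get("drop", []):
            findings.append((name, "capabilities not dropped (drop: [ALL])"))
        if caps.get("add"):
            findings.append((name, f"extra capabilities added: {caps['add']}"))
        if not sc.get("readOnlyRootFilesystem"):
            findings.append((name, "root filesystem is writable"))
        if not c.get("resources", {}).get("limits"):   # no cgroup limits
            findings.append((name, "no CPU/memory resource limits"))
    return findings

if __name__ == "__main__":
    for who, what in audit_pod(SAMPLE_POD):
        print(f"{who}: {what}")
```

Run against a real manifest by replacing SAMPLE_POD with the output of kubectl get pod -o json; the "sidecar" container is the shape a hardened container should take.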

Inadequate network segmentation

Inadequate network segmentation can lead to data exfiltration. In the absence of network segmentation, containers are not isolated from each other, and sensitive data from one container can be exfiltrated via another container.

How to prevent?

Use a container orchestration platform with built-in security features, like Red Hat OpenShift or Apache Mesos, that provides process isolation and advanced security for the container environment.

Implement suitable VLANs to isolate the network traffic of containers from each other and from the host system.

A firewall must be used to control inbound and outbound traffic to and from the container.

Use Network Security Groups to limit network traffic to the container.
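In Kubernetes the segmentation described in this section is expressed with NetworkPolicy objects, and a pod is only isolated in a direction if some policy in its namespace selects it for that direction. The check below is an added example, not code from the original article: it takes constructed pod and policy records (matchLabels selectors only, no matchExpressions, which is an assumed simplification) and reports every pod that no policy isolates.

```python
# Constructed sample objects (not from the page): three pods and two policies,
# written as plain dicts with the fields a NetworkPolicy actually uses.
PODS = [
    {"namespace": "shop", "name": "web", "labels": {"app": "web"}},
    {"namespace": "shop", "name": "db", "labels": {"app": "db"}},
    {"namespace": "batch", "name": "worker", "labels": {"app": "worker"}},
]
POLICIES = [
    # Default-deny ingress for every pod in "shop": an empty podSelector
    {"namespace": "shop", "name": "default-deny-ingress",
     "spec": {"podSelector": {}, "policyTypes": ["Ingress"]}},
    # The database additionally gets a deny-all egress policy
    {"namespace": "shop", "name": "db-deny-egress",
     "spec": {"podSelector": {"matchLabels": {"app": "db"}},
              "policyTypes": ["Egress"], "egress": []}},
]

def selects(selector, labels):
    """matchLabels semantics: an empty selector matches every pod."""
    wanted = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in wanted.items())

def policy_types(spec):
    """Default policyTypes: Ingress, plus Egress only if egress rules exist."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress"} | ({"Egress"} if "egress" in spec else set())

def unisolated_pods(pods, policies):
    """Map 'namespace/pod' -> directions in which no policy isolates it."""
    gaps = {}
    for pod in pods:
        covered = set()
        for pol in policies:
            same_ns = pol["namespace"] == pod["namespace"]
            if same_ns and selects(pol["spec"]["podSelector"], pod["labels"]):
                covered |= policy_types(pol["spec"])
        missing = sorted({"Ingress", "Egress"} - covered)
        if missing:
            gaps[f"{pod['namespace']}/{pod['name']}"] = missing
    return gaps

if __name__ == "__main__":
    for pod, missing in unisolated_pods(PODS, POLICIES).items():
        print(f"{pod}: no {', '.join(missing)} policy applies")
```

A namespace with no matching policy at all (batch above) is fully open, which is the situation a default-deny policy per namespace removes.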

Security of data storage

Insecure data storage in containers can lead to data breaches. Unprotected sensitive data stored in a container can be misused for financial gain through data theft or ransom. Data held as plain text files or in unprotected databases is exposed to unauthorized extraction or manipulation. Threat agents such as malicious insiders or members of the app development team, and cyber criminals, can exploit weaknesses like weak encryption, insufficient data protection, insecure data storage mechanisms and improper handling of user credentials.

How to prevent?

Encrypt sensitive data in the container and on storage such as NAS or SAN, and use adequate access control to limit access based on roles (RBAC).

It is recommended to utilize read-only file systems whenever possible, to limit the impact of a compromised container on a Kubernetes node. This prevents a malicious process or application from writing back to the host system.

You can use the docker command to mount a host directory or volume as a data volume inside the container.

$ docker run -v /data:/data -d my-image

This starts a container from my-image and mounts the host directory /data as a volume inside the container. So, in case the container gets deleted, the data will “persist” in the host directory /data as well. But ensure that the host directory /data is also secured from unauthorized access.

Insufficient logging and monitoring of Containers

Inadequate logging and monitoring make it difficult to detect and respond to attacks on your containerized environment and lead to many security incidents. When logs are not captured, stored or actively monitored, there is a high chance that attackers exploit undetected vulnerabilities in your containerized environment. Incident investigation and response become most difficult when someone needs to trace back suspicious activities.

How to prevent?

Implement strong monitoring and log collection from the host system, the orchestration platform and each container.

Implement a centralized logging and monitoring tool to aggregate and analyze logs in real time. Use a SIEM tool to detect and respond to security incidents.

Orchestration platforms such as AWS EKS, Azure ACS or GCP GKE provide a number of additional logging streams available for consumption. Enable and use this feature on a regular basis.

Use the audit logging feature of Kubernetes, which records actions taken through the API server for later analysis.

So, in order to be able to stop an intrusion quickly, you need to design your APIs and network for easy monitoring with security in mind.
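Kubernetes audit logging, as recommended above, emits one JSON event per API request; the value comes from rules that run over those events. The detector below is an added example, not code from the original article, and the audit events it reads are constructed here. The three rules (exec into a pod, a non-system user reading Secrets, and repeated 403 responses from one user, with an assumed threshold of three) are illustrative starting points for a SIEM rule set.

```python
import json

# Constructed sample Kubernetes audit events (JSON lines, not from the page).
AUDIT_LOG = """\
{"kind":"Event","verb":"get","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"endpoints","namespace":"kube-system"},"responseStatus":{"code":200},"sourceIPs":["10.0.0.5"]}
{"kind":"Event","verb":"create","user":{"username":"dev-alice"},"objectRef":{"resource":"pods","subresource":"exec","namespace":"shop","name":"web-1"},"responseStatus":{"code":101},"sourceIPs":["203.0.113.7"]}
{"kind":"Event","verb":"list","user":{"username":"dev-alice"},"objectRef":{"resource":"secrets","namespace":"shop"},"responseStatus":{"code":200},"sourceIPs":["203.0.113.7"]}
{"kind":"Event","verb":"list","user":{"username":"dev-bob"},"objectRef":{"resource":"secrets","namespace":"kube-system"},"responseStatus":{"code":403},"sourceIPs":["203.0.113.9"]}
{"kind":"Event","verb":"list","user":{"username":"dev-bob"},"objectRef":{"resource":"secrets","namespace":"shop"},"responseStatus":{"code":403},"sourceIPs":["203.0.113.9"]}
{"kind":"Event","verb":"list","user":{"username":"dev-bob"},"objectRef":{"resource":"secrets","namespace":"batch"},"responseStatus":{"code":403},"sourceIPs":["203.0.113.9"]}
"""

FORBIDDEN_THRESHOLD = 3   # assumed: alert once a user collects this many 403s

def detect(log_text, threshold=FORBIDDEN_THRESHOLD):
    """Return (rule, user, detail) alerts raised by the audit events."""
    alerts, forbidden = [], {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user = ev.get("user", {}).get("username", "?")
        ref = ev.get("objectRef", {})
        code = ev.get("responseStatus", {}).get("code", 0)
        target = f"{ref.get('namespace', '-')}/{ref.get('resource')}"
        # Rule 1: interactive exec into a running pod
        if ref.get("resource") == "pods" and ref.get("subresource") == "exec":
            alerts.append(("pod-exec", user, f"{target}/{ref.get('name')}"))
        # Rule 2: a human (non system:) account successfully reads Secrets
        if (ref.get("resource") == "secrets" and ev.get("verb") in ("get", "list")
                and code < 400 and not user.startswith("system:")):
            alerts.append(("secret-read", user, target))
        # Rule 3: count RBAC denials per user (probing for what is reachable)
        if code == 403:
            forbidden[user] = forbidden.get(user, 0) + 1
    for user, n in forbidden.items():
        if n >= threshold:
            alerts.append(("repeated-forbidden", user, f"{n} denied requests"))
    return alerts

if __name__ == "__main__":
    for rule, user, detail in detect(AUDIT_LOG):
        print(f"[{rule}] {user}: {detail}")
```

The events are the shape produced by an audit policy at the Metadata level; a RequestResponse level would also expose request bodies for deeper rules.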

Conclusion

Eliminate the threat before they eliminate you!

The paramount objective of cybersecurity is to safeguard the functionality and integrity of any system or software you construct and run in a containerized environment. Awareness of security guidelines and best practices is very important. You need to take a holistic approach to hardening the container environment, from the host system, storage and network to the application and container runtime. This can be accomplished by conducting regular security assessments. With in-depth security and vulnerability assessments you can identify and mitigate weaknesses and misconfigurations proactively.
