Falco on Adurhttps://adurrr.github.io/en/tags/falco/Recent content in Falco on AdurHugo -- gohugo.ioenFri, 14 Jul 2023 10:00:00 +0100Container security best practiceshttps://adurrr.github.io/en/p/container-security-best-practices/Fri, 14 Jul 2023 10:00:00 +0100https://adurrr.github.io/en/p/container-security-best-practices/<h2 id="the-attack-surface-of-containers">The Attack Surface of Containers </h2><p>Containers give you process isolation, not security isolation. A misconfigured container can expose the host kernel, leak secrets, or become a pivot point for lateral movement. Understand the attack surface first:</p> <ul> <li><strong>Container images</strong> - Vulnerable libraries, hardcoded credentials, unnecessary tools</li> <li><strong>Container runtime</strong> - Vulnerabilities that allow breakouts</li> <li><strong>Orchestrator misconfigurations</strong> (Kubernetes RBAC, network policies) - Expose services, grant excessive permissions</li> <li><strong>Supply chain</strong> - Compromised base images or dependencies</li> <li><strong>Secrets</strong> - Baked into images or environment variables that any process can access</li> </ul> <p>Security requires defense in depth across the entire lifecycle: build, ship, run.</p> <h2 id="image-security">Image security </h2><h3 id="use-minimal-base-images">Use minimal base images </h3><p>Every additional package in a container image is a potential vulnerability. Prefer minimal base images:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Prefer distroless or Alpine over full distributions</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">gcr.io/distroless/static-debian11</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="c"># or</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">alpine:3.18</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>Distroless images</strong> contain only your application and its runtime dependencies &mdash; no shell, no package manager, no unnecessary binaries. This dramatically reduces the attack surface.</p> <h3 id="multi-stage-builds">Multi-stage builds </h3><p>Multi-stage builds let you compile in one stage and copy only the final artifact to a minimal runtime image:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Build stage</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">golang:1.21</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> go.mod go.sum ./<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> go mod download<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> . .<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> <span class="nv">CGO_ENABLED</span><span class="o">=</span><span class="m">0</span> go build -o /app/server<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="c"># Runtime stage</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">gcr.io/distroless/static-debian11</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>builder /app/server /server<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">nonroot:nonroot</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENTRYPOINT</span> <span class="p">[</span><span class="s2">&#34;/server&#34;</span><span class="p">]</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>The build tools, source code, and intermediate files never make it into the final image.</p> <h3 id="never-run-as-root">Never run as root </h3><p>Running containers as root means a container escape gives the attacker root on the host. Always specify a non-root user:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># Create a non-root user</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> addgroup -S appgroup <span class="o">&amp;&amp;</span> adduser -S appuser -G appgroup<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">appuser</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>In Kubernetes, enforce this with Pod Security Standards (more on this below).</p> <h3 id="secure-vs-insecure-dockerfile-comparison">Secure vs. insecure Dockerfile comparison </h3><p>Here is a side-by-side comparison of common mistakes versus secure practices:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># INSECURE - Do NOT do this</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">ubuntu:latest</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> apt-get update <span class="o">&amp;&amp;</span> apt-get install -y curl wget vim<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> . /app<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> <span class="nb">echo</span> <span class="s2">&#34;DB_PASSWORD=supersecret&#34;</span> &gt; /app/.env<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">EXPOSE</span><span class="w"> </span><span class="s">22</span> <span class="m">80</span> <span class="m">443</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">root</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">CMD</span> <span class="p">[</span><span class="s2">&#34;python3&#34;</span><span class="p">,</span> <span class="s2">&#34;/app/main.py&#34;</span><span class="p">]</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="c"># SECURE - Follow this pattern</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">python:3.11-slim</span><span class="w"> </span><span class="k">AS</span><span class="w"> </span><span class="s">builder</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> requirements.txt .<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> pip install --no-cache-dir --user -r requirements.txt<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">python:3.11-slim</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> groupadd -r appgroup <span class="o">&amp;&amp;</span> useradd -r -g appgroup appuser<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">WORKDIR</span><span class="w"> </span><span class="s">/app</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --from<span class="o">=</span>builder /root/.local /home/appuser/.local<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> --chown<span class="o">=</span>appuser:appgroup . .<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">ENV</span> <span class="nv">PATH</span><span class="o">=</span>/home/appuser/.local/bin:<span class="nv">$PATH</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">EXPOSE</span><span class="w"> </span><span class="s">8080</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">USER</span><span class="w"> </span><span class="s">appuser</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">HEALTHCHECK</span> --interval<span class="o">=</span>30s --timeout<span class="o">=</span>3s <span class="k">CMD</span> curl -f http://localhost:8080/health <span class="o">||</span> <span class="nb">exit</span> <span class="m">1</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">CMD</span> <span class="p">[</span><span class="s2">&#34;python3&#34;</span><span class="p">,</span> <span class="s2">&#34;main.py&#34;</span><span class="p">]</span><span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Key differences: minimal base image, multi-stage build, no secrets in the image, non-root user, only necessary ports exposed, health check included.</p> <h2 id="image-scanning-with-trivy">Image scanning with Trivy </h2><p>Trivy is an open-source vulnerability scanner that checks container images, filesystems, and IaC configurations. Integrate it into your CI pipeline to catch vulnerabilities before deployment.</p> <h3 id="basic-image-scan">Basic image scan </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Scan an image for vulnerabilities</span> </span></span><span class="line"><span class="cl">trivy image python:3.11-slim </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan with severity filter</span> </span></span><span class="line"><span class="cl">trivy image --severity HIGH,CRITICAL myapp:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Fail CI if critical vulnerabilities are found</span> </span></span><span class="line"><span class="cl">trivy image --exit-code <span class="m">1</span> --severity CRITICAL myapp:latest </span></span></code></pre></td></tr></table> </div> </div><h3 id="scanning-in-cicd">Scanning in CI/CD </h3><p>Add Trivy to your pipeline so that no image with critical vulnerabilities reaches production:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="c"># Example GitHub Actions step</span><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">Run Trivy vulnerability scanner</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">aquasecurity/trivy-action@master</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">image-ref</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;myapp:${{ github.sha }}&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">format</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;table&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">exit-code</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">severity</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;CRITICAL,HIGH&#39;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="scanning-iac-and-filesystems">Scanning IaC and filesystems </h3><p>Trivy goes beyond container images:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Scan Kubernetes manifests for misconfigurations</span> </span></span><span class="line"><span class="cl">trivy config ./k8s-manifests/ </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Scan a filesystem for secrets and vulnerabilities</span> </span></span><span class="line"><span class="cl">trivy fs --security-checks vuln,secret ./ </span></span></code></pre></td></tr></table> </div> </div><h2 id="runtime-security-with-falco">Runtime security with Falco </h2><p>While scanning catches vulnerabilities at build time, Falco monitors containers at runtime. It uses kernel-level instrumentation to detect suspicious behavior:</p> <ul> <li>Unexpected shell spawns inside containers.</li> <li>Processes reading sensitive files (<code>/etc/shadow</code>, <code>/etc/passwd</code>).</li> <li>Outbound network connections to unexpected destinations.</li> <li>Privilege escalation attempts.</li> </ul> <h3 id="example-falco-rules">Example Falco rules </h3><div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl">- <span class="nt">rule</span><span class="p">:</span><span class="w"> </span><span class="l">Terminal shell in container</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">desc</span><span class="p">:</span><span class="w"> </span><span class="l">Detect a shell being spawned in a container</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> spawned_process and container and </span></span></span><span class="line"><span class="cl"><span class="sd"> proc.name in (bash, sh, zsh, dash)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">output</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> Shell spawned in container </span></span></span><span class="line"><span class="cl"><span class="sd"> (user=%user.name container=%container.name </span></span></span><span class="line"><span class="cl"><span class="sd"> shell=%proc.name parent=%proc.pname)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">priority</span><span class="p">:</span><span class="w"> </span><span class="l">WARNING</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl">- <span class="nt">rule</span><span class="p">:</span><span class="w"> </span><span class="l">Read sensitive file in container</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">desc</span><span class="p">:</span><span class="w"> </span><span class="l">Detect reads of sensitive files</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">condition</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> open_read and container and </span></span></span><span class="line"><span class="cl"><span class="sd"> fd.name in (/etc/shadow, /etc/passwd)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">output</span><span class="p">:</span><span class="w"> </span><span class="p">&gt;</span><span class="sd"> </span></span></span><span class="line"><span class="cl"><span class="sd"> Sensitive file read in container </span></span></span><span class="line"><span class="cl"><span class="sd"> (user=%user.name file=%fd.name container=%container.name)</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">priority</span><span class="p">:</span><span class="w"> </span><span class="l">ERROR</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Deploy Falco as a DaemonSet in your Kubernetes cluster to get visibility into runtime behavior across all nodes.</p> <h2 id="kubernetes-security">Kubernetes security </h2><h3 id="pod-security-standards">Pod Security Standards </h3><p>Kubernetes Pod Security Standards define three levels of restriction:</p> <ul> <li><strong>Privileged</strong> &mdash; Unrestricted (for system-level workloads only).</li> <li><strong>Baseline</strong> &mdash; Prevents known privilege escalations.</li> <li><strong>Restricted</strong> &mdash; Heavily restricted, following security best practices.</li> </ul> <p>Apply them at the namespace level:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Namespace</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/enforce</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/audit</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pod-security.kubernetes.io/warn</span><span class="p">:</span><span class="w"> </span><span class="l">restricted</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><h3 id="networkpolicies">NetworkPolicies </h3><p>By default, all pods in Kubernetes can communicate with each other. NetworkPolicies let you restrict traffic:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">networking.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">NetworkPolicy</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">api-allow</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">spec</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">api</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">policyTypes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Ingress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">Egress</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ingress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">from</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">frontend</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">8080</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">egress</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">to</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">podSelector</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">matchLabels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">app</span><span class="p">:</span><span class="w"> </span><span class="l">database</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">ports</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">protocol</span><span class="p">:</span><span class="w"> </span><span class="l">TCP</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">port</span><span class="p">:</span><span class="w"> </span><span class="m">5432</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>This policy ensures the API pod only receives traffic from the frontend and only sends traffic to the database.</p> <h3 id="rbac">RBAC </h3><p>Follow the principle of least privilege. Avoid giving <code>cluster-admin</code> to service accounts. Create specific roles:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span><span class="lnt">9 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">apiVersion</span><span class="p">:</span><span class="w"> </span><span class="l">rbac.authorization.k8s.io/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">kind</span><span class="p">:</span><span class="w"> </span><span class="l">Role</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">metadata</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">namespace</span><span class="p">:</span><span class="w"> </span><span class="l">production</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">deployment-manager</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">rules</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">apiGroups</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;apps&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">resources</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;deployments&#34;</span><span class="p">]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">verbs</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&#34;get&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;list&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;watch&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;update&#34;</span><span class="p">,</span><span class="w"> </span><span class="s2">&#34;patch&#34;</span><span class="p">]</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p>Regularly audit RBAC bindings with tools like <code>kubectl-who-can</code> or <code>rbac-tool</code>.</p> <h2 id="secrets-management">Secrets management </h2><p>Never store secrets in container images, environment variables in plain Dockerfiles, or version control. Instead:</p> <ul> <li>Use <strong>Kubernetes Secrets</strong> (encrypted at rest with KMS).</li> <li>Use external secrets managers: <strong>HashiCorp Vault</strong>, <strong>AWS Secrets Manager</strong>, <strong>Azure Key Vault</strong>.</li> <li>Use the <strong>External Secrets Operator</strong> to sync secrets from external providers into Kubernetes.</li> <li>Rotate secrets regularly and audit access.</li> </ul> <h2 id="supply-chain-security">Supply chain security </h2><h3 id="signed-images">Signed images </h3><p>Sign your container images with <strong>cosign</strong> (part of the Sigstore project) and verify signatures before deployment:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Sign an image</span> </span></span><span class="line"><span class="cl">cosign sign --key cosign.key myregistry/myapp:v1.0 </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Verify a signature</span> </span></span><span class="line"><span class="cl">cosign verify --key cosign.pub myregistry/myapp:v1.0 </span></span></code></pre></td></tr></table> </div> </div><h3 id="sbom-software-bill-of-materials">SBOM (Software Bill of Materials) </h3><p>Generate an SBOM for every image so you can quickly check whether a newly disclosed CVE affects your running containers:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># Generate SBOM with Trivy</span> </span></span><span class="line"><span class="cl">trivy image --format spdx-json --output sbom.json myapp:latest </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># Or use syft</span> </span></span><span class="line"><span class="cl">syft myapp:latest -o spdx-json &gt; sbom.json </span></span></code></pre></td></tr></table> </div> </div><h2 id="container-security-checklist">Container security checklist </h2><p>Use this checklist to assess your container security posture:</p> <ul> <li><input disabled="" type="checkbox"> Base images are minimal (distroless or Alpine).</li> <li><input disabled="" type="checkbox"> Multi-stage builds are used to exclude build tools.</li> <li><input disabled="" type="checkbox"> Containers run as non-root users.</li> <li><input disabled="" type="checkbox"> Images are scanned for vulnerabilities in CI/CD.</li> <li><input disabled="" type="checkbox"> No secrets are stored in images or plain environment variables.</li> <li><input disabled="" type="checkbox"> Kubernetes Pod Security Standards are enforced.</li> <li><input disabled="" type="checkbox"> NetworkPolicies restrict pod-to-pod communication.</li> <li><input disabled="" type="checkbox"> RBAC follows least privilege.</li> <li><input disabled="" type="checkbox"> Runtime security monitoring is in place (Falco or equivalent).</li> <li><input disabled="" type="checkbox"> Images are signed and signatures are verified before deployment.</li> <li><input disabled="" type="checkbox"> SBOMs are generated and stored for all production images.</li> <li><input disabled="" type="checkbox"> Secrets are managed through an external secrets manager.</li> <li><input disabled="" type="checkbox"> Image pull policies are set to <code>Always</code> for mutable tags.</li> <li><input disabled="" type="checkbox"> Regular security audits and penetration tests are conducted.</li> </ul> <h2 id="conclusion">Conclusion </h2><p>Container security is an ongoing practice, not a one-time task. Start with basics: minimal images, non-root users, scanning. Then layer on runtime monitoring, network policies, supply chain verification, and automated enforcement. Each layer shrinks the blast radius and moves you closer to actual security.</p>