As more companies embrace the cloud-native DevOps journey, the role of Docker of Kubernetes is becoming central in securing containerized environments. Docker simplifies the containerization of apps by automating the process. It is an open standard that enables developers to build and run containers and to store and share container images. For container orchestration, Kubernetes is the most popular open standard. Kubernetes manages and orchestrates containerized workloads and services across cloud computing data centers by automating container deployment, network communication, and load-balancing across computing clusters. Widespread deployment of Docker and Kubernetes make them attractive targets for the bad actors. A successful compromise on these platforms provides inroads to the entire containerized environment. Mitigating these risks requires a new approach and best practices that are addressed in Docker and Kubernetes CIS benchmarks.
CIS Benchmarks for Docker and Kubernetes
Native security capabilities in Docker and Kubernetes are limited. Kubernetes native security is limited to role-based access control (RBAC) to restrict container access to server resources. Additional security controls and best practices must be integrated to secure the container environment. The Docker and Kubernetes benchmarks from the Center for Internet Security (CIS), a not-for-profit organization that publishes product-specific best practices, are particularly useful for container security.
Advancements in container architectures are dynamic, and there are always new releases in container standards and technologies. CIS releases new benchmarks for Docker and Kubernetes to capture changes in the new versions of those projects. This helps to keep things current and to expand for securing containerized environments.
Advancements in container architectures are dynamic, and there are always new releases in container standards and technologies.
CIS Docker Benchmark v1.3 best practices
The Docker CIS Benchmark version 1.3 provides detailed recommendations for securing the Docker environment in production. The recommendations focus on configuration best practices taking into account the new features in Docker 20.10. The main sections of the benchmarks are summarized here to give you a head start with Docker configuration and security best practices.
This section lists the recommendations for configuring the host on which the Docker engine runs. These recommendations specify protections for the native environment:
- Ensure the OS is hardened
- Ensure Docker version is up to date
- Create a separate partition for containers
- Grant access to Docker daemon to only trusted users
- Ensure auditing is configured on Docker files and directories
Docker Daemon Configuration
The CIS recommendations for Docker Daemon configuration secures the behavior of the Docker daemon and the background process that manages the containers on the Docker host.
A list of recommended settings are summarized:
- Restrict network traffic between containers on the default bridge
- Set Logging level at “info”
- “Allow” Docker permission to make changes to iptables to “allow”
- Do not use insecure registries
- Do not use Aufs storage driver
- Use and configure TLS authentication correctly
- Configure Default ulimit as appropriate
- Enable user namespace support
- Confirm default cgroup usage
- Enable Docker client command authorization
- Configure Centralized logging
- Configure Remote logging
- Enable Live restore
- Disable Userland Proxy
- Apply Custom seccomp profile if appropriate
- Do not use experimental features in production
- Set container ability to gain new privileges as restricted
Configuration Files for Docker Daemon
This section of the benchmark recommends files and directory settings in terms of permissions and ownership. The Docker Daemon configuration files are sensitive. Attackers can access and use them to control all containers on the host. Securing the files and directories containing sensitive parameters is important for the correct and secure functioning of the Docker daemon.
Container Images and Build File Configuration
Container base images and the build files used to create them determine what is inside a container and how it operates. The recommendations in this section ensure your base images and build files are safe and trusted.
- Create a user for the container
- Remove setuid and setgid permissions
- Container content
- Avoid unnecessary packages in the container
- Only install verified packages
- Define HEALTHCHECK instructions for the container
- Enable content trust for Docker
- Only use trusted base images
- Conduct security scans on images
- Build images including security patches
- Ensure update instructions are not used alone
- Use COPY instead of ADD
- Do not store secrets in Dockerfiles
Container Runtime Configuration
Startup configuration for containers can affect security. Certain runtime parameters can lead to compromise of the host and the containers running on it. CIS recommends runtime configuration elements such as Linux security options, container resource utilization, container root filesystem, etc., to secure containers in runtime.
Docker Security Operations
CIS recommends two best practices to securely operate Docker in production:
- Avoid image sprawl—It is recommended to not run too many container images on the same host and use only images which are tagged as secure with no vulnerabilities.
- Avoid container sprawl—Having more containers on the host than optimal can expose the Docker host to mishandling, misconfiguration, and fragmentation. The number of containers on the same host should be minimized.
Docker Swarm Configuration
Docker Swarm is Docker’s container orchestrator, which can manage clusters of containers and their lifecycle. The recommendations focus on swarm mode, swarm services, swarm services, etc.
CIS Benchmark best practices for Kubernetes
The Kubernetes CIS Benchmark provides detailed recommendations on how to secure Kubernetes deployments. Most of these recommendations are relevant to Kubernetes deployed directly by the organization, but not for managed Kubernetes services such as Amazon Elastic Kubernetes Service (AKS), Google Kubernetes Engine (GKE), or Openshift. This is because these services provide a managed control plane and may have different command-line tools compared to standard Kubernetes.
Control Plane Components
The CIS benchmark makes several recommendations with regard to the configuration of the Kubernetes control plane—including the API Server, etcd, and Container Network Interface (CNI).
When configuring the Kubernetes control plane, the Kubernetes CIS Benchmark recommends:
- Not using client certificate authentication for users—Kubernetes enables the use of client certificates for user authentication. CIS benchmark recommends not using these certificates as there is no way to revoke these certificates when a user leaves or loses the credentials.
- Minimal audit policy—Kubernetes can audit requests made to the API server. The audit-policy flag should be set to ensure there is at least a minimal audit trail.
- Audit policy coverage—Kuberenets Security audit logs must record access and modification of any key cluster resources.
Kubernetes worker nodes can be physical or virtual machines where containers execute within pods. The Kubernetes CIS benchmark makes several recommendations for securing configuration files and defining specific configuration settings for the primary node agent (Kubelet) on the worker nodes.
The Kubernetes CIS benchmark recommends specific policies for Kubernetes elements like RBAC, pods, and the container network interface (CNI) to improve security.
In addition to the recommendations above, the benchmark recommends:
- Creating administrative boundaries using namespaces and never using the default namespace
- Using the seccomp profile in docker/default pod definitions
- Using Security Context in Pods and Containers
Docker and Kubernetes platforms are the essential building blocks of cloud-native DevOps and IaaS. Securing these platforms are integral to container security. The CIS benchmarks for Docker and Kubernetes provide the configuration recommendations to secure these platforms and your cloud-native environment. It is, however, impractical to run these tools manually to check for compliance. It is recommended that you use tools that automate the process of compliance checks with CIS benchmarks.