Stratus Cyber | An ultimate guide to Docker and Kubernetes

As more companies embrace the cloud-native DevOps journey, the role of Docker of Kubernetes is becoming central in securing containerized environments. Docker simplifies the containerization of apps by automating the process. It is an open standard that enables developers to build and run containers and to store and share container images. For container orchestration, Kubernetes is the most popular open standard. Kubernetes manages and orchestrates containerized workloads and services across cloud computing data centers by automating container deployment, network communication, and load-balancing across computing clusters. Widespread deployment of Docker and Kubernetes make them attractive targets for the bad actors. A successful compromise on these platforms provides inroads to the entire containerized environment. Mitigating these risks requires a new approach and best practices that are addressed in Docker and Kubernetes CIS benchmarks.

CIS Benchmarks for Docker and Kubernetes

Native security capabilities in Docker and Kubernetes are limited. Kubernetes native security is limited to role-based access control (RBAC) to restrict container access to server resources. Additional security controls and best practices must be integrated to secure the container environment. The Docker and Kubernetes benchmarks from the Center for Internet Security (CIS), a not-for-profit organization that publishes product-specific best practices, are particularly useful for container security.

Advancements in container architectures are dynamic, and there are always new releases in container standards and technologies. CIS releases new benchmarks for Docker and Kubernetes to capture changes in the new versions of those projects. This helps to keep things current and to expand for securing containerized environments.

Advancements in container architectures are dynamic, and there are always new releases in container standards and technologies.

CIS Docker Benchmark v1.3 best practices

The Docker CIS Benchmark version 1.3 provides detailed recommendations for securing the Docker environment in production. The recommendations focus on configuration best practices taking into account the new features in Docker 20.10. The main sections of the benchmarks are summarized here to give you a head start with Docker configuration and security best practices.

Host configuration

This section lists the recommendations for configuring the host on which the Docker engine runs. These recommendations specify protections for the native environment:

Ensure the OS is hardened
Ensure Docker version is up to date
Create a separate partition for containers
Grant access to Docker daemon to only trusted users
Ensure auditing is configured on Docker files and directories

Docker Daemon Configuration

The CIS recommendations for Docker Daemon configuration secures the behavior of the Docker daemon and the background process that manages the containers on the Docker host.

A list of recommended settings are summarized:

Restrict network traffic between containers on the default bridge

Set Logging level at “info”
“Allow” Docker permission to make changes to iptables to “allow”
Do not use insecure registries
Do not use Aufs storage driver
Use and configure TLS authentication correctly
Configure Default ulimit as appropriate
Enable user namespace support
Confirm default cgroup usage
Enable Docker client command authorization
Configure Centralized logging
Configure Remote logging
Enable Live restore
Disable Userland Proxy
Apply Custom seccomp profile if appropriate
Do not use experimental features in production
Set container ability to gain new privileges as restricted

Configuration Files for Docker Daemon

This section of the benchmark recommends files and directory settings in terms of permissions and ownership. The Docker Daemon configuration files are sensitive. Attackers can access and use them to control all containers on the host. Securing the files and directories containing sensitive parameters is important for the correct and secure functioning of the Docker daemon.

Container Images and Build File Configuration

Container base images and the build files used to create them determine what is inside a container and how it operates. The recommendations in this section ensure your base images and build files are safe and trusted.

Permissions

Create a user for the container
Remove setuid and setgid permissions

Container content

Avoid unnecessary packages in the container
Only install verified packages
Define HEALTHCHECK instructions for the container
Enable content trust for Docker

Images

Only use trusted base images
Conduct security scans on images
Build images including security patches

Dockerfiles

Ensure update instructions are not used alone
Use COPY instead of ADD
Do not store secrets in Dockerfiles

Container Runtime Configuration

Startup configuration for containers can affect security. Certain runtime parameters can lead to compromise of the host and the containers running on it. CIS recommends runtime configuration elements such as Linux security options, container resource utilization, container root filesystem, etc., to secure containers in runtime.

Docker Security Operations

CIS recommends two best practices to securely operate Docker in production:

Avoid image sprawl—It is recommended to not run too many container images on the same host and use only images which are tagged as secure with no vulnerabilities.

Avoid container sprawl—Having more containers on the host than optimal can expose the Docker host to mishandling, misconfiguration, and fragmentation. The number of containers on the same host should be minimized.

Docker Swarm Configuration

Docker Swarm is Docker’s container orchestrator, which can manage clusters of containers and their lifecycle. The recommendations focus on swarm mode, swarm services, swarm services, etc.

CIS Benchmark best practices for Kubernetes

The Kubernetes CIS Benchmark provides detailed recommendations on how to secure Kubernetes deployments. Most of these recommendations are relevant to Kubernetes deployed directly by the organization, but not for managed Kubernetes services such as Amazon Elastic Kubernetes Service (AKS), Google Kubernetes Engine (GKE), or Openshift. This is because these services provide a managed control plane and may have different command-line tools compared to standard Kubernetes.

Control Plane Components

The CIS benchmark makes several recommendations with regard to the configuration of the Kubernetes control plane—including the API Server, etcd, and Container Network Interface (CNI).

When configuring the Kubernetes control plane, the Kubernetes CIS Benchmark recommends:

Not using client certificate authentication for users—Kubernetes enables the use of client certificates for user authentication. CIS benchmark recommends not using these certificates as there is no way to revoke these certificates when a user leaves or loses the credentials.
Minimal audit policy—Kubernetes can audit requests made to the API server. The audit-policy flag should be set to ensure there is at least a minimal audit trail.
Audit policy coverage—Kuberenets Security audit logs must record access and modification of any key cluster resources.

Worker Nodes

Kubernetes worker nodes can be physical or virtual machines where containers execute within pods. The Kubernetes CIS benchmark makes several recommendations for securing configuration files and defining specific configuration settings for the primary node agent (Kubelet) on the worker nodes.

Policies

The Kubernetes CIS benchmark recommends specific policies for Kubernetes elements like RBAC, pods, and the container network interface (CNI) to improve security.

In addition to the recommendations above, the benchmark recommends:

Creating administrative boundaries using namespaces and never using the default namespace
Using the seccomp profile in docker/default pod definitions
Using Security Context in Pods and Containers

Conclusion

Docker and Kubernetes platforms are the essential building blocks of cloud-native DevOps and IaaS. Securing these platforms are integral to container security. The CIS benchmarks for Docker and Kubernetes provide the configuration recommendations to secure these platforms and your cloud-native environment. It is, however, impractical to run these tools manually to check for compliance. It is recommended that you use tools that automate the process of compliance checks with CIS benchmarks.