Container Hardening

Secure container images and runtime configurations.

When to Use This Skill

Use this skill when:

Building secure container images
Hardening container deployments
Meeting container security requirements
Implementing defense in depth

Dockerfile Security

# Use minimal base image
FROM alpine:3.18

# Don't run as root
RUN addgroup -g 1001 -S appgroup && \
    adduser -u 1001 -S appuser -G appgroup

# Copy with specific ownership
COPY --chown=appuser:appgroup . /app

# Remove unnecessary packages
RUN apk del --purge build-dependencies && \
    rm -rf /var/cache/apk/*

# Use non-root user
USER appuser

# Read-only filesystem support
WORKDIR /app

Runtime Security

# Run with security options
docker run -d \
  --read-only \
  --tmpfs /tmp \
  --security-opt=no-new-privileges:true \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --user 1001:1001 \
  myapp:latest

Kubernetes Security Context

apiVersion: v1
kind: Pod
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 1001
    fsGroup: 1001
  containers:
  - name: app
    securityContext:
      allowPrivilegeEscalation: false
      readOnlyRootFilesystem: true
      capabilities:
        drop: ["ALL"]

Image Scanning

# Scan with Trivy
trivy image --severity HIGH,CRITICAL myapp:latest

# Use distroless images
FROM gcr.io/distroless/static-debian11

Best Practices

Use minimal base images
Run as non-root user
Enable read-only filesystem
Drop all capabilities
Scan images regularly
Sign and verify images
Use secrets management

Related Skills

container-scanning - Vulnerability scanning
kubernetes-hardening - K8s security

container-hardening

Container Hardening

When to Use This Skill

Dockerfile Security

Runtime Security

Kubernetes Security Context

Image Scanning

Best Practices

Related Skills