DevOps Intermediate
Docker Security Best Practices¶
DockerSecurityContainerizationDevSecOps 5 min read
Zabezpečení Docker kontejnerů. Image scanning, rootless containers, read-only filesystem a runtime security.
Image Security¶
- Používejte minimální base image (Alpine, Distroless)
- Pinujte verze:
node:20.11.1-alpine3.19(ne:latest) - Skenujte image:
trivy image myapp:latest - Multi-stage builds — žádné build tools v produkci
- Podepište image: Cosign / Notary
Rootless Containers¶
# Dockerfile
FROM node:20-alpine
# Vytvořte non-root user
RUN addgroup -g 1001 -S app && adduser -S app -u 1001 -G app
WORKDIR /app
COPY --chown=app:app . .
# Přepněte na non-root
USER app
EXPOSE 3000
CMD ["node", "server.js"]
# Kubernetes
securityContext:
runAsNonRoot: true
runAsUser: 1001
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: [ALL]
Runtime Security¶
- Read-only filesystem:
readOnlyRootFilesystem: true - Drop capabilities:
capabilities: { drop: [ALL] } - Seccomp profiles: omezení syscallů
- AppArmor/SELinux: mandatory access control
- Resource limits: vždy nastavte CPU a memory limity
Summary¶
Docker security je vrstevnatá obrana: minimální image, non-root user, read-only filesystem a runtime omezení. Skenujte v CI, enforceujte v K8s.
Need Help with Implementation?¶
Our team has experience designing and implementing modern architectures. We’re happy to help.