Container Security Best

Practices [Cheat Sheet]

As you delve deeper into the realm of
container security, it becomes evident that
basic practices, while essential, may not
suffice in the face of advanced threats.

This cheat sheet will explore advanced
techniques to fortify your container security
strategy and provide a robust defense
against sophisticated attacks.

Advanced practices for container security

1 Maintaining short-lived secrets

Secrets such as API keys, tokens, and credentials are a potential goldmine for attackers.

To reduce the risk of exposure, it's vital to rotate these secrets frequently. 

For example, consider a cloud-based application that uses API keys for various services.

If these keys are compromised, an attacker could gain unauthorized access. By rotating them
every 30 to 90 days, you limit the window of opportunity for an attacker to do so. 

Automated systems for secret rotation, like the open-source tool Vault by HashiCorp, can
ensure that even if a secret is compromised, it won't be valid for long. For instance, the following
code will rotate secrets every 30 days:

# Example of using Vault for secret rotation

import hvac

client = hvac.Client()

client.write('secret/my_app', api_key='1234567890')

# Rotate secret every 30 days

client.renew('secret/my_app', increment=2592000)

For more details, refer to the Vault documentation.

© Wiz Inc. All Rights Reserved. 1

CloudSec Academy Best Practices

2 Secure service-to-service communication

In a containerized environment , containers often need to communicate with each other,

making the security of such inter-container communication crucial. This is particularly


true in a microservices architecture where multiple containers are constantly interacting.

A service mesh, such as the open-source tools Istio and Consul, can be employed to

control the traffic between containers and prevent unauthorized access. These offer


a specialized infrastructure layer designed to ensure safe, fast , and reliable


communication between services. They are particularly useful in complex, large-scale

microservices architectures.

One of the critical features of a service mesh is mutual TLS (mTLS), which provides secure

communication between services. mTLS makes sure that traffic is both encrypted and

originates from a trusted source, thereby guaranteeing the integrity and confidentiality


of your data.

Consider the following diagram to understand the network flow with a service mesh:

Figure 1: Istio security architecture (Source: Istio docs)

By leveraging service meshes and mTLS, you can significantly enhance the security


of service-to-service communication in your containerized applications.

3 Runtime security monitoring

Pre-runtime security measures like image scanning are essential but can't catch threats

that emerge during runtime. For example, a container might be compromised during

runtime through a zero-day exploit. By implementing runtime security monitoring with

eBPF-based tools like Tetragon, you can detect and prevent potential dangers, such as

container breakouts or kernel exploits, in real time.

© Wiz Inc. All Rights Reserved. 2

CloudSec Academy Best Practices

Tetragon is a powerful open-source tool for observing security measures and enforcing
them during runtime. It provides a wide range of use cases, including process lifecycle
monitoring, file access monitoring, network observability, and Linux process

credentials monitoring.

To illustrate how to use Tetragon for runtime security monitoring, let’s use the example
below. We'll be examining a kprobe that's attached to the fd_install kernel function. 

This particular kernel function, fd_install, is invoked whenever a file descriptor is

added to a process's file descriptor table, a scenario that's commonly seen in system

calls such as open or openat:

apiVersion: cilium.io/v1alpha1

kind: TracingPolicy

metadata:

name: "fd-install"

spec:

kprobes:

- call: "fd_install"

syscall: false

args:

- index: 0

type: "int"

- index: 1

type: "file"

selectors:

- matchArgs:

- index: 1

operator: "Equal"

values:

- "/etc/passwd"

Please note that this is a simplified example, and Tetragon offers much more advanced
features and capabilities.

© Wiz Inc. All Rights Reserved. 3

CloudSec Academy Best Practices

The diagram above provides a visual representation of how Tetragon uses eBPF to monitor
different aspects of system and network activity, providing real-time security observability
and enforcement. For more detailed examples, API references, and diagrams, please refer
to the Tetragon documentation.

4 Container intrusion detection

Intrusion detection systems (IDS) monitor your containers for signs of any malicious
activity. For example, an IDS might detect an unusual spike in network traffic,

indicating a potential breach. Using Tetragon, you can define tracing policies to

detect intrusion attempts. 

The following code illustrates a tracing policy that monitors TCP connection attempts.
When a TCP connection attempt is detected, it outputs a formatted message with details
about the source, destination, user, process, and container:

apiVersion: tetragon.io/v1

kind: TracingPolicy

metadata:

name: network-observability

spec: 

network: 

tcpConnect: 

output: 

format: "TCP connection attempt from %source.ip% to %destination.ip%

(user=%user.name% process=%proc.cmdline% container=%container.id%)"

For more details, refer to the Tetragon documentation.

© Wiz Inc. All Rights Reserved. 4

CloudSec Academy Best Practices

5 Zero trust architectures for containers

The "zero trust" principle dictates that no entity, internal or external, should be trusted by
default. For example, even an internal service request should be thoroughly verified before
access is granted. Implementing a zero-trust architecture in your container environment
with open-source tools like OPA (Open Policy Agent) ensures that every request is verified,
reducing the risk of breaches:

# Example of using OPA for zero trust architecture

package kubernetes.admission

deny[msg] {

input.request.kind.kind == "Pod"

image := input.request.object.spec.containers[_].image

not startswith(image, "wiz.io/")

msg := sprintf("image '%v' comes from untrusted registry", [image])

For more details, refer to the OPA documentation.

6 Implementing automated security policies

Manual security practices are prone to human error and can't keep pace with containers’
dynamic nature. For example, a developer might accidentally expose a sensitive port due
to a configuration error. Automated security policies, implemented with open-source tools
like Open Policy Agent (OPA), can enforce security measures consistently and efficiently
across your entire container environment, preventing such errors:

# Example of using OPA for automated security policies

package kubernetes.admission

deny[msg] {

input.request.kind.kind == "Pod"

port := input.request.object.spec.containers[_].ports[_].hostPort

port > 0

msg := sprintf("hostPort '%d' is not allowed", [port])

© Wiz Inc. All Rights Reserved. 5

CloudSec Academy Best Practices

For more details, refer to the OPA documentation.

7 Admission Controllers
An admission controller is a crucial component of advanced container security. It enforces
or blocks misconfigurations or bad behaviors before they reach the Kubernetes backend.
For example, it can prevent the deployment of containers that run as root, thereby
preventing potential security risks. Kubernetes provides a built-in admission controller that
can be configured to meet your security needs:

# Example of using Kubernetes Admission Controller

apiVersion: admissionregistration.k8s.io/v1

kind: ValidatingWebhookConfiguration

webhooks:

- name: "deny-root-user.example.com"

rules:

- apiGroups: [""]

apiVersions: ["v1"]

operations: ["CREATE"]

resources: ["pods"]

scope: "Namespaced"

clientConfig:

service:

namespace: "default"

name: "deny-root-user"

admissionReviewVersions: ["v1", "v1beta1"]

For more details, refer to the Kubernetes Admission Controller documentation.

8 Image Signing
Image signing, via open-source tools like Cosign or Notary, allows for the digital signing of
container images. For instance, an image might have been compromised and contain
malicious code. Ensuring that only approved and verified images can be deployed adds an
extra layer of security to your container environment.

© Wiz Inc. All Rights Reserved. 6

CloudSec Academy Best Practices

# Example of using Cosign for image signing

cosign sign -key cosign.key gcr.io/example/myimage

For more details, refer to the Cosign documentation.

Per advanced best practices, the leading open-source tools can be listed as follows:

Practice Open-source tools

Short-lived secrets HashiCorp Vault, Kubernetes Secrets

Secure service-to-service communication Istio, Calico

Runtime security monitoring Tetragon, Falco

Container intrusion detection Tetragon, Falco, Wazuh

Zero trust architectures for containers Spiffe, Spire

Automated security policies Open Policy Agent, Kyverno

Admission controllers Kubernetes Dynamic Admission Controllers

Image signing Cosign, Notary

By implementing these advanced practices, you can elevate your container security
approach and guarantee robust protection for your applications, no matter the threat. 

In the following section, we’ll discuss container security practices based on

different environments.

© Wiz Inc. All Rights Reserved. 7

CloudSec Academy Best Practices

Container security practices based on environment

Securing your container environment requires a nuanced approach that takes into account
the specific characteristics of your deployment environment. Whether you're using
Kubernetes, Docker, or another platform, there are particular practices you can follow to
enhance your security posture, as shown in the table below:

Platform Best practices

Kubernetes Implement role-based access control (RBAC) to limit


access to the Kubernetes API
Segregate your cluster into different namespaces to isolate
applications from each other
Regularly update and patch your Kubernetes version to
secure your environment against known vulnerabilities
Implement network policies to restrict traffic between pods
Enable audit logging to keep track of actions taken in

your cluster
Implement resource quotas to prevent overconsumption

of resources in a namespace
Leverage admission controllers to enforce specific behaviors
in your cluster.

Docker Use Docker Bench for Security to check Docker

configurations against best practices
Avoid running containers as root to limit potential privileges
an attacker could exploit
Regularly update and patch Docker software for proper
defense against known vulnerabilities
Use Docker's built-in security features like seccomp profiles,
AppArmor, and SELinux.
Limit the use of Docker images to trusted sources
Use Docker Content Trust (DCT) to guarantee the validity

and origin of all data obtained from a Docker registry
Implement resource limits to prevent a single container

from consuming all the host resources
Use Docker's logging features to monitor the activity

of your containers.

© Wiz Inc. All Rights Reserved. 8

CloudSec Academy Best Practices

Platform Best practices

OpenShift Use OpenShift's built-in OAuth server for authentication to
limit access to the OpenShift API
Implement role-based access control (RBAC) to manage

who can perform what actions
Regularly update and patch your OpenShift environment

to secure it against known vulnerabilities
Implement network policies to restrict traffic between pods
Enable audit logging to keep track of actions taken in

your cluster
Use OpenShift Secrets to manage sensitive information
Implement resource quotas to prevent overconsumption

of resources in a project
Leverage OpenShift's built-in security context constraints
(SCCs) to control permissions for pods
Limit the use of images to trusted sources via image streams
Use OpenShift's built-in health checks to monitor the state

of your applications.

Cloud provider container Ensure that images are sourced from trusted repositories.
services (EKS, ECS, Fargate, Use best practices for container construction: Minimize the
etc.) number of layers and avoid including unnecessary
components, which can introduce vulnerabilities
Regularly update the containers to ensure they have the
latest security patches and updates
Restrict container IAM privileges and implement the principle
of least privilege for container workloads
Restrict network access and use network policies to control
permissions for inter-container communication.

By tailoring your security practices to your specific environment, you will build a robust
defense capable of protecting your applications against new and emerging threats
organizations continuously face today. 

The most effective security strategy is one where an organization takes proactive steps

to ensure security—not react to security incidents after the fact. By implementing these
practices, you can stay one step ahead and ensure your container environment

remains secure.

See Wiz in Action Watch Now

Get instant access to a demo of Wiz’s cloud security platform

© Wiz Inc. All Rights Reserved. 9