Docker and Kubernetes Security Best Practices
In this tutorial, you'll learn about Docker and Kubernetes Security Best Practices. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.
What You'll Learn
Secure your container infrastructure — Docker image hardening, Kubernetes RBAC, network policies, Pod Security Standards, and Supply Chain Security.
Why It Matters
Container security is layered: the image, the runtime settings of each container, the cluster's authorization and network controls, and the pipeline that builds and ships images each need hardening, and the defaults at every layer are permissive. A compromise of one container becomes a cluster compromise only when those defaults are left in place: a root process with full capabilities, a mounted service-account token with broad RBAC, and no network policy between it and the rest of the cluster. The practices below close those paths.
Real-World Use
Blocking a compromised image from deploying, limiting which namespaces a developer can access, or preventing a container from running as root.
Docker Security
Image Scanning
# Scan images before deploying; each of these lists CVEs in the image's OS packages and language dependencies
docker scout quickview my-app:latest
trivy image my-app:latest
grype my-app:latest
# Integrate into CI/CD: exit non-zero (fail the build) if critical CVEs are found
trivy image --severity CRITICAL --exit-code 1 my-app:latest
Scan on a schedule as well as at build time: new CVEs are published against images that have not changed, and a build-time scan only knows what was in the vulnerability database that day.
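The --exit-code gate above is all-or-nothing. As an added example (not part of the original page and not Trivy's code), the script below reads Trivy's JSON report (trivy image --format json -o report.json my-app:latest) and applies a CI policy that fails only on CRITICAL/HIGH findings that already have a fix, reports unfixed ones without blocking (Trivy's --ignore-unfixed flag does the same), and adds time-boxed waivers that expire, so a temporary exception cannot quietly become permanent. The report, its CVE identifiers and package names are constructed placeholders, and the waiver table is hypothetical.

```python
import json
from datetime import date

# Constructed sample of `trivy image --format json` output. The key names are Trivy's;
# the CVE identifiers and packages are placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "Results": [
        {
            "Target": "my-app:latest (debian 12.5)",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-EXAMPLE-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-EXAMPLE-0002", "PkgName": "libexample2",
                 "InstalledVersion": "2.3-1", "Severity": "HIGH"},  # no FixedVersion: unfixed upstream
                {"VulnerabilityID": "CVE-EXAMPLE-0003", "PkgName": "libexample3",
                 "InstalledVersion": "0.9-1", "FixedVersion": "1.0-1", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-EXAMPLE-0004", "PkgName": "libexample4",
                 "InstalledVersion": "4.1-1", "FixedVersion": "4.2-1", "Severity": "MEDIUM"},
            ],
        },
        # Trivy emits null rather than [] for a target without findings.
        {"Target": "app/package-lock.json", "Type": "npm", "Vulnerabilities": None},
    ]
}

# Hypothetical time-boxed exceptions: a CVE is accepted until the given date and blocks again after it.
WAIVERS = {"CVE-EXAMPLE-0003": date(2025, 6, 30)}


def gate(report, today, fail_on=("CRITICAL", "HIGH"), waivers=WAIVERS):
    """Split findings into (blocking, waived, unfixed).

    blocking: severity in fail_on, a fixed version exists and no valid waiver -> fail the build
    waived:   would block, but an unexpired waiver covers it
    unfixed:  severity in fail_on but no fixed version -> reported, not blocking (nothing to do yet)
    """
    blocking, waived, unfixed = [], [], []
    for result in report.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            if v["Severity"] not in fail_on:
                continue
            fixed = v.get("FixedVersion")
            line = (f"{v['VulnerabilityID']} {v['PkgName']} {v['InstalledVersion']}"
                    f" -> {fixed or 'no fix yet'} [{v['Severity']}] in {result['Target']}")
            if not fixed:
                unfixed.append(line)
            elif waivers.get(v["VulnerabilityID"], date.min) >= today:
                waived.append(line)
            else:
                blocking.append(line)
    return blocking, waived, unfixed


def main(path=None, today=None):
    """Read a report (default: the constructed sample) and return the CI exit code."""
    report = json.load(open(path)) if path else SAMPLE_REPORT
    blocking, waived, unfixed = gate(report, today or date.today())
    for label, items in (("BLOCKING", blocking), ("WAIVED", waived), ("UNFIXED", unfixed)):
        for item in items:
            print(f"{label}: {item}")
    return 1 if blocking else 0


if __name__ == "__main__":
    import sys
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

Run it as the last step of the image build job and feed the same report to the ticketing system for the unfixed list, so that unfixed findings are tracked rather than silently dropped.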
Minimal Base Images
# ❌ Avoid: a full OS image carries a shell, a package manager and many packages, each a source of CVEs and of tools an attacker can use after a foothold
FROM ubuntu:22.04
# ✅ Use: distroless (no shell, no package manager) or a slim variant
FROM gcr.io/distroless/nodejs20-debian12 # Only the runtime and your app
FROM alpine:3.19 # Minimal packages (musl libc; check that your dependencies build and run against it)
FROM python:3.12-slim # Slim Debian variant
A smaller image still needs scanning, a rebuild whenever its base is patched, and a non-root USER instruction; the distroless images publish a :nonroot tag variant for that purpose.
Drop Capabilities
# Run with minimal Linux capabilities, no privilege escalation and a read-only root filesystem:
#   --cap-drop=ALL                    start from an empty capability set
#   --cap-add=NET_BIND_SERVICE        add back only what the app needs (here: binding a port below 1024)
#   --security-opt=no-new-privileges  setuid/setgid binaries cannot gain privileges
#   --read-only                       immutable root filesystem
#   --tmpfs /tmp                      writable scratch space the app still needs
docker run -d \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --security-opt=no-new-privileges \
  --read-only \
  --tmpfs /tmp \
  my-app
# Better still: listen on a port above 1024, run as a non-root user (--user 10001:10001) and add no capability at all; a non-root process does not receive --cap-add capabilities unless the binary carries file capabilities.
Kubernetes Security
RBAC (Role-Based Access Control)
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: developer-role
rules:
- apiGroups: [""]
  resources: ["pods", "services"]
  verbs: ["get", "list", "create", "update"]
- apiGroups: ["apps"]
  resources: ["deployments"]
  verbs: ["get", "list", "update"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  namespace: development
  name: dev-binding
subjects:
- kind: User
  name: alice@company.com
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io # the group only; "rbac.authorization.k8s.io/v1" is rejected by validation
Rule of Least Privilege: Grant only what's needed. Prefer namespaced Roles to ClusterRoles, never use "*" for apiGroups, resources or verbs, and treat create/update on pods or deployments as code execution in that namespace under any of its ServiceAccounts, so pair such grants with Pod Security admission and with ServiceAccounts that carry no more RBAC than the user. Check the result from the user's side with kubectl auth can-i --list --as alice@company.com -n development.
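Reviewing Roles by eye misses the grants that matter. The following is an added example, not kubectl's or any project's code: it audits Role/ClusterRole manifests (already parsed into dicts, as yaml.safe_load would return them) for the grants that commonly become escalation paths: wildcards, the escalate/bind/impersonate verbs, read access to Secrets, pods/exec, and create/update on workloads, which runs arbitrary code under any ServiceAccount in scope. Run against the developer-role above it flags that last point twice (pods, then deployments); the support ClusterRole is a hypothetical one of the kind that accumulates over time.

```python
# Constructed manifests as dicts (what yaml.safe_load returns for the YAML above).
DEVELOPER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "development", "name": "developer-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "create", "update"]},
        {"apiGroups": ["apps"], "resources": ["deployments"], "verbs": ["get", "list", "update"]},
    ],
}
# Hypothetical "support" ClusterRole: each rule looked harmless when it was added.
SUPPORT_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
    "metadata": {"name": "support"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods/exec", "pods/log"], "verbs": ["get", "create"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["rolebindings"],
         "verbs": ["create", "bind"]},
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
    ],
}

ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
EXEC_RESOURCES = {"pods/exec", "pods/attach", "pods/portforward", "nodes/proxy"}
WORKLOAD_RESOURCES = {"pods", "deployments", "replicasets", "statefulsets",
                      "daemonsets", "jobs", "cronjobs"}
WRITE_VERBS = {"create", "update", "patch"}


def audit_role(role):
    """Return findings for a Role or ClusterRole; an empty list means nothing risky was seen."""
    if role["kind"] == "ClusterRole":
        scope = "cluster-wide"
    else:
        scope = f"namespace {role['metadata']['namespace']}"
    findings = []
    for rule in role.get("rules", []):
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources or "*" in verbs:
            findings.append(f"wildcard grant ({scope}): apiGroups={sorted(groups)} "
                            f"resources={sorted(resources)} verbs={sorted(verbs)}")
        for verb in sorted(ESCALATION_VERBS & verbs):
            findings.append(f"verb {verb} on {sorted(resources)} ({scope}) lets the subject "
                            "grant itself more RBAC")
        # `list` returns full Secret objects, so it is read access just like `get`.
        if "secrets" in resources and verbs & {"get", "list", "watch"}:
            findings.append(f"read access to secrets ({scope}) exposes every credential in scope")
        for res in sorted(EXEC_RESOURCES & resources):
            if "create" in verbs:
                findings.append(f"create on {res} ({scope}) gives a shell in running containers")
        # A pod's image is mutable and a pod can use any ServiceAccount in its namespace,
        # so writing workloads is code execution with that ServiceAccount's RBAC.
        workloads = sorted(WORKLOAD_RESOURCES & resources)
        if workloads and verbs & WRITE_VERBS:
            findings.append(f"write access to {workloads} ({scope}) runs arbitrary code "
                            "under any ServiceAccount in scope")
    return findings


if __name__ == "__main__":
    for role in (DEVELOPER_ROLE, SUPPORT_ROLE):
        print(f"== {role['kind']} {role['metadata']['name']}")
        for finding in audit_role(role) or ["no findings"]:
            print("  -", finding)
```

Against a live cluster, kubectl get roles,clusterroles -A -o json gives the same dicts under .items; the findings are a review list, not a verdict, since some of these grants (pods/exec for an on-call group, say) are legitimate when scoped to one namespace and audited.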
Pod Security Standards
# Enforce at namespace level (Pod Security Admission, built into the API server since Kubernetes 1.25)
apiVersion: v1
kind: Namespace
metadata:
  name: secure-app
  labels:
    pod-security.kubernetes.io/enforce: restricted # reject pods that violate the level
    pod-security.kubernetes.io/audit: restricted # record violations in the audit log
    pod-security.kubernetes.io/warn: restricted # return violations as warnings to kubectl users
Label keys are case-sensitive: a mis-cased key such as pod-security.Kubernetes.io/warn is ignored without any error. Enforcement applies to Pod objects, so a violating Deployment is accepted and its pods simply never start; the warn and audit modes also check the pod templates of workloads, which is why they are set as well. Before enforcing, dry-run the level against existing workloads: kubectl label --dry-run=server --overwrite ns secure-app pod-security.kubernetes.io/enforce=restricted lists every pod that would be rejected.
Three levels:
| Level | What It Blocks |
|---|---|
| privileged | Nothing: unrestricted, and the behaviour when no label is set |
| baseline | Known privilege escalations: privileged containers, host namespaces (hostNetwork, hostPID, hostIPC), hostPath volumes, unsafe sysctls and most added capabilities. Running as root is still allowed |
| restricted | Everything baseline blocks, plus it requires runAsNonRoot: true, allowPrivilegeEscalation: false, dropping ALL capabilities (only NET_BIND_SERVICE may be added back), a RuntimeDefault or Localhost seccomp profile, and only the standard volume types |
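The table names the controls; the checker below shows what a pod spec must actually contain to pass restricted. It is an added example, not the admission controller's code, and covers only the main controls (host namespaces, volume types, privileged, allowPrivilegeEscalation, capabilities, runAsNonRoot/runAsUser, seccomp). INSECURE_POD and HARDENED_POD are constructed specs; the hardened one also sets readOnlyRootFilesystem and automountServiceAccountToken: false, which the standard does not require but a hardened pod should have.

```python
# Constructed pod specs as dicts (what yaml.safe_load returns). INSECURE_POD is the kind of
# manifest that "privileged" accepts and "restricted" rejects.
INSECURE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "hostNetwork": True,
        "containers": [{"name": "app", "image": "my-app:1.2.3",
                        "securityContext": {"privileged": True}}],
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
    },
}
# The same workload written to pass "restricted".
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "app"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "automountServiceAccountToken": False,  # not required by the standard; no API access needed
        "containers": [{"name": "app", "image": "my-app:1.2.3",
                        "securityContext": {"allowPrivilegeEscalation": False,
                                            "capabilities": {"drop": ["ALL"],
                                                             "add": ["NET_BIND_SERVICE"]},
                                            "readOnlyRootFilesystem": True},
                        "volumeMounts": [{"name": "tmp", "mountPath": "/tmp"}]}],
        "volumes": [{"name": "tmp", "emptyDir": {}}],
    },
}

# Volume types the restricted profile allows (everything else, hostPath included, is rejected).
RESTRICTED_VOLUME_TYPES = {"configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
                           "persistentVolumeClaim", "projected", "secret"}


def restricted_violations(pod):
    """Return the restricted-profile violations (baseline controls included); [] means it passes."""
    spec = pod["spec"]
    pod_sc = spec.get("securityContext", {})
    found = []
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            found.append(f"{field} must not be set")
    for vol in spec.get("volumes", []):
        for vol_type in (k for k in vol if k != "name"):
            if vol_type not in RESTRICTED_VOLUME_TYPES:
                found.append(f"volume {vol['name']}: {vol_type} volumes are not allowed")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc = c.get("securityContext", {})
        name = c["name"]
        if sc.get("privileged"):
            found.append(f"{name}: privileged containers are not allowed")
        if sc.get("allowPrivilegeEscalation") is not False:  # must be set explicitly
            found.append(f"{name}: allowPrivilegeEscalation must be false")
        caps = sc.get("capabilities", {})
        if "ALL" not in caps.get("drop", []):
            found.append(f"{name}: capabilities.drop must include ALL")
        if set(caps.get("add", [])) - {"NET_BIND_SERVICE"}:
            found.append(f"{name}: only NET_BIND_SERVICE may be added back")
        # Container-level settings override the pod-level ones.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            found.append(f"{name}: runAsNonRoot must be true")
        if sc.get("runAsUser", pod_sc.get("runAsUser")) == 0:
            found.append(f"{name}: runAsUser must not be 0")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile", {})).get("type")
        if seccomp not in ("RuntimeDefault", "Localhost"):
            found.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return found


if __name__ == "__main__":
    for label, pod in (("insecure", INSECURE_POD), ("hardened", HARDENED_POD)):
        print(f"== {label}: {restricted_violations(pod) or 'passes restricted'}")
```

The insecure pod collects seven violations, three of them (host namespace, hostPath, privileged) already at baseline; the other four are settings that are simply absent by default, which is why restricted is hard to adopt on existing workloads without the dry-run step.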
Network Policies
Pods accept traffic from anywhere until a NetworkPolicy selects them, so start every namespace with a default deny and add narrow allow rules. Policies are additive: a pod is isolated in a direction as soon as any policy selecting it lists that direction in policyTypes, and traffic is then allowed only if some selecting policy has a rule that matches. Both objects below are created in the namespace they protect.
# Default deny: selects every pod, declares both directions, allows nothing
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
  - Ingress
  - Egress
---
# Only api pods may reach the database, and only on 5432 (protocol defaults to TCP)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-only
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
  - Ingress
  ingress:
  - from:
    - podSelector:
        matchLabels:
          app: api
    ports:
    - port: 5432
Two caveats. NetworkPolicy is enforced by the CNI plugin: a cluster whose network plugin does not implement it (plain Flannel, for instance) accepts these objects and silently ignores them, so test that a denied connection really fails. And because deny-all also isolates egress, the api pods need their own egress rule to reach the database, and every pod needs an egress rule to kube-dns on port 53 (UDP and TCP) or name resolution stops.
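NetworkPolicy semantics are easy to get wrong: both directions are evaluated, policies are additive, and a selected pod with no matching rule is denied. The evaluator below, an added example rather than anything from the page or from a CNI, applies those rules to the two policies above plus two hypothetical ones (an egress rule for the api pods and a DNS egress rule to kube-dns) and shows that with only deny-all and allow-api-only the api pods cannot reach the database at all, because deny-all also isolated their egress. Pods, namespaces and policies are constructed; matchExpressions, ipBlock and endPort are not modelled.

```python
# Constructed cluster state: namespace labels as the API server sets them, and four pods.
NAMESPACES = {
    "prod": {"kubernetes.io/metadata.name": "prod"},
    "kube-system": {"kubernetes.io/metadata.name": "kube-system"},
}
PODS = {
    "web": {"ns": "prod", "labels": {"app": "web"}},
    "api": {"ns": "prod", "labels": {"app": "api"}},
    "db": {"ns": "prod", "labels": {"app": "database"}},
    "coredns": {"ns": "kube-system", "labels": {"k8s-app": "kube-dns"}},
}


def policy(name, ns, pod_selector, types=None, ingress=None, egress=None):
    """Build a NetworkPolicy dict with the same shape as the YAML manifests."""
    spec = {"podSelector": pod_selector}
    if types is not None:
        spec["policyTypes"] = types
    if ingress is not None:
        spec["ingress"] = ingress
    if egress is not None:
        spec["egress"] = egress
    return {"metadata": {"name": name, "namespace": ns}, "spec": spec}


# The two policies from the manifests above, applied in namespace prod.
DENY_ALL = policy("deny-all", "prod", {}, types=["Ingress", "Egress"])
ALLOW_API_TO_DB = policy("allow-api-only", "prod", {"matchLabels": {"app": "database"}},
                         ingress=[{"from": [{"podSelector": {"matchLabels": {"app": "api"}}}],
                                   "ports": [{"port": 5432}]}])
# Two hypothetical policies a default-deny namespace also needs.
ALLOW_API_EGRESS = policy("allow-api-egress", "prod", {"matchLabels": {"app": "api"}},
                          types=["Egress"],
                          egress=[{"to": [{"podSelector": {"matchLabels": {"app": "database"}}}],
                                   "ports": [{"port": 5432}]}])
ALLOW_DNS = policy("allow-dns-egress", "prod", {}, types=["Egress"],
                   egress=[{"to": [{"namespaceSelector": {"matchLabels": {
                                        "kubernetes.io/metadata.name": "kube-system"}},
                                    "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}}}],
                            "ports": [{"port": 53, "protocol": "UDP"},
                                      {"port": 53, "protocol": "TCP"}]}])
ALL_POLICIES = [DENY_ALL, ALLOW_API_TO_DB, ALLOW_API_EGRESS, ALLOW_DNS]


def selects(selector, labels):
    """matchLabels semantics: every listed label must match; {} selects everything."""
    return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())


def effective_types(spec):
    """policyTypes defaults to Ingress, plus Egress only when egress rules are present."""
    if "policyTypes" in spec:
        return set(spec["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in spec else {"Ingress"}


def peer_matches(peer, pod, policy_ns):
    """A from/to entry: namespaceSelector (optionally with podSelector) crosses namespaces,
    a bare podSelector only matches pods in the policy's own namespace."""
    if "namespaceSelector" in peer:
        return (selects(peer["namespaceSelector"], NAMESPACES[pod["ns"]])
                and selects(peer.get("podSelector", {}), pod["labels"]))
    return pod["ns"] == policy_ns and selects(peer["podSelector"], pod["labels"])


def port_matches(rule, port, proto):
    """No ports listed means all ports; protocol defaults to TCP."""
    ports = rule.get("ports")
    if not ports:
        return True
    return any(p["port"] == port and p.get("protocol", "TCP") == proto for p in ports)


def allowed(policies, src, dst, port, proto="TCP"):
    """Return (ok, reasons): traffic must pass src's egress isolation AND dst's ingress isolation."""
    reasons = []
    for direction, pod_name, other_name in (("Egress", src, dst), ("Ingress", dst, src)):
        pod, other = PODS[pod_name], PODS[other_name]
        isolating = [p for p in policies
                     if p["metadata"]["namespace"] == pod["ns"]
                     and selects(p["spec"]["podSelector"], pod["labels"])
                     and direction in effective_types(p["spec"])]
        if not isolating:
            continue  # nothing isolates this pod in this direction: allowed
        rule_key = direction.lower()
        peer_key = "to" if direction == "Egress" else "from"
        ok = any(
            (not rule.get(peer_key)  # missing or empty peer list means any peer
             or any(peer_matches(peer, other, p["metadata"]["namespace"]) for peer in rule[peer_key]))
            and port_matches(rule, port, proto)
            for p in isolating for rule in (p["spec"].get(rule_key) or []))
        if not ok:
            names = ",".join(p["metadata"]["name"] for p in isolating)
            reasons.append(f"{rule_key} of {pod_name} denied by {names}")
    return (not reasons, reasons)


if __name__ == "__main__":
    print("page policies only, api -> db:5432:", allowed([DENY_ALL, ALLOW_API_TO_DB], "api", "db", 5432))
    for src, dst, port, proto in (("api", "db", 5432, "TCP"), ("web", "db", 5432, "TCP"),
                                  ("api", "db", 22, "TCP"), ("db", "coredns", 53, "UDP")):
        print(f"all four, {src} -> {dst}:{port}/{proto}:", allowed(ALL_POLICIES, src, dst, port, proto))
```

The reasons list names every policy that isolates the pod in the failing direction, which is the first thing to look at when a connection is unexpectedly refused: if deny-all is the only name, no allow rule selects that pod at all.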
Secrets in Transit and at Rest
By default Kubernetes Secrets are only base64-encoded, not encrypted, in etcd; anyone who can read etcd or one of its backups reads every credential in the cluster. In transit they are covered by the TLS between clients, the API server and etcd. At rest you turn on an encryption provider in the API server; a KMS provider does envelope encryption with a key-encryption key that never leaves the external key service:
# Enable encryption of Secrets at rest (kube-apiserver flag):
--encryption-provider-config=/etc/kubernetes/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
  - secrets
  providers:
  - kms:
      apiVersion: v2 # KMS v2; the v1 plugin API (the one with cachesize) is deprecated since Kubernetes 1.28
      name: aws-kms
      endpoint: unix:///var/run/kms-plugin/socket.sock
  - identity: {} # plaintext fallback, listed last, so Secrets written before encryption was enabled stay readable
The first provider is used for writing and all of them for reading, so after enabling it rewrite the existing Secrets (kubectl get secrets --all-namespaces -o json | kubectl replace -f -) so they are stored encrypted, then remove identity from the list. Encryption at rest does not protect a Secret from anyone with get or list on the secrets resource, so restrict that via RBAC, and prefer mounting Secrets as files over environment variables, which show up in docker inspect output and crash dumps.
Supply Chain Security
# Sign images in CI, with a key pair (cosign generate-key-pair) or keyless with the CI job's OIDC identity.
# Sign and verify the digest, not the tag: a tag can be re-pointed at an unsigned image after it was verified.
# <digest> and <issuer-url> below are placeholders.
cosign sign --key cosign.key my-registry/my-app@sha256:<digest>
# Verify before deploying, with the public key...
cosign verify --key cosign.pub my-registry/my-app@sha256:<digest>
# ...or keyless: pin both the signer identity and the OIDC issuer that vouched for it (cosign 2.x requires both)
cosign verify my-registry/my-app@sha256:<digest> \
  --certificate-identity=ci@mycompany.com \
  --certificate-oidc-issuer=<issuer-url>
# Enforce signed images at admission: Sigstore policy-controller or Kyverno's verifyImages rule reject unsigned images; OPA/Gatekeeper can do the same only through an external-data provider
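A signature is bound to an image digest, while a tag can be re-pointed after verification, so manifests should reference the digest that was verified. The check below is an added example (not cosign's or any project's code) that walks a workload manifest and flags images that are not from a trusted registry or not pinned by digest. It also applies Docker's rule for deciding which part of a reference is the registry, which is why my-registry/my-app in the commands above actually resolves to docker.io/my-registry/my-app. The manifest, the digest and the registry name are constructed placeholders.

```python
import re

# Constructed Deployment manifest as a dict. The digest is a placeholder, not a real image.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "my-app"},
    "spec": {"template": {"spec": {
        "initContainers": [{"name": "migrate", "image": "registry.example.com/my-app:1.2.3"}],
        "containers": [
            {"name": "app", "image": "registry.example.com/my-app@sha256:" + "0123456789abcdef" * 4},
            {"name": "sidecar", "image": "nginx:latest"},
        ],
    }}},
}

# Hypothetical allowlist: the private registry whose images CI signs.
TRUSTED_REGISTRIES = {"registry.example.com"}
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def registry_of(image):
    """Docker's rule: the first path component is a registry only if it looks like a host
    (contains '.' or ':' or is 'localhost'); otherwise the image lives on docker.io.
    So 'my-registry/my-app' means docker.io/my-registry/my-app."""
    name = image.split("@", 1)[0]
    first, sep, _ = name.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def image_findings(manifest):
    """Flag images not from a trusted registry or not pinned by digest.
    Works for a bare Pod (spec.containers) or a workload with a pod template."""
    spec = manifest["spec"]
    pod_spec = spec.get("template", {}).get("spec", spec)
    findings = []
    for c in pod_spec.get("initContainers", []) + pod_spec.get("containers", []):
        image = c["image"]
        if registry_of(image) not in TRUSTED_REGISTRIES:
            findings.append(f"{c['name']}: {image} is not from a trusted registry")
        if not DIGEST_RE.search(image):
            findings.append(f"{c['name']}: {image} is not pinned by digest, so a verified "
                            "signature may not cover what the tag points to at deploy time")
    return findings


if __name__ == "__main__":
    for finding in image_findings(SAMPLE_DEPLOYMENT) or ["all images trusted and pinned"]:
        print(finding)
```

Run it over rendered manifests in CI (kubectl kustomize or helm template output) before they reach the admission controller; it is a cheap pre-check, not a replacement for signature verification at admission.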
Security Checklist
□ Use minimal base images
□ Scan for vulnerabilities in CI and on a schedule
□ Run as non-root user
□ Drop all capabilities, add only needed
□ Set resource limits
□ Use read-only root filesystem
□ Enable NetworkPolicies (default deny, including egress with a DNS allow rule)
□ Implement RBAC with least privilege
□ Enforce Pod Security Standards
□ Set automountServiceAccountToken: false on pods that don't call the API
□ Encrypt secrets at rest
□ Use private image registry
□ Pin images by digest and verify signatures at admission
□ Regular security audits
□ Enable audit logging
Common Attacks and Mitigations
| Attack | Mitigation |
|---|---|
| Container escape | No privileged containers, host namespaces or hostPath mounts; drop capabilities; seccomp and AppArmor profiles |
| Privilege escalation | securityContext.allowPrivilegeEscalation: false, runAsNonRoot: true, no-new-privileges |
| Cryptomining | Resource limits bound the damage; egress network policies and an allowlist of registries at admission stop the payload |
| Data exfiltration | Egress network policies, Secrets mounted as files rather than env vars, RBAC on get/list secrets |
| Supply chain attack | Image signing with digest pinning, scanning, private registry |
| RBAC abuse | Minimal permissions, no wildcards, audit logging, regular kubectl auth can-i reviews |
Built by the developers of DodaTech
Doda Browser, DodaZIP & Durga Antivirus Pro