Docker and Kubernetes Security Best Practices

DodaTech 3 min read

In this tutorial, you'll learn about Docker and Kubernetes Security Best Practices. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

What You'll Learn

Secure your container infrastructure — Docker image hardening, Kubernetes RBAC, network policies, Pod Security Standards, and Supply Chain Security.

Why It Matters

Container security is a shared responsibility. A single vulnerability can expose your entire cluster. These practices prevent the most common attacks.

Real-World Use

Blocking a compromised image from deploying, limiting which namespaces a developer can access, or preventing a container from running as root.

Docker Security

Image Scanning

# Scan images before deploying
docker scout quick my-app:latest
trivy image my-app:latest
grype my-app:latest

# Integrate into CI/CD — fail if critical CVEs found
trivy image --severity CRITICAL --exit-code 1 my-app:latest

Minimal Base Images

# ❌ Avoid: Full OS with unnecessary tools
FROM ubuntu:22.04  # ~250 packages

# ✅ Use: Distroless or slim
FROM gcr.io/distroless/nodejs20  # Only app + runtime deps
FROM alpine:3.19                 # Minimal packages
FROM python:3.12-slim            # Slim Debian variant

Drop Capabilities

# Run with minimal Linux capabilities
docker run -d \
  --cap-drop=ALL \
  --cap-add=NET_BIND_SERVICE \
  --security-opt=no-new-privileges \
  --read-only \
  my-app

Kubernetes Security

RBAC (Role-Based Access Control)

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: development
  name: developer-role
rules:
  - apiGroups: [""]
    resources: ["pods", "services"]
    verbs: ["get", "list", "create", "update"]

  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list", "update"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: development
  name: dev-binding
subjects:
  - kind: User
    name: alice@company.com
roleRef:
  kind: Role
  name: developer-role
  apiGroup: rbac.authorization.k8s.io   # group only; a version suffix here is rejected by the API server

Rule of Least Privilege: Grant only what's needed.
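A least-privilege review is easier to repeat if it is scripted. The following is an added example (not code from the original tutorial or from DodaTech) that audits Role/ClusterRole rules and RoleBindings given as Python dicts, i.e. the structure `yaml.safe_load()` would produce for the manifests above. The flagged patterns (wildcards, RBAC-escalating verbs, secret reads, exec into pods, bindings to everyone or to cluster-admin, and the `roleRef.apiGroup` version-suffix mistake) and the wording of the findings are this example's own choices, not a Kubernetes API; `BROAD_ROLE` and `BAD_BINDING` are constructed counter-examples.

```python
"""Audit Kubernetes RBAC objects for grants that exceed least privilege.

Added example, not part of the original tutorial. Roles and bindings are
given as dicts (what yaml.safe_load() returns for a manifest). The flagged
patterns and wording are this example's own; they are not a Kubernetes API.
"""
from typing import Dict, List

# Verbs on RBAC resources that let a subject widen its own permissions.
ESCALATION_VERBS = {"escalate", "bind", "impersonate"}
# Subresources that amount to code execution inside a running pod.
EXEC_SUBRESOURCES = {"pods/exec", "pods/attach", "pods/portforward"}
# Groups that include every caller, so binding them defeats RBAC.
EVERYONE_GROUPS = {"system:authenticated", "system:unauthenticated"}
RBAC_API_GROUP = "rbac.authorization.k8s.io"


def audit_role(role: Dict) -> List[str]:
    """Return findings for a Role or ClusterRole; empty means nothing flagged."""
    findings: List[str] = []
    name = role.get("metadata", {}).get("name", "<unnamed>")
    for idx, rule in enumerate(role.get("rules", [])):
        where = f"{role.get('kind', 'Role')} {name} rule[{idx}]"
        groups = set(rule.get("apiGroups", []))
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if "*" in groups or "*" in resources:
            findings.append(f"{where}: wildcard apiGroups/resources grants every object in scope")
        if "*" in verbs:
            findings.append(f"{where}: wildcard verbs grants every action")
        for verb in sorted(ESCALATION_VERBS & verbs):
            findings.append(f"{where}: verb '{verb}' allows widening RBAC rights")
        if "secrets" in resources and verbs & {"get", "list", "watch", "*"}:
            findings.append(f"{where}: reads secrets; confirm the workload needs this")
        for sub in sorted(EXEC_SUBRESOURCES & resources):
            findings.append(f"{where}: '{sub}' is code execution inside pods")
    return findings


def audit_binding(binding: Dict) -> List[str]:
    """Return findings for a RoleBinding or ClusterRoleBinding."""
    findings: List[str] = []
    name = binding.get("metadata", {}).get("name", "<unnamed>")
    ref = binding.get("roleRef", {})
    if ref.get("apiGroup") != RBAC_API_GROUP:
        findings.append(f"{name}: roleRef.apiGroup must be '{RBAC_API_GROUP}' (no version suffix)")
    if ref.get("kind") == "ClusterRole" and ref.get("name") == "cluster-admin":
        findings.append(f"{name}: binds cluster-admin; use a narrower role")
    for subj in binding.get("subjects", []):
        if subj.get("kind") == "Group" and subj.get("name") in EVERYONE_GROUPS:
            findings.append(f"{name}: grants to {subj['name']}, i.e. everyone")
    return findings


# The tutorial's developer-role, as a dict (nothing to flag).
DEVELOPER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "development", "name": "developer-role"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "services"],
         "verbs": ["get", "list", "create", "update"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "update"]},
    ],
}

# Constructed counter-example: a "convenience" role that is far too broad.
BROAD_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "Role",
    "metadata": {"namespace": "development", "name": "ops-role"},
    "rules": [
        {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
        {"apiGroups": [""], "resources": ["secrets", "pods/exec"],
         "verbs": ["get", "list", "create"]},
    ],
}

# Constructed binding: everyone-group subject plus the version-suffix mistake.
BAD_BINDING = {
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "RoleBinding",
    "metadata": {"namespace": "development", "name": "dev-binding"},
    "subjects": [{"kind": "Group", "name": "system:authenticated"}],
    "roleRef": {"kind": "Role", "name": "developer-role",
                "apiGroup": "rbac.authorization.k8s.io/v1"},
}

if __name__ == "__main__":
    for obj, fn in ((DEVELOPER_ROLE, audit_role), (BROAD_ROLE, audit_role),
                    (BAD_BINDING, audit_binding)):
        print(obj["metadata"]["name"], "->", fn(obj) or "ok")
```

Run it over a directory of manifests by loading each file with PyYAML and dispatching on `kind`; the same functions also work on live objects exported with `kubectl get roles,rolebindings -A -o yaml`, since the structure is identical.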

Pod Security Standards

# Enforce at namespace level
apiVersion: v1
kind: Namespace
metadata:
  name: secure-app
  labels:
    pod-security.kubernetes.io/enforce: restricted
    pod-security.kubernetes.io/audit: restricted
    pod-security.kubernetes.io/warn: baseline

Three levels:

Level       | What It Blocks
------------|------------------------------------------------
privileged  | No restrictions (default)
baseline    | Most common escalations (root, host networking)
restricted  | All known escalations (strict)
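To see what the `restricted` label actually demands of a Pod, here is an added example (not code from the original tutorial or from DodaTech) that checks a Pod manifest, given as the dict `yaml.safe_load()` would return, against the published restricted profile: host namespaces off, only the allowed volume types, no privileged containers, `allowPrivilegeEscalation` explicitly false, `drop: [ALL]` with at most `NET_BIND_SERVICE` added back, an effective `runAsNonRoot: true`, no `runAsUser: 0`, and a `RuntimeDefault` or `Localhost` seccomp profile. The two sample Pods are constructed for this example; `HARDENED_POD` doubles as a template for a spec that the namespace above will admit.

```python
"""Check a Pod manifest against the Pod Security Standards 'restricted' profile.

Added example, not from the original tutorial. The checks mirror the
published 'restricted' profile (which includes the 'baseline' checks); the
manifest is a dict, i.e. what yaml.safe_load() produces. Sample pods below
are constructed for this example.
"""
from typing import Any, Dict, List

# Volume types the restricted profile permits; everything else (hostPath,
# nfs, gitRepo, ...) is rejected.
ALLOWED_VOLUME_TYPES = {
    "configMap", "csi", "downwardAPI", "emptyDir", "ephemeral",
    "persistentVolumeClaim", "projected", "secret",
}
ALLOWED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _effective(container_sc: Dict, pod_sc: Dict, key: str) -> Any:
    """A container-level securityContext field overrides the pod-level one."""
    return container_sc[key] if key in container_sc else pod_sc.get(key)


def check_restricted(pod: Dict) -> List[str]:
    """Return human-readable violations; an empty list means compliant."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings: List[str] = []

    # Pod-level (baseline) checks: host namespaces and volume types.
    for field in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(field):
            findings.append(f"spec.{field} must be false")
    for vol in spec.get("volumes", []):
        for vol_type in sorted(vol.keys() - {"name"}):
            if vol_type not in ALLOWED_VOLUME_TYPES:
                findings.append(f"volume {vol['name']} uses disallowed type {vol_type}")

    # Container-level checks apply to init and regular containers alike.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        caps = sc.get("capabilities", {})
        if sc.get("privileged"):
            findings.append(f"container {name}: privileged must be false")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"container {name}: allowPrivilegeEscalation must be explicitly false")
        if "ALL" not in {x.upper() for x in caps.get("drop", [])}:
            findings.append(f"container {name}: capabilities.drop must include ALL")
        extra = {x.upper() for x in caps.get("add", [])} - {"NET_BIND_SERVICE"}
        if extra:
            findings.append(f"container {name}: capabilities.add only permits NET_BIND_SERVICE, got {sorted(extra)}")
        if _effective(sc, pod_sc, "runAsNonRoot") is not True:
            findings.append(f"container {name}: runAsNonRoot must resolve to true")
        if _effective(sc, pod_sc, "runAsUser") == 0:
            findings.append(f"container {name}: runAsUser 0 (root) is not allowed")
        seccomp = _effective(sc, pod_sc, "seccompProfile") or {}
        if seccomp.get("type") not in ALLOWED_SECCOMP:
            findings.append(f"container {name}: seccompProfile.type must be RuntimeDefault or Localhost")
    return findings


# Constructed sample: a typical unhardened spec (what 'privileged' lets through).
DEFAULT_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "secure-app"},
    "spec": {
        "hostNetwork": True,
        "volumes": [{"name": "logs", "hostPath": {"path": "/var/log"}}],
        "containers": [{"name": "web", "image": "my-app:latest",
                        "securityContext": {"privileged": True}}],
    },
}

# Constructed sample: the same workload written to pass 'restricted'.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "web", "namespace": "secure-app"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True, "runAsUser": 10001,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "volumes": [{"name": "logs", "emptyDir": {}}],
        "containers": [{
            "name": "web", "image": "my-app:latest",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
            },
        }],
    },
}

if __name__ == "__main__":
    for label, pod in (("default", DEFAULT_POD), ("hardened", HARDENED_POD)):
        violations = check_restricted(pod)
        print(f"{label}: {len(violations)} violation(s)")
        for line in violations:
            print("  -", line)
```

The admission controller reports the same classes of violation when the `enforce` label is set; running this check in CI catches them before a Deployment rollout silently fails to create Pods.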

Network Policies

# Default deny: an empty podSelector matches every pod in the namespace, and
# listing both policy types with no rules blocks all ingress and egress.
# Apply one of these per namespace (it only affects the namespace it lives in).
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
---
# Then allow only what is needed: pods labelled app=api may reach the
# database pods, and only on 5432 (TCP is the default protocol).
# Note: the deny-all egress rule above also blocks DNS, so workloads that
# need name resolution require an additional egress policy to kube-dns.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-api-only
spec:
  podSelector:
    matchLabels:
      app: database
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: api
      ports:
        - port: 5432

Secrets in Transit and at Rest

# Enable KMS envelope encryption for Secrets stored in etcd.
# Point kube-apiserver at the configuration file:
#   --encryption-provider-config=/etc/kubernetes/encryption-config.yaml

# /etc/kubernetes/encryption-config.yaml
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets
    providers:
      # First provider is used for writes; readers try each in order.
      - kms:
          name: aws-kms
          cachesize: 100
          endpoint: unix:///var/run/kms-plugin/socket.sock
      # Fallback so Secrets written before encryption was enabled stay
      # readable; re-write them (kubectl get secrets -A -o json | kubectl replace -f -)
      # to migrate, then the identity provider can be removed.
      - identity: {}

Supply Chain Security

# Sign images in CI with a key pair
cosign sign --key cosign.key my-registry/my-app:latest

# Verify with the matching public key before deploying
cosign verify --key cosign.pub my-registry/my-app:latest

# Keyless (Sigstore/Fulcio) verification needs both the expected signer
# identity and the OIDC issuer that vouched for it; <oidc-issuer-url>
# is a placeholder for your CI provider's issuer
cosign verify my-registry/my-app:latest \
  --certificate-identity=ci@mycompany.com \
  --certificate-oidc-issuer=https://<oidc-issuer-url>

# Enforce signed images at admission with OPA/Gatekeeper

Security Checklist

□ Use minimal base images
□ Scan for vulnerabilities in CI
□ Run as non-root user
□ Drop all capabilities, add only needed
□ Set resource limits
□ Use read-only root filesystem
□ Enable NetworkPolicies (default deny)
□ Implement RBAC with least privilege
□ Enforce Pod Security Standards
□ Encrypt secrets at rest
□ Use private image registry
□ Regular security audits
□ Enable audit logging

Common Attacks and Mitigations

Attack               | Mitigation
---------------------|------------------------------------------------
Container escape     | Drop capabilities, seccomp, AppArmor
Privilege escalation | securityContext.allowPrivilegeEscalation: false
Cryptomining         | Resource limits, admission control
Data exfiltration    | Network policies
Supply chain attack  | Image signing, scanning
RBAC abuse           | Minimal permissions, audit
