Container and Kubernetes security patterns including Docker hardening, image scanning, pod security standards, network policies, RBAC, secrets management, and runtime protection. Use when securing containerized applications, building secure images, or configuring Kubernetes security controls.
Source: melodic-software/claude-code-plugins (security plugin), January 21, 2026
# Container Security
## Overview
This skill covers security best practices for containerized applications, including Docker image hardening, Kubernetes security configurations, image vulnerability scanning, and runtime protection.
**Keywords:** container security, Docker, Kubernetes, image scanning, Dockerfile, pod security, network policies, RBAC, container runtime, Trivy, Falco, gVisor, seccomp, AppArmor, distroless, rootless containers
## When to Use This Skill
- Building secure Docker images
- Configuring Kubernetes pod security
- Setting up container vulnerability scanning
- Implementing Kubernetes RBAC
- Configuring network policies
- Managing secrets in Kubernetes
- Setting up runtime security monitoring
## Container Security Layers
| Layer | Controls | Tools |
| --- | --- | --- |
| **Image** | Minimal base, vulnerability scanning, signing | Trivy, Cosign, Grype |
| **Build** | Multi-stage builds, non-root, no secrets | Docker, Buildah, Kaniko |
| **Registry** | Scanning, signing verification, access control | Harbor, ECR, ACR |
| **Runtime** | Seccomp, AppArmor, read-only root | gVisor, Kata, Falco |
| **Orchestration** | Pod security, RBAC, network policies | Kubernetes, OPA/Gatekeeper |
| **Secrets** | Encrypted at rest, external providers | Vault, Sealed Secrets, ESO |
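As an added example (not code from the plugin), a small Python audit that checks a Pod manifest for the Runtime and Orchestration controls the table names: non-root, no privilege escalation, dropped capabilities, read-only root filesystem, a seccomp profile and a pinned image tag. The field names are the standard Kubernetes `securityContext` fields; the sample manifests are constructed.

```python
"""Audit a Kubernetes Pod spec (parsed into a dict) against the pod-security
controls from the layers table. Assumed helper, not the plugin's own code."""

RESTRICTED_SECCOMP = {"RuntimeDefault", "Localhost"}


def _effective(pod_sc, ctr_sc, key):
    """Container-level securityContext overrides the pod-level value."""
    return ctr_sc[key] if key in ctr_sc else pod_sc.get(key)


def audit_pod(pod):
    """Return 'container: finding' strings; an empty list means every check passed."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})
    findings = []
    for ctr in spec.get("containers", []) + spec.get("initContainers", []):
        name = ctr.get("name", "<unnamed>")
        sc = ctr.get("securityContext", {})
        image = ctr.get("image", "")
        if sc.get("privileged"):
            findings.append(f"{name}: privileged container")
        if _effective(pod_sc, sc, "runAsNonRoot") is not True:
            findings.append(f"{name}: runAsNonRoot not set to true")
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{name}: allowPrivilegeEscalation must be false")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities.drop must include ALL")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{name}: readOnlyRootFilesystem not true")
        seccomp = _effective(pod_sc, sc, "seccompProfile") or {}
        if seccomp.get("type") not in RESTRICTED_SECCOMP:
            findings.append(f"{name}: seccompProfile.type must be RuntimeDefault or Localhost")
        if ":" not in image or ":latest" in image:  # digest or tag required, never :latest
            findings.append(f"{name}: image tag not pinned")
    return findings


# Constructed sample manifests (not from the page).
WEAK_POD = {"spec": {"containers": [{"name": "web", "image": "nginx:latest"}]}}
HARDENED_POD = {"spec": {
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [{"name": "web", "image": "nginx:1.25.3", "securityContext": {
        "allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
        "capabilities": {"drop": ["ALL"]}}}]}}

if __name__ == "__main__":
    for label, pod in (("weak", WEAK_POD), ("hardened", HARDENED_POD)):
        print(label, audit_pod(pod) or ["ok"])
```

The weak manifest produces six findings and the hardened one none; running it in CI against rendered manifests is one way to enforce the table's controls before admission.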
## Secure Dockerfile Patterns
### Minimal Secure Dockerfile
```dockerfile
# Use a specific version, not :latest
FROM node:20.10-alpine3.19 AS builder
# Create non-root user early
RUN addgroup -g 1001 -S appgroup && \
    adduser -u 1001 -S appuser -G appgroup
WORKDIR /app
# Copy dependency files first (layer caching)
COPY package*.json ./
# Install dependencies with security flags:
# --omit=dev replaces the deprecated --only=production, --ignore-scripts blocks
# package lifecycle scripts. If `npm run build` needs devDependencies, install
# them here (`npm ci --ignore-scripts`) and run `npm prune --omit=dev` after the build.
RUN npm ci --omit=dev --ignore-scripts && \
    npm cache clean --force
# Copy application code
COPY --chown=appuser:appgroup . .
# Build if needed
RUN npm run build
# --- Production Stage ---
FROM node:20.10-alpine3.19 AS production
# Security: Don't run as root
RUN addgroup -g 1001 -S appg