references.md
References

Docker

Docker Security (official github)

Docker Security Options

Docker Compose Configuration

Containers Security toolkit

Kubernetes

Kubeadm

Installing kubeadm

Creating a cluster with kubeadm

Cluster Networking

Calico network plugin

Flannel network plugin

Extra

Security features from the CIS Docker Benchmark, section 5 (Container Runtime Configuration).

  1. AppArmor

AppArmor (Application Armor) is a Linux Security Module (LSM). It protects the operating system by applying profiles to individual applications or containers. In contrast to managing capabilities with CAP_DROP and syscalls with seccomp, AppArmor allows for much finer-grained control: for example, a profile can restrict file operations on specified paths. Docker applies its built-in docker-default profile to every container unless `--security-opt apparmor=<profile>` (or `apparmor=unconfined`) is given.

AppArmor security profiles for Docker

Protect containers with AppArmor (Spanish article: "Protege contenedores con AppArmor")
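The following is an added example, not code from the referenced page or from Docker: it renders a minimal AppArmor profile for a container and checks, under a simplified model of AppArmor's path rules, whether a given file access would be permitted. The profile name `docker-webapp` and the rule set are constructed for illustration; the matcher models only file rules with permissions r/w/a/k/l/m/x and the globs `*` (within one path component) and `**` (across components), using AppArmor's default-deny and deny-over-allow semantics.

```python
"""Added example (not code from the referenced page or repo): render a minimal
AppArmor profile for a container and check, under a simplified model of
AppArmor path rules, whether a given file access would be permitted.

Assumptions (not from the page): the profile name "docker-webapp" and the rule
set below are constructed; the matcher models only file rules with permissions
r/w/a/k/l/m/x and the globs '*' (within one path component) and '**' (across
components), with AppArmor's default-deny and deny-over-allow semantics.
"""
import re

PROFILE_NAME = "docker-webapp"   # assumed profile name

# Constructed rule set: (path glob, permission string, is_deny).
RULES = [
    ("/**",            "r",   False),  # read anything the image ships
    ("/usr/bin/**",    "ix",  False),  # exec, inheriting this profile
    ("/var/www/**",    "rw",  False),  # the app's own writable tree
    ("/tmp/**",        "rwk", False),  # scratch space, incl. file locks
    ("/etc/**",        "w",   True),   # never modify configuration
    ("/proc/sys/**",   "w",   True),   # no sysctl writes
    ("/sys/**",        "w",   True),
    ("/**/.ssh/**",    "r",   True),   # SSH keys are never readable
]


def render_profile(name: str = PROFILE_NAME, rules=RULES) -> str:
    """Emit profile text in the form apparmor_parser(8) accepts."""
    out = [
        "#include <tunables/global>",
        "",
        f"profile {name} flags=(attach_disconnected,mediate_deleted) {{",
        "  #include <abstractions/base>",
        "",
        "  network inet tcp,",
        "  deny mount,",
        "  deny capability sys_admin,",
        "",
    ]
    for path, perms, deny in rules:
        out.append(f"  {'deny ' if deny else ''}{path} {perms},")
    out.append("}")
    return "\n".join(out) + "\n"


def _glob_to_regex(glob: str) -> "re.Pattern[str]":
    """'**' matches across '/', '*' matches within one path component."""
    pat, i = "", 0
    while i < len(glob):
        if glob.startswith("**", i):
            pat += ".*"
            i += 2
        elif glob[i] == "*":
            pat += "[^/]*"
            i += 1
        else:
            pat += re.escape(glob[i])
            i += 1
    return re.compile(f"^{pat}$")


def _letters(perms: str) -> set:
    # Drop exec qualifiers (i/p/u/c) so "ix" counts as plain "x".
    return {c for c in perms if c in "rwaklmx"}


def check_access(path: str, perm: str, rules=RULES) -> bool:
    """True only if every requested permission is granted by some allow rule
    and no deny rule covers any of them (AppArmor: default deny, deny wins)."""
    wanted = _letters(perm)
    granted = set()
    for glob, perms, deny in rules:
        if not _glob_to_regex(glob).match(path):
            continue
        if deny:
            if wanted & _letters(perms):
                return False
        else:
            granted |= _letters(perms)
    return wanted <= granted


if __name__ == "__main__":
    print(render_profile())
    for p, m in [("/etc/passwd", "r"), ("/etc/passwd", "w"),
                 ("/var/www/html/index.html", "w"), ("/root/.ssh/id_rsa", "r")]:
        print(f"{m:>2} {p}: {'allowed' if check_access(p, m) else 'DENIED'}")
```

To use the rendered profile on a host: save it as `/etc/apparmor.d/docker-webapp`, load it with `sudo apparmor_parser -r -W /etc/apparmor.d/docker-webapp`, start the container with `docker run --security-opt apparmor=docker-webapp ...`, and confirm confinement with `aa-status` (or `cat /proc/<pid>/attr/current` for a process inside the container). The matcher is a model for reasoning about a rule set before loading it; the kernel's own decision is what counts, so test the real profile in complain mode first.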

  2. SELinux

The Docker daemon relies on an OCI-compliant runtime (invoked via the containerd daemon) as its interface to the Linux kernel namespaces, cgroups, and SELinux. On SELinux-enabled hosts the daemon's `--selinux-enabled` option (or `"selinux-enabled": true` in daemon.json) turns on container labeling, so each container's processes and files carry their own MCS label and cannot touch another container's files even if the discretionary permissions would allow it.

Secure your containers with SELinux

  3. Seccomp

Seccomp is a sandboxing facility in the Linux kernel that acts like a firewall for system calls (syscalls). It uses Berkeley Packet Filter (BPF) rules to filter syscalls and control how they are handled. These filters can significantly limit a container's access to the Docker host's Linux kernel, especially for simple containers/applications.

The docker/no-chmod.json file is a profile with the chmod(), fchmod(), and fchmodat() syscalls removed from its allowlist (the syscall is named fchmodat, not chmodat). A custom profile is applied per container with `docker run --security-opt seccomp=/path/to/no-chmod.json ...`; inside such a container, chmod fails with "Operation not permitted".
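The following is an added example, not code from the page or from Docker: it builds a small Docker-style seccomp profile (the same JSON shape Docker's default profile uses: `defaultAction`, `architectures`, and a `syscalls` list of `names`/`action`/`args` rules), derives a "no-chmod" variant the way docker/no-chmod.json does, and resolves which action the profile assigns to a given syscall. The allowlist is a constructed subset for illustration, not Docker's default profile, and the resolver uses first-match over the rule list, which is a simplification of libseccomp's precedence rules.

```python
"""Added example (not from the page or from Docker): build a Docker-style
seccomp profile, derive a no-chmod variant, and resolve a syscall's action.

Assumptions (not from the page): ALLOWED_SYSCALLS is a constructed subset,
not Docker's default profile; resolve_action() uses first-match over the
rule list, a simplification of libseccomp's own precedence handling.
"""
import copy
import json

# Constructed allowlist: a small subset for demonstration only.
ALLOWED_SYSCALLS = [
    "read", "write", "open", "openat", "close", "fstat", "stat", "lstat",
    "mmap", "mprotect", "munmap", "brk", "rt_sigaction", "rt_sigprocmask",
    "ioctl", "access", "pipe", "dup", "dup2", "getpid", "socket", "connect",
    "accept", "bind", "listen", "clone", "execve", "exit", "exit_group",
    "wait4", "fcntl", "getdents64", "getcwd", "chdir", "mkdir", "unlink",
    "chmod", "fchmod", "fchmodat", "chown", "fchown", "nanosleep",
]

# The three syscalls docker/no-chmod.json drops from the allowlist.
CHMOD_FAMILY = ["chmod", "fchmod", "fchmodat"]


def base_profile() -> dict:
    """Default-deny profile: anything not listed fails with EPERM (errno 1)."""
    return {
        "defaultAction": "SCMP_ACT_ERRNO",
        "defaultErrnoRet": 1,
        "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_X86", "SCMP_ARCH_X32"],
        "syscalls": [
            {   # argument-filtered rule: personality(0) only
                "names": ["personality"],
                "action": "SCMP_ACT_ALLOW",
                "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}],
            },
            {"names": sorted(ALLOWED_SYSCALLS), "action": "SCMP_ACT_ALLOW", "args": []},
        ],
    }


def without(profile: dict, names) -> dict:
    """Copy of profile with the given syscalls removed from every ALLOW rule,
    so they fall through to defaultAction."""
    drop = set(names)
    out = copy.deepcopy(profile)
    for rule in out["syscalls"]:
        if rule["action"] == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule["names"] if n not in drop]
    out["syscalls"] = [r for r in out["syscalls"] if r["names"]]
    return out


# OCI/libseccomp comparison ops; MASKED_EQ compares (arg & value) to valueTwo.
_OPS = {
    "SCMP_CMP_EQ": lambda a, v, v2: a == v,
    "SCMP_CMP_NE": lambda a, v, v2: a != v,
    "SCMP_CMP_LT": lambda a, v, v2: a < v,
    "SCMP_CMP_LE": lambda a, v, v2: a <= v,
    "SCMP_CMP_GT": lambda a, v, v2: a > v,
    "SCMP_CMP_GE": lambda a, v, v2: a >= v,
    "SCMP_CMP_MASKED_EQ": lambda a, v, v2: (a & v) == v2,
}


def _args_match(conds, args) -> bool:
    for c in conds:
        if c["index"] >= len(args):
            return False
        if not _OPS[c["op"]](args[c["index"]], c["value"], c.get("valueTwo", 0)):
            return False
    return True


def resolve_action(profile: dict, syscall: str, args=None) -> str:
    """Action for a syscall (optionally with concrete argument values):
    first rule whose names and arg conditions match, else defaultAction."""
    for rule in profile["syscalls"]:
        if syscall not in rule.get("names", []):
            continue
        conds = rule.get("args") or []
        if conds and not _args_match(conds, args or []):
            continue
        return rule["action"]
    return profile["defaultAction"]


def to_json(profile: dict) -> str:
    return json.dumps(profile, indent=2)


def parse_profile(text: str) -> dict:
    return json.loads(text)


if __name__ == "__main__":
    # Write this to no-chmod.json and apply with --security-opt seccomp=...
    print(to_json(without(base_profile(), CHMOD_FAMILY)))
```

Redirect the script's output to a file and start a container with `docker run --rm -it --security-opt seccomp=no-chmod.json <image>`; a `chmod 600 /some/file` inside then fails with EPERM while reads and writes still work. `docker info` reports whether the default profile is active, and `--security-opt seccomp=unconfined` disables filtering entirely, which is what CIS 5.21 tells you not to do in production.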