Container Technology Wiki
Docker Containers
- Docker 101
- Basic Docker Operations
- Docker Administration
- Docker Security Resources
- Docker OS Interaction
- Docker With Other Tools
- Docker API
- Docker Compose
Kubernetes Guide
- Kubernetes 101
-
Kubernetes Architecture
- Kubernetes Ecosystem
- Kubernetes Nodes
- Kubernetes Pods
- Kubernetes Controllers and Control Plane
- Kubernetes DaemonSets
- Container Runtime Interface
- Working with Containers in Kubernetes
- Working with Images in Kubernetes
- Workloads in Kubernetes
- Kubernetes Services
- Kubernetes Jobs
- Kubernetes and Microservices
- Kubernetes Operators
- Kubernetes Persistent Volumes
- Kubernetes Advantages and Use Cases
-
Kubernetes Operations
- Installing Kubernetes
- Kubernetes Configuration
- Kubernetes Monitoring
- Kubernetes Debugging and Troubleshooting
- Kubernetes Load Balancing
- Kubernetes Security
- Kubernetes Networking
- Kubernetes Storage Management
- Kubernetes in Production
- Working with Kubernetes Ingress
- Kubernetes Security Best Practices
- Managing Kubernetes with Kops and Kubeadm
- Kubernetes Secrets
- Kubernetes Autoscaling
- Kubernetes ConfigMap
- Kubernetes Namespace
- Kubernetes Authentication
- Kubernetes Vault
- CIS Kubernetes Benchmark
- Kubernetes Cluster
- Kubernetes as a Service
- Managed Kubernetes
- Kubernetes Distributions
- Enterprise Kubernetes
Container Basics
- Container Architecture
- Advantages of Containers
- Container Challenges
- Containers and IT Infrastructure
- Enterprise DevOps
- eBPF
- eBPF Linux
Containers Ops
- Container Security Management
- Container Deployment
- Container Monitoring
- Container Automation
- Container Multitenancy
- Container Backup and Disaster Recovery
- Prometheus Monitoring
Container Security
- Container Security Best Practices
- Containers for DevSecOps
- Container Vulnerabilities and Threats
- Container Vulnerability Scanning
- Container Secrets Management
- Container Access Control
- Container Audits and Compliance
- Application Whitelisting
- Zero Trust Networks
- Network Segmentation for Containers
- Container Isolation
- Open Source Security Tools for Containers
- Open Source Vulnerability Scanner
- Open Source Security Tools
- Container Security Tools
Cloud Native Computing Foundation
- AWS EC2 Security
- Cloud-Native Applications
- Cloud-Native Architecture
- Cloud Native AWS
- Cloud Native Development
- Cloud Native Infrastructure
- Cloud Native Security
- Envoy Proxy
- Harbor Kubernetes
- Open Policy Agent
- Oracle Cloud Security
- SaaS Cloud Security
- Security Issues in Cloud Computing
- SPIFFE
- VMware Tanzu
Serverless Computing
- Serverless Architecture
- AWS Lambda
- Azure Functions
- Google Cloud Functions
- Serverless Security
- On-Premises Serverless Platforms
- Function as a Service - FaaS
- Knative
- Serverless vs Containers
Container Platforms
- Containers and Cloud Computing
- Container Operating Systems
- Red Hat Openshift
- Pivotal Container Service
- Multi-Cloud Strategy
- Kubernetes vs Cloud Foundry
- CWPP
Other Container Engines
Kubernetes Alternatives
Container Community and Events
- Container Technology Wiki
- Docker Containers
- Docker Security Resources
- Isolating Docker Containers
Isolating Docker Containers
Docker container technology increases the default security by creating isolation layers between applications and between the application and host and reducing the host surface area which protects both the host and the co-located containers by restricting access to the host.
Below we have compiled publicly available sources from around the world that present views on Isolating Docker Containers.
The Container Security book by Liz Rice
Fundamental Technology Concepts that Protect Containerized Applications
Perspectives on Isolating Docker Containers
Docker Security Features: User Namespace
The purpose of User Namespace is similar to other types of Linux namespaces - isolation. It isolates user and group ID number spaces, so that a process’s user and group ID can be different inside and outside of a user namespace.
Hardening Docker Hosts with User Namespaces
With some unchallenging configuration changes, it’s possible to segregate your host’s root user from the root user inside your containers with a not-so-new feature called User Namespaces. This feature has been around since Docker 1.10, which was released sometime around February 2016.
https://www.linux.com/blog/learn/2017/8/hardening-docker-hosts-user-namespaces
Making Containers More Isolated
unit42.paloaltonetworks.com
Vendor Information
Isolate Containers with a User Namespace
docs.docker.com
Further Reading
- Docker Repository Security and Certificates — Docker runs via a non-networked Unix socket and TLS must be enabled in order to have the Docker client and the daemon communicate securely over HTTPS. This page gathers resources about how to ensure the traffic between the Docker registry and the Docker daemon is encrypted and a properly authenticated using certificate-based client-server authentication.
- Docker Trusted Image Registry — Docker Trusted Registry (DTR) is the enterprise-grade image storage solution from Docker. It is installed behind a firewall so that Docker images can be securely stored and managed. This page gathers resources about the benefits of Docker trusted registry and how to work with it.
- Docker AppArmor Security Profiles — AppArmor (Application Armor) is a Linux security module that protects an operating system and its applications from security threats. To use it, a system administrator associates an AppArmor security profile with each program. Docker expects to find an AppArmor policy loaded and enforced. This page gathers resources about Docker AppArmor security profiles and how to use them to enhance container security.
- Isolating Docker Containers — Docker container technology increases the default security by creating isolation layers between applications and between the application and host and reducing the host surface area which protects both the host and the co-located containers by restricting access to the host.
- Docker CIS Benchmark — The Center for Internet Security (CIS) Docker Benchmark is a reference document that can be used by system administrators, security and audit professionals and other IT roles to establish a secure configuration baseline for Docker containers. This page gather resources about CIS Docker benchmark and how to implement it.
Get updates on container technology
