Container & Kubernetes Security

Containers expand the attack surface in ways traditional security tools don’t cover. A vulnerable base image means every pod running it is compromised. A misconfigured pod running as root can escape to the host. A missing network policy means any pod can talk to any other pod. Container security requires defense-in-depth across the build, deploy, and runtime phases.

Security Across the Container Lifecycle

BUILD                    DEPLOY                   RUNTIME
┌──────────────┐        ┌──────────────┐         ┌──────────────┐
│ Image scan   │───────▶│ Admission    │────────▶│ Runtime      │
│ SBOM creation│        │ controllers  │         │ monitoring   │
│ Base image   │        │ Pod security │         │ Network      │
│ hardening    │        │ standards    │         │ policies     │
│ Secret scan  │        │ Resource     │         │ Forensics    │
│              │        │ limits       │         │              │
└──────────────┘        └──────────────┘         └──────────────┘

Image Security

Minimal Base Images

Base Image	Size	CVE Surface	Use Case
`ubuntu:22.04`	77 MB	High (200+ packages)	Development only
`debian:slim`	80 MB	Medium	General purpose
`alpine`	5 MB	Low	Minimal workloads
`distroless`	2-20 MB	Minimal (no shell!)	Production recommended
`scratch`	0 MB	None	Static Go/Rust binaries

# Multi-stage build with distroless
FROM golang:1.22 AS builder
WORKDIR /app
COPY . .
RUN CGO_ENABLED=0 go build -o /server

FROM gcr.io/distroless/static:nonroot
COPY --from=builder /server /server
USER nonroot:nonroot
ENTRYPOINT ["/server"]

Image Scanning Pipeline

# CI/CD image scanning
image-security:
  steps:
    - name: Build image
      run: docker build -t app:${{ github.sha }} .
    
    - name: Scan for vulnerabilities
      run: |
        trivy image --severity HIGH,CRITICAL \
          --exit-code 1 \
          app:${{ github.sha }}
    
    - name: Generate SBOM
      run: |
        syft app:${{ github.sha }} -o spdx-json > sbom.json
    
    - name: Sign image
      run: |
        cosign sign --key cosign.key app:${{ github.sha }}

Pod Security Standards

# Restricted pod security (production)
apiVersion: v1
kind: Pod
metadata:
  name: secure-app
spec:
  securityContext:
    runAsNonRoot: true
    runAsUser: 65534
    fsGroup: 65534
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: app
      image: app:latest
      securityContext:
        allowPrivilegeEscalation: false
        readOnlyRootFilesystem: true
        capabilities:
          drop: ["ALL"]
      resources:
        limits:
          cpu: "500m"
          memory: "256Mi"
        requests:
          cpu: "100m"
          memory: "128Mi"

Network Policies

# Default deny all ingress (apply per namespace)
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-ingress
  namespace: production
spec:
  podSelector: {}
  policyTypes:
    - Ingress

---
# Allow web → app traffic only
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-web-to-app
spec:
  podSelector:
    matchLabels:
      tier: app
  ingress:
    - from:
        - podSelector:
            matchLabels:
              tier: web
      ports:
        - port: 8080

Anti-Patterns

Anti-Pattern	Problem	Fix
Running as root	Container escape → host compromise	`runAsNonRoot: true`, use non-root user
No network policies	All pods can communicate freely	Default deny, explicit allow per service
Latest tag	No reproducibility, unknown vulnerabilities	Pin image digests, scan on every build
Secrets in env vars	Visible in pod spec, logs, crash dumps	Use K8s Secrets mounted as files, or external vault
No resource limits	Noisy neighbor or resource exhaustion DoS	Set CPU/memory limits on every container
Writable root filesystem	Attacker can modify binaries	`readOnlyRootFilesystem: true`

Checklist

:::note[Source] This guide is derived from operational intelligence at Garnet Grid Consulting. For container security consulting, visit garnetgrid.com. :::