Hardening Container Security

In the production environment, you are advised to harden the container images of MindCluster components as follows.

  • Create a non-root user in the base image and start the container and its processes as that user (for example, with the Dockerfile USER instruction). Grant the user only the capabilities it actually needs, so that a compromised process cannot use root privileges for a container escape.
  • Set the owners and permissions of the files in the image correctly, so that binaries, configuration files and sockets are not writable (or, where sensitive, readable) by users that do not need them. Unnecessary access to such files can be used for privilege escalation and container escape.
  • Fix vulnerabilities in the base image in a timely manner, for example by rebuilding on a patched base image after each vulnerability scan.
  • When distributing images, enable Docker Content Trust (the DOCKER_CONTENT_TRUST=1 environment variable) so that only signed images can be pushed and pulled.

Seccomp Configuration

Seccomp restricts the system calls a container is allowed to make, which limits the damage a compromised container can do to the host. For details, see seccomp.md.

In Kubernetes versions earlier than 1.19, seccomp is configured with the annotation seccomp.security.alpha.kubernetes.io/pod. In 1.19 and later versions, the seccomp feature is GA and the securityContext.seccompProfile field is recommended instead. In 1.27 and later versions, the annotation no longer takes effect: a pod that still relies only on the annotation runs without the intended seccomp profile (unconfined, unless the kubelet is configured to apply a default profile). For details, see Kubernetes Removals and Major Changes In v1.27. Therefore, choose the seccomp configuration according to the Kubernetes version and the security requirements of the container.

Both methods are provided in the startup configuration files of the MindCluster components that need to be modified. The following is the seccomp configuration of Resilience Controller; the startup configuration files of the other components contain the corresponding lines.

  • The startup configuration files of all MindCluster components except Elastic Agent and TaskD need to be modified.
  • For details about the configuration file of each component, see Table 1.
    metadata:
      labels:
        app: resilience-controller
      ##### For Kubernetes versions earlier than 1.19, seccomp is configured with the annotation.
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: runtime/default
    spec:
      ##### For Kubernetes versions 1.19 and later, seccomp is configured with securityContext:
      ##### uncomment the following lines and, for 1.27 and later, also delete the annotation above.
    #  securityContext:
    #    seccompProfile:
    #      type: RuntimeDefault
    ...
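The version-dependent seccomp choice described above, together with the non-root and minimal-capability settings from the hardening list, as an added Python example. This is not part of the MindCluster documentation or code: it handles a pod manifest as a Python dict (kubectl accepts the resulting JSON), writes the annotation for versions before 1.19 and the securityContext field from 1.19 on, and audits a manifest for the case where the annotation is silently ignored from 1.27. The trimmed Resilience Controller manifest, the image name, the uid 1000 and all function names are constructed assumptions.

```python
"""Added example: select the seccomp setting for a pod by Kubernetes version
and apply the non-root / minimal-capability settings from the hardening list.
Manifests are handled as Python dicts and emitted as JSON, which kubectl accepts."""
import json
from copy import deepcopy

SECCOMP_ANNOTATION = "seccomp.security.alpha.kubernetes.io/pod"

# Constructed sample: a trimmed Resilience Controller pod that still relies on
# the pre-1.19 annotation. The image name is an assumption.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "resilience-controller",
        "labels": {"app": "resilience-controller"},
        "annotations": {SECCOMP_ANNOTATION: "runtime/default"},
    },
    "spec": {
        "containers": [
            {"name": "resilience-controller", "image": "resilience-controller:latest"}
        ]
    },
}


def parse_version(version):
    """'v1.27.3' -> (1, 27); only major and minor matter for this decision."""
    major, minor = version.lstrip("v").split(".")[:2]
    return int(major), int(minor)


def annotation_to_profile(value):
    """Map an annotation value to the equivalent securityContext.seccompProfile."""
    if value == "runtime/default":
        return {"type": "RuntimeDefault"}
    if value == "unconfined":
        return {"type": "Unconfined"}
    if value.startswith("localhost/"):
        # The path is relative to the kubelet's seccomp profile root directory.
        return {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
    raise ValueError(f"unsupported seccomp profile: {value!r}")


def apply_seccomp(manifest, k8s_version, profile="runtime/default"):
    """Return a copy of manifest with the seccomp setting for k8s_version.

    Before 1.19 only the annotation is understood. From 1.19 the field is the
    recommended form, so the annotation is dropped; from 1.27 it is ignored anyway.
    """
    out = deepcopy(manifest)
    annotations = out.setdefault("metadata", {}).setdefault("annotations", {})
    sec_ctx = out.setdefault("spec", {}).setdefault("securityContext", {})
    if parse_version(k8s_version) < (1, 19):
        annotations[SECCOMP_ANNOTATION] = profile
        sec_ctx.pop("seccompProfile", None)
    else:
        sec_ctx["seccompProfile"] = annotation_to_profile(profile)
        annotations.pop(SECCOMP_ANNOTATION, None)
    return out


def harden_security_context(manifest, uid=1000):
    """Run the pod as a non-root user with no capabilities and a read-only root fs."""
    out = deepcopy(manifest)
    spec = out.setdefault("spec", {})
    spec.setdefault("securityContext", {}).update(
        {"runAsNonRoot": True, "runAsUser": uid, "runAsGroup": uid}
    )
    for container in spec.get("containers", []):
        container.setdefault("securityContext", {}).update(
            {
                "allowPrivilegeEscalation": False,
                "readOnlyRootFilesystem": True,
                # Drop everything; add back single capabilities only where a
                # component provably needs them.
                "capabilities": {"drop": ["ALL"]},
            }
        )
    return out


def audit_seccomp(manifest, k8s_version):
    """List the seccomp problems a manifest would have on the given Kubernetes version."""
    findings = []
    version = parse_version(k8s_version)
    has_annotation = SECCOMP_ANNOTATION in manifest.get("metadata", {}).get("annotations", {})
    has_field = "seccompProfile" in manifest.get("spec", {}).get("securityContext", {})
    if not has_annotation and not has_field:
        findings.append("no seccomp profile configured")
    elif has_field and not has_annotation and version < (1, 19):
        findings.append("securityContext.seccompProfile is not supported before 1.19; use the annotation")
    elif has_annotation and not has_field:
        if version >= (1, 27):
            findings.append("annotation is ignored from 1.27; pod would run without the seccomp profile")
        elif version >= (1, 19):
            findings.append("annotation is deprecated; migrate to securityContext.seccompProfile before 1.27")
    return findings


if __name__ == "__main__":
    for version in ("v1.18.20", "v1.22.0", "v1.27.3"):
        print(version, "findings:", audit_seccomp(SAMPLE_POD, version))
        pod = harden_security_context(apply_seccomp(SAMPLE_POD, version))
        print(json.dumps(pod, indent=2))
```

Run the audit against every component manifest before an upgrade to 1.27: a manifest that only carries the annotation passes on 1.26 and silently loses its seccomp profile on 1.27, which is exactly the case the audit flags.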