Hardening Container Images

  • Create a dedicated non-root user in the image, start the container's main process as that user (USER in the Dockerfile), and grant the process only the Linux capabilities it actually needs (drop the rest at run time with --cap-drop). A process running as root inside a container is the most common precondition for container escape.
  • Set the owner and permissions of every file in the image deliberately (COPY --chown, chmod). World-writable files, or root-owned files that the service account must be able to modify, give an attacker who gains code execution an easy path to privilege escalation and, combined with other weaknesses, container escape.
  • Fix vulnerabilities in the base image promptly: rebuild from an updated base tag, apply the distribution's package updates during the build, and scan images regularly rather than only once.
  • Enable Docker Content Trust (DOCKER_CONTENT_TRUST=1) when distributing images, so that only signed tags can be pushed and pulled.
  • Use COPY instead of ADD in the Dockerfile. ADD silently extracts local archives and can fetch remote URLs, so content from an unknown source can end up in the image in a form the author never reviewed.
  • Do not store sensitive information (passwords, tokens, private keys) in the Dockerfile, including in ENV and ARG instructions: it is written into the image layers and is visible in docker history. Pass build-time secrets with a secret mount instead.
  • Do not run the package manager's update command (for example apt-get update) in a RUN instruction of its own; combine it with the install command in the same RUN. Otherwise the build cache can reuse a stale package index and later builds silently install outdated packages.
  • Add a health check (HEALTHCHECK) for the container, and review the script or command it runs: it must be lightweight, idempotent, and free of side effects, so that the periodic check itself cannot cause service or system faults.
  • Do not add files or directories with the SUID or SGID bit to the image, and strip the bit from base-image binaries the application does not need.
  • Set resource quotas for the container, at least for CPU and memory and preferably also the number of processes, so that a faulty or compromised container cannot exhaust the resources of the host. System resources include but are not limited to CPU and memory.
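The following Dockerfile applies the checklist above in one build. It is an added example, not code from the original page or from any Docker project; the base image, the application layout (requirements.txt, an app/ package listening on port 8080 with a /healthz endpoint), the user name app and the secret id pip_extra_index are assumptions for illustration.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the original page). Image name, paths, user name
# and the /healthz endpoint are assumptions for illustration.
FROM python:3.12-slim

# Patch the base image: "apt-get update" is never run on its own, so the
# build cache cannot pair a stale package index with a later install step.
# Removing the lists keeps the index out of the layer.
RUN apt-get update \
 && apt-get upgrade -y --no-install-recommends \
 && rm -rf /var/lib/apt/lists/*

# Dedicated system account: no password, no login shell, home under /app.
RUN groupadd --system app \
 && useradd --system --gid app --home-dir /app --shell /usr/sbin/nologin app

# Strip the SUID/SGID bit from every file that shipped with the base image
# (-perm /6000 matches either bit); the application does not need them.
# -xdev keeps find on the image filesystem and out of /proc and /sys.
RUN find / -xdev -type f -perm /6000 -exec chmod a-s {} +

WORKDIR /app

# COPY, not ADD: ADD would auto-extract archives and can fetch remote URLs.
# --chown hands the files to the service account at copy time.
COPY --chown=app:app requirements.txt .

# Build-time secret: the extra index URL (which may embed a token) is mounted
# only for this RUN and never lands in a layer or in "docker history",
# unlike an ENV or ARG value.
RUN --mount=type=secret,id=pip_extra_index \
    pip install --no-cache-dir \
        --extra-index-url "$(cat /run/secrets/pip_extra_index)" \
        -r requirements.txt

COPY --chown=app:app app/ ./app/

# COPY preserves the source mode, so tighten permissions explicitly:
# nothing under /app may be writable by group or others.
RUN chmod -R go-w /app

# Switch to the unprivileged user before any process starts.
USER app

# Unprivileged port, so the process needs no capability to bind it.
EXPOSE 8080

# Lightweight, side-effect-free check: a single GET against the local
# health endpoint. urlopen raises on a non-2xx response, which makes the
# command exit non-zero and marks the container unhealthy.
HEALTHCHECK --interval=30s --timeout=3s --start-period=10s --retries=3 \
    CMD python -c "import urllib.request; urllib.request.urlopen('http://127.0.0.1:8080/healthz', timeout=2)" || exit 1

CMD ["python", "-m", "app"]
```

Build it with BuildKit so the secret mount is honoured, supplying the index URL from a file that stays outside the build context's layers: `DOCKER_BUILDKIT=1 docker build --secret id=pip_extra_index,src=./pip_extra_index.txt -t app:1.0 .`. The items the Dockerfile cannot express belong on the run command and the distribution step: `docker run --cap-drop=ALL --memory=512m --cpus=1 --pids-limit=256 app:1.0` drops every capability and applies the resource quotas, and `DOCKER_CONTENT_TRUST=1 docker push app:1.0` (likewise on pull) enforces Content Trust. Two quick checks after the build: `docker run --rm app:1.0 id` should report the app user rather than uid 0, and `docker run --rm app:1.0 find / -xdev -type f -perm /6000` should print nothing.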