As seen in the previous chapter, Docker containers are secure by default, but only because they run inside namespace and cgroup isolation. Images are different objects: their security depends on their content. From this it follows that an image with less content is more secure. So, the main rules for securing images are as follows:
- Images should only contain the binaries, libraries, and configuration files required to run our containerized process. Don't add non-required applications or debug tools to production images. A smaller attack surface is better, and every extra binary enlarges it.
- Always declare resources in your images. Here we use the term resources for users, exposed ports, and volumes. Always describe what is needed to run your image, and avoid running as root inside a container.
- Update the packages in the image whenever a security fix is released, rebuild all derived images, and redeploy the containers. In fact...
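A Dockerfile that applies the three rules above, written here as an added example rather than taken from the chapter; the Go application layout (`./cmd/app`), port 8080 and the `/data` path are assumptions.

```dockerfile
# syntax=docker/dockerfile:1

# Stage 1: build the binary with the full toolchain. Nothing from this
# stage except the compiled binary reaches the final image.
FROM golang:1.22-alpine AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# Static binary, so the runtime image needs no libc, shell or package manager.
# (./cmd/app is an assumed application layout.)
RUN CGO_ENABLED=0 go build -ldflags="-s -w" -o /out/app ./cmd/app

# Stage 2: minimal runtime image.
# Rule 1: only the binary plus CA certificates and tzdata from the base;
# no shell, no package manager, no debug tools.
# Rule 3: when this base image publishes a security fix, rebuild every
# image derived from this Dockerfile and redeploy the containers; pinning
# the tag to a digest makes the rebuild an explicit, reviewable change.
FROM gcr.io/distroless/static-debian12:nonroot

# Rule 2: declare the resources the container needs.
# Numeric UID/GID (65532 is distroless' nonroot user) so that runtime
# "run as non-root" checks can verify it without reading /etc/passwd.
USER 65532:65532

# Only the application port is declared; nothing else listens. (8080 assumed.)
EXPOSE 8080

# Data written at runtime goes to a declared volume, not into the image
# layers, and is readable by the non-root user. (/data assumed.)
VOLUME ["/data"]

COPY --from=build --chown=65532:65532 /out/app /app
ENTRYPOINT ["/app"]
```

After building, `docker image inspect <image>` should show `User`, `ExposedPorts` and `Volumes` populated in the image config, which is the quickest check that rule 2 was actually applied.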