Top 10 Container Security Misconfigurations and How to Fix Them

Container technologies like Docker and Kubernetes have revolutionized application deployment, but they have also introduced new classes of security misconfiguration. This guide covers the 10 most dangerous mistakes and their fixes.

Misconfiguration 1: Running Containers as Root

# Check which containers run as root (an empty User field means the process runs as root):
docker ps -q | xargs -I{} docker inspect {} --format "{{.Id}} User:{{.Config.User}}"

# Fix in Dockerfile:
RUN groupadd -r appuser -g 1001 && useradd -r -u 1001 -g appuser appuser
USER appuser

# Fix at runtime:
docker run --user 1000:1000 myimage

Misconfiguration 2: No Resource Limits

# Without limits, one container can exhaust host resources. Fix at runtime:
docker run --memory="512m" --cpus="0.5" myimage

# Kubernetes (under each container in the pod spec):
resources:
  limits:
    memory: "512Mi"
    cpu: "500m"

Misconfiguration 3: Sensitive Data in Environment Variables

# BAD: Password in environment variable
docker run -e DB_PASSWORD=MySecretPass myimage

# GOOD: Use Docker Secrets (Swarm mode; mounted in the container at /run/secrets/db_password) or Kubernetes Secrets
echo "MySecretPass" | docker secret create db_password -

# Kubernetes (prefer --from-file in practice, so the value does not land in shell history):
kubectl create secret generic db-secret --from-literal=password=MySecretPass

Misconfiguration 4: Using :latest Tags

# BAD: Unpredictable, breaks reproducibility
FROM python:latest

# GOOD: Pin to a specific version tag, ideally together with the image's sha256 digest
FROM python:3.11.9-slim
# Stronger (digest placeholder, take the real value from the registry): FROM python:3.11.9-slim@sha256:<digest>

# Scan for CVEs in base image:
trivy image python:3.11.9-slim

Misconfiguration 5: Exposed Docker Daemon

# Check if the daemon is exposed on TCP without TLS (use ss -tlnp on systems without netstat):
netstat -tlnp | grep 2375  # DANGEROUS if found

# Fix: Use TLS mutual auth or SSH tunneling:
docker -H ssh://user@remote-host ps  # Safer approach

Misconfigurations 6-10: Quick Fixes

# 6: Privileged mode - never use --privileged; drop every capability and add back only what the app needs
docker run --cap-drop ALL --cap-add NET_BIND_SERVICE myimage

# 7: Enable read-only filesystem
docker run --read-only --tmpfs /tmp myimage

# 8: Never mount host root
# BAD: docker run -v /:/host myimage
# If a host path is truly needed, mount only that path, read-only: -v /srv/app-data:/data:ro

# 9: Network segmentation between containers
docker network create --opt com.docker.network.bridge.enable_icc=false my-net

# 10: Scan for CVEs in CI/CD with Trivy (--exit-code 1 makes the pipeline fail when findings exist)
trivy image --exit-code 1 --severity CRITICAL,HIGH myapp:latest
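
As an added example (not part of the original article), a small audit script that applies checks 1, 2, 6, 7 and 8 above to the JSON that `docker inspect` prints. The field names (Config.User, HostConfig.Privileged, HostConfig.Memory, HostConfig.NanoCpus, HostConfig.ReadonlyRootfs, HostConfig.CapDrop, Mounts) are the ones docker inspect emits; the sample records are constructed.

```python
import json
import sys

# Constructed sample in the shape `docker inspect <id> ...` returns (only the fields used here).
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "Memory": 0, "NanoCpus": 0,
                    "ReadonlyRootfs": False, "CapDrop": None},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Id": "bbb222", "Name": "/api", "Config": {"User": "1001:1001"},
     "HostConfig": {"Privileged": False, "Memory": 536870912, "NanoCpus": 500000000,
                    "ReadonlyRootfs": True, "CapDrop": ["ALL"]},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/api/_data",
                 "Destination": "/data"}]},
])

def audit_container(c):
    """Return [(misconfiguration number, finding)] for one inspect record."""
    findings = []
    host = c.get("HostConfig", {})
    # 1: an empty User, "root", "0" or "0:0" all mean the process runs as uid 0.
    if c.get("Config", {}).get("User", "").split(":")[0] in ("", "0", "root"):
        findings.append((1, "runs as root"))
    # 2: Memory / NanoCpus of 0 mean no limit was set (docker run --memory / --cpus).
    if host.get("Memory", 0) == 0 or host.get("NanoCpus", 0) == 0:
        findings.append((2, "no memory or cpu limit"))
    # 6: --privileged, or the default capability set never dropped.
    if host.get("Privileged"):
        findings.append((6, "privileged mode"))
    elif "ALL" not in (host.get("CapDrop") or []):
        findings.append((6, "default capabilities kept (no --cap-drop ALL)"))
    # 7: writable root filesystem (no --read-only).
    if not host.get("ReadonlyRootfs"):
        findings.append((7, "root filesystem is writable"))
    # 8: bind mount of the host root.
    for m in c.get("Mounts", []):
        if m.get("Type") == "bind" and m.get("Source") == "/":
            findings.append((8, "host root mounted at " + m.get("Destination", "?")))
    return findings

def audit(inspect_json):
    """Map container name -> findings for the JSON array docker inspect prints."""
    return {c["Name"].lstrip("/"): audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) > inspect.json && python audit.py inspect.json
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, found in audit(data).items():
        for num, msg in found:
            print(f"{name}: misconfiguration {num}: {msg}")
```

Run without arguments it audits the constructed sample; fed a real inspect dump it reports per container which of the checks above fail.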

Automated Scanning with Docker Bench

docker run --rm --net host --pid host --userns host --cap-add audit_control \
  -v /var/run/docker.sock:/var/run/docker.sock:ro \
  docker/docker-bench-security

Wrap Up

Run Docker Bench Security on your environment today, fix the FAIL findings, then integrate Trivy into your CI/CD pipeline. Container security is mostly about consistent configuration standards applied from day one.