关注微信公众号
第一手干货与资讯
加入官方微信群
获取免费技术支持
Container security was initially a big obstacle to many organizations in adopting Docker. However, that has changed over the past year, as many open source projects, startups, cloud vendors, and even Docker itself have stepped up to the challenge by creating new solutions for hardening Docker environments. Today, there is a wide range of security tools that cater to every aspect of the container lifecycle. Docker security tools fall into these categories:
Here’s a cheatsheet of Docker security tools available as of mid-2017. It’s organized according to which part of the Docker stack the tool secures.
Namespaces
Isolates neighboring processes from each other. It limits what a container can see, and thus prevents attacks from spreading.
cgroups
Limits the resources used by a container. Restricts what a container can use, and thus prevents infected containers from hogging all resources.
SELinux
Provides access control to the kernel. It enforces mandatory access control (MAC), which controls how containers access the kernel based on policies.
AppArmor
Enables access controls on processes. Can be set to enforce policies, or merely report on policy violations.
Seccomp
Allows processes to interact with the kernel in a “secure” state, where it can only make a few commands. If it goes beyond these commands, the process is killed.
Docker Hub Security Scanning
Scans images that have been downloaded from Docker Hub against a list of Common Vulnerabilities and Exposures (CVEs).
Docker Content Trust
Verifies images downloaded from third-party registries based on the author. The author of an image can be an individual or an organization.
Quay Security Scanner
Powered by CoreOS Clair, this is Quay’s version of Docker Security Scanning. It scans container images for vulnerabilities.
AWS ECR
Part of AWS ECS, ECR encrypts images at rest in S3, and in transit over HTTPS. It Uses AWS IAM to manage access control to the registry.
Docker Swarm Secrets Management
Provides a safe way to store passwords, tokens and other confidential data using Docker Swarm.
Kubernetes Security Context
Secures containers and pods in a Kubernetes cluster. Provides access control, and Linux kernel security modules like SELinux and AppArmor.
Project Calico
Secures the container network by providing policy-based security that ensures services can access only the services and resources they need and not more.
Weave
Enforces policy-based security for the container network, and provides a firewall for each container rather than firewalling the entire environment.
Canal
Integrates the security features of Project Calico and the connectivity features of Flannel to provide a comprehensive networking solution for containers.
Docker Bench
A script that checks containers in production against a list of benchmarks created by the CIS (Center for Internet Security).
Inspec
A test framework built by Chef that treats compliance and security as code. It scans images, and has its own version of Docker Bench.
AWS ECS
Runs containers inside a virtual machine, which provides the first layer of security. Also adds AWS security features like IAM, security groups, and network ACLs.
Azure Container Service
Has its own Azure Container Registry for scanning images, and leverages Azure’s default security features like IAM.
GKE
Adopts Kubernetes’ security features and adds some of its own Google Cloud security features like IAM and RBAC.
Twistlock
End-to-end security platform for containers. It leverages machine learning to automatically profile applications.
Aqua Security
End-to-end security platform for containers. It provides a mature API that can be easily extended.
Anchore
Scans container images, and enforces security policies for container platforms. Integrates with CI/CD workflows using Jenkins.
NeuVector
Secures container runtimes by enforcing policies for services. It can automatically start and stop containers based on automated whitelists.
Deepfence
CI/CD integrated security tool that protects against known attacks.
StackRox
Container security tool that leverages machine learning to provide what it calls “adaptive threat protection.”
Tenable
A hosted security solution that scans container images and even allows enterprises to enforce security policies on their environments.
Cavirin
A continuous security assessment tool that scans for vulnerabilities against the CIS benchmark, and more.
Compare architectures, feature sets, and usability of Kubernetes and Docker Swarm. Download the guide This is truly a diverse list of Docker security tools. What becomes clear when we view this list is that Docker security requires a combination of many tools working together. Each tool has its own strengths and focus areas. There are solutions available for every layer of the container stack—kernel, registries, network, orchestration, and CaaS platforms. And the best part is that most of these tools are great at integrating with each other, or at least the most commonly used tools in container workloads. By knowing each of the tools, and what makes them unique from the others, you can ensure a bulletproof container environment that can run production workloads at enterprise scale. That was always the promise of Docker, and container security tools are making that promise a reality. Twain began his career at Google, where, among other things, he was involved in technical support for the AdWords team. His work involved reviewing stack traces, and resolving issues affecting both customers and the Support team, and handling escalations. Later, he built branded social media applications, and automation scripts to help startups better manage their marketing operations. Today, as a technology journalist he helps IT magazines, and startups change the way teams build and ship applications.