← Back to blog

Container Security Fundamentals

security containers kubernetes

Running containers in production requires a layered approach to security. Here are the fundamentals every team should have in place.

Image Security

Start with trusted base images and scan them continuously:

  • Use minimal base images (distroless, scratch, Alpine)
  • Pin image digests instead of mutable tags
  • Scan images in CI with tools like Trivy or Grype
  • Sign images with cosign for supply chain integrity

Runtime Security

Limit what containers can do at runtime:

  • Drop all Linux capabilities and add back only what’s needed
  • Run as non-root with read-only root filesystems
  • Use seccomp and AppArmor profiles
  • Set resource limits to prevent DoS
securityContext:
  runAsNonRoot: true
  readOnlyRootFilesystem: true
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]

Network Policies

Default-deny network policies are your first line of defense. Only allow the traffic your application actually needs.

Secrets Management

Never bake secrets into images. Use Kubernetes secrets with encryption at rest, or better yet, external secret stores like HashiCorp Vault.

Continuous Monitoring

Security isn’t a one-time setup. Implement runtime monitoring with Falco or similar tools to detect anomalous behavior in production.