Just found this; it's a must-read for everyone connecting containers to the Internet.
The aim of this cheat sheet is to provide an easy-to-use list of common security mistakes and good practices that will help you secure your Docker containers.
- Keep Host and Docker up to date
- Do not expose the Docker daemon socket (even to the containers)
- Set a user
- Limit capabilities (drop them all, then grant only the specific capabilities a container needs)
- Add the --no-new-privileges flag (`--security-opt=no-new-privileges` on `docker run`)
- Disable inter-container communication (--icc=false on the daemon)
- Use a Linux Security Module (AppArmor or SELinux) together with a seccomp profile
- Limit resources (memory, CPU, file descriptors, processes, restarts)
- Set filesystem and volumes to read-only
- Use static analysis tools
- Set the logging level to at least INFO
- Lint the Dockerfile at build time
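The runtime items in the list above can be applied in one place: a wrapper around `docker run` plus a daemon configuration. The script below is an added example written for this post, not code from the cheat sheet or from Docker. The image name, the network name, the seccomp profile path and the numeric limits are placeholders you would tune per workload; `socket_not_mounted` is a hypothetical guard that refuses any invocation mounting the Docker daemon socket. Only the first two list items (host patching, not exposing the socket) and the static analysis and linting steps are outside what a run command can enforce.

```bash
#!/bin/sh
# Added example (not from the cheat sheet): a hardened `docker run` wrapper.
# Assumptions (placeholders): image name, network name, seccomp profile path.

IMAGE="${IMAGE:-example/app:1.0}"                    # assumed image
SECCOMP="${SECCOMP:-/etc/docker/seccomp-app.json}"   # assumed custom seccomp profile
NETWORK="${NETWORK:-app-net}"                        # assumed user-defined bridge network

# Print the hardened flag list, one flag per line, so it can be reviewed or reused.
hardened_flags() {
  cat <<EOF
--user=10001:10001
--cap-drop=ALL
--cap-add=NET_BIND_SERVICE
--security-opt=no-new-privileges
--security-opt=seccomp=$SECCOMP
--read-only
--tmpfs=/tmp:rw,noexec,nosuid,size=64m
--memory=256m
--cpus=1.0
--pids-limit=100
--ulimit=nofile=1024:1024
--restart=on-failure:5
--network=$NETWORK
EOF
}

# Guard for item 2 in the list: refuse any argument that mounts the daemon socket.
# Returns 0 when no socket mount is present, 1 otherwise.
socket_not_mounted() {
  case "$*" in
    *docker.sock*) return 1 ;;
  esac
  return 0
}

# Daemon-side settings from the list (written to /etc/docker/daemon.json by the operator):
# inter-container communication off, no-new-privileges by default, INFO logging.
daemon_json() {
  cat <<'EOF'
{
  "icc": false,
  "no-new-privileges": true,
  "log-level": "info"
}
EOF
}

# Run the image with the hardened flags; extra arguments (e.g. -p or -v) are passed
# through after the socket check. Not invoked at top level so the file can be sourced.
run_hardened() {
  socket_not_mounted "$@" || { echo "refusing to run: Docker socket mount in arguments" >&2; return 1; }
  # shellcheck disable=SC2046  # word-splitting of the flag list is intended
  docker run --rm $(hardened_flags) "$@" "$IMAGE"
}
```

Usage is `. ./harden.sh && run_hardened -p 8080:8080`; `run_hardened -v /var/run/docker.sock:/var/run/docker.sock` is rejected before `docker` is called. Setting `--user` on the command line protects you even when the Dockerfile forgot its `USER` line, and `--cap-drop=ALL` first then `--cap-add` keeps the grant explicit and reviewable.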