Security considerations for Docker container usage

When running Airlock IAM as a Docker container, some additional security considerations apply, both to the operation of Docker itself and to the operation of Airlock IAM as a Docker container.

General Docker Recommendations:

General Security Best Practices for running Docker as a Container Platform.

  • Enable Docker Content Trust (DCT) and manage the signing keys so that only signed Docker images are used
  • Do not expose the Docker API, to prevent remote management of Docker images
  • Enable SELinux or AppArmor to protect the Docker host against attacks
  • Consider limits on CPU, memory and disk so that a DoS attack on a Docker container cannot affect the Docker host running the container
  • Use the --security-opt=no-new-privileges docker run parameter to prevent privilege escalation on the Docker host

Docker Recommendations for Airlock IAM:

Security Best Practices for running Airlock IAM as a Docker Container.

  • Use -p INTERFACE_IP:port:8443 so that Airlock IAM is exposed on one specific IP address and one specific port only, instead of on all interfaces of the Docker host
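As an added example (not from the Airlock IAM documentation), a small POSIX shell helper that refuses a -p publish spec which does not pin an explicit interface IP and then assembles a docker run command carrying the hardening parameters listed above. The image name, interface IP and the resource-limit values are assumptions; nothing is executed, the command is only printed for review.

```shell
#!/bin/sh
# Added example, not Airlock IAM project code. Image name, interface IP and
# resource limits below are placeholders/assumptions.

# Return 0 only for a publish spec of the form INTERFACE_IP:port:8443,
# i.e. reject "8443:8443", "0.0.0.0:443:8443" or "[::]:443:8443", which
# would bind IAM to every interface of the Docker host.
check_publish_spec() {
    spec="$1"
    case "$spec" in
        \[*\]:*:*) host_ip="${spec%%]*}]" ;;   # bracketed IPv6 address
        *:*:*)     host_ip="${spec%%:*}" ;;    # IPv4 address or hostname
        *)         return 1 ;;                 # no interface part at all
    esac
    case "$host_ip" in
        ""|0.0.0.0|"[::]") return 1 ;;         # wildcard bind
    esac
    case "$spec" in
        *:8443) return 0 ;;                    # container side must be IAM's 8443
        *)      return 1 ;;
    esac
}

# Print the hardened docker run command for the given publish spec and image.
# Enable Docker Content Trust in the calling shell first:
#   export DOCKER_CONTENT_TRUST=1
# Disk quotas (--storage-opt size=...) depend on the storage driver and are
# therefore not included here.
iam_run_command() {
    publish="$1"; image="$2"
    check_publish_spec "$publish" || {
        echo "refusing publish spec '$publish': pin one interface IP and container port 8443" >&2
        return 1
    }
    set -- docker run -d \
        --security-opt=no-new-privileges \
        --cpus=2 --memory=4g --pids-limit=512 \
        -p "$publish" \
        "$image"
    printf '%s\n' "$*"
}

# Example invocation (placeholder IP from the documentation range, placeholder image):
# iam_run_command "192.0.2.10:443:8443" "airlock-iam:PLACEHOLDER_TAG"
```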