When running Airlock IAM as a Docker container some additional security considerations should be respected for the operation of Docker as well as for the operation of Airlock IAM as Docker container.
General Docker Recommendations:
General Security Best Practices for running Docker as a Container Platform.
- Enable Docker Content Trust (DCT) and manage signing keys to ensure that only signed Docker images are used
- Do not expose the Docker API to prevent remote management of Docker images
- Enable SELinux or AppArmour to protect the Docker host against attacks
- Consider limitations on cpu, memory and disk to prevent DoS attacks on a Docker container to affect the Docker host running the container
- Use --security-opt=no-new-privileges Docker run parameter to prevent privilege escalation in the Docker host
Docker Recommendations for Airlock IAM:
Security Best Practices for running Airlock IAM as a Docker Container.
- Use -p INTERFACE_IP:port:8443 to expose Airlock IAM on one specific IP address and one specific port only