Index

Using containers securely: Docker and Kubernetes best practices

Greg Foster
Greg Foster
Graphite software engineer
Try Graphite

Table of contents

Containerization offers developers portability, scalability, and efficiency—but it also introduces new security risks. This guide covers a range of best practices for securing Docker and Kubernetes environments, with real-world examples, clear definitions, and actionable steps. We'll also explore how code review and automation tools like Graphite can strengthen your container security pipeline.

Docker security fundamentals

Use trusted and minimal base images

Choose official or vendor-verified images, and avoid those containing unused packages. Enable Docker Content Trust to enforce signature verification:

Terminal
export DOCKER_CONTENT_TRUST=1

This reduces the risk of untrusted or malicious layers.

Avoid root privileges

Run containers as non-root whenever possible, and drop unnecessary Linux capabilities. A rootless user mitigates container breakout risks.

Use resource constraints and read-only filesystems

Employ cgroups to limit CPU/memory usage and mount filesystems read-only unless write access is needed.

Scan images for vulnerabilities

Scan both base and custom images using tools like Sysdig, Snyk, or Trivy within your CI/CD pipeline. Example: run Sysdig inline scan with GitHub Actions.

Avoid embedding secrets

Manage sensitive data like API keys using Docker secrets, AWS KMS, or HashiCorp Vault. Avoid baking them directly into images—studies find ~8.5% of public images leak secrets.

Kubernetes security best practices

Control access to the API server

Restrict API server exposure to internal VPC, bastion, or VPN tunnels. Ensure TLS is used for all pods and components.

Implement RBAC with least privilege

Define granular roles for both users and service accounts. Avoid unnecessary permissions and exclude service tokens unless needed.

Enforce pod security standards and admission controllers

Use Pod Security Admission or Gatekeeper OPA policies to disallow privilege escalations and enforce baseline configurations.

Isolate workloads

Leverage namespaces, network policies, and optionally service meshes (e.g., Istio) to segment traffic and enforce east-west restrictions.

Monitor runtime behavior and audit logs

Scan running containers for anomalies and enable audit logging for all API requests to investigate incidents.

Update components regularly

Track Kubernetes versions and patch both the control plane and nodes—vulnerabilities are continuously discovered.

Secure development lifecycle

Security needs to start before deployment.

Integrate code and dependency scanning

Use SAST tools like Gosec, SonarQube for code, and Snyk or OWASP Dependency-Check for third-party packages. Integrate these steps into pull request pipelines to block builds on failures.

Image scanning as a gate

Automatically block un-scanned or non-compliant images via registry or Kubernetes admission hooks.

Use case: containerized web application

  1. Developer writes Go app; pushes code.
  2. CI pipeline runs Gosec; fails if findings.
  3. Builds Docker image using FROM alpine:3.18 → image scan flagged CVE via Trivy.
  4. Patched and pushed; image stored in private, signed registry.
  5. Deployment using Kubernetes with Pod Security Admission, RBAC, network policy applied.
  6. Runtime agent alerts on anomalous outbound connection.

This pipeline enforces security at every stage—from dev to runtime.

Reviewing infrastructure code with Graphite

Graphite is a modern code review platform that helps streamline pull request workflows and prevent insecure patterns early.

  • Stacked PRs: Break changes into small, discrete reviews—ideal for complex container code, Dockerfiles, or Kubernetes manifests.
  • Automated review suggestions: Graphite's AI code review tool Diamond can flag misconfigurations or missing checks, catching security flaws before merging.
  • Centralized review inbox: Gives visibility into the status of your reviews and CI.

Using Graphite alongside static analysis and scanning means insecure changes don't slip in undetected—reducing the blast radius of container misconfigurations.

Summary and recommendations

StageKey action
BuildUse trusted minimal images, non-root, resource limits
ScanIntegrate code, dependency, image scans in CI/CD
DeployRestrict API, use RBAC, namespaces, network policies
RuntimeLog, monitor, update components
ReviewEmploy Graphite for layered, automated code reviews

By combining Docker and Kubernetes best practices with robust code review processes—augmented by tools like Graphite—you can build and operate container platforms with confidence and efficiency.

Next steps

  • Audit current container images for vulnerabilities and secret leaks.
  • Define and apply Kubernetes pod security and network policies.
  • Plug Graphite into your existing GitHub/GitLab flow to tighten code review hygiene early in container lifecycles.

With these practices in place, you'll be able to confidently ship containerized workloads at scale, securely and reliably.

Related guides

Balancing code quality and delivery speed in software teams

This guide explores current and timeless best practices to optimize code standards and team producti...

Writing a code of conduct for code review feedback

This post provides a detailed guide on how to create an effective code of conduct for code review fe...

Scaling code reviews in large engineering teams

This guide explains how to effectively scale code reviews in large engineering teams, including best...

Last modified about 1 month ago

0 min read
On this page
Share
Git inspired
Graphite's CLI and VS Code extension make working with Git effortless.
Learn more

Built for the world's fastest engineering teams, now available for everyone

Request a demo
Start free trial