A Practical Guide to Writing Secure Dockerfiles - WeAreDevelopers Container Day 2021

Transcript

1. A Practical Guide to Writing Secure Dockerfiles WeAreDevelopers Live –

   Container Day Madhu Akula

2. About Me • Security Engineering @ Miro • Creator of

   Kubernetes Goat, Hacker Container, tools.tldr.run, many other… • Security (CloudNative, Containers, Kubernetes, Automation) • Speaker & Trainer @ BlackHat, DEFCON, USENIX, OWASP, All Day DevOps, GitHub, DevSecCon, c0c0n, Nullcon, null, many other… • Co-Author of Security Automation with Ansible 2 • Technical reviewer of Learn Kubernetes Security • Never Ending Learner! @madhuakula https://madhuakula.com 2

3. What will you learn? • What is Dockerfile? • Why

   security of Dockerfiles? • Best practices for writing Dockerfiles • Linters, tools, techniques to validate ◦ buildkit, dockle, hadolint, docker-slim, dive, plugins, etc. • Introducing OPA, Rego & Conftest • docker-security-checker • Why custom security policies? • Next steps • Resources & Reference @madhuakula 3

4. What is Docker? @madhuakula • Docker is an open source

   platform for building, deploying, and managing containerized applications • Docker became the de facto standard to build and share containerized apps - from desktop, to the cloud, even edge devices • Docker enables developers to easily pack, ship, and run any application as a lightweight, portable, self-sufficient container, which can run virtually anywhere • Docker can build images automatically by reading the instructions from a Dockerfile 4

5. What is Dockerfile? https://github.com/dockersamples/example-voting-app/blob/master/vote/Dockerfile A Dockerfile is a text document

   that contains all the commands a user could call on the command line to assemble an image. @madhuakula 5

6. • Dockerfiles are blueprint for building your docker container images

   • Dockerfiles are codified version of what your application & infrastructure • It is one of the key component for the entire supply chain security • To maintain the highest level of security from the ground up • Many possible security issues can happen due to insecure Dockerfiles Why should we focus on Dockerfile security? @madhuakula 6

7. Dockerfile best practices from Docker itself • Start with small

   version of the image • Create ephemeral containers • Understanding the build context • Exclude files with .dockerignore like .gitignore • Use multi stage builds - Only we need artifacts and reduce attack surface • Don’t install unnecessary packages • Minimize number of layers • Create multi-line arguments in structured way and reduce the image layers • Leverage the build cache • Create your own base image like golden image https://docs.docker.com/develop/develop-images/dockerfile_best-practices/ @madhuakula 7

8. Generic Best Practices • Order of the steps in Dockerfile

   (least to most frequently changing content) • COPY only specific files required rather everything (don’t do COPY . . ) • Perform same commands (RUN apt-get update && apt-get install -y curl) • Only install what we need (--no-install-recommends) • Remove package manager cache (&& rm -rf /var/lib/apt/lists/*) • Don’t use latest tag (be specific with with image tag) • Non root user and group • Disallow acquiring new privileges • Only trusted and official base images • Minimal base images, don’t include not required software, packages, etc. • Don’t store secrets or sensitive information in Dockerfiles, file/directories • Don’t install SSH or similar services and expose your containers • Image lifecycle management, updates if required • Many others... @madhuakula 8

9. Generic Best Practices - Example Dockerfile https://github.com/hexops/dockerfile/blob/main/Dockerfile @madhuakula 9

10. BuildKit BuildKit is a toolkit for converting source code to

    build artifacts in an efficient, expressive and repeatable manner. • From release of Docker 20.10 (Stable of BuildKit) • Now by default enabled in latest release (export DOCKER_BUILDKIT=1) • It improves a lot of performance, security features BuildKit has support for securely passing secrets, forwarding SSH authentication agent from the host to the Docker build. https://docs.docker.com/develop/develop-images/build_enhancements @madhuakula 10

11. BuildKit - Security Use Case (Secrets usage in build) Passing

    the secrets to the Dockerfile rather hard coding or buildargs using BuildKit NO NO @madhuakula 11

12. BuildKit - Security Use Case (SSH Socket) Passing the SSH

    socket with mount by forwarding the SSH from host using BuildKit NO @madhuakula 12

13. hadolint - Haskell Dockerfile Linter A smarter Dockerfile linter that

    helps you build best practice Docker images. The linter is parsing the Dockerfile into an AST and performs rules on top of the AST. It is standing on the shoulders of ShellCheck to lint the Bash code inside RUN instructions. https://hadolint.github.io/hadolint/ @madhuakula 13

14. hadolint in action @madhuakula 14

15. dockle Container Image Linter for Security, Helping build the Best-Practice

    Docker Image, Easy to start https://github.com/goodwithtech/dockle @madhuakula 15

16. dockle - CIS Benchmark Checks @madhuakula 16

17. dockle - Checks @madhuakula 17

18. DockerSlim - Minify and Secure Docker Containers https://dockersl.im @madhuakula 18

19. DockerSlim - Usage and Features https://dockersl.im @madhuakula 19

20. DockerSlim - Security Profiles • The goal is to auto-generate

    Seccomp, AppArmor, (and potentially SELinux) profiles based on the collected information ◦ AppArmor Profiles ◦ Seccomp Profiles • Generating the Seccomp profiles (I have tried it, doesn’t work for all cases) ◦ Run DockerSlim ▪ docker-slim build your-name/your-app ◦ Use the generated Seccomp profile ▪ docker run --security-opt seccomp:<docker-slim directory>/.images/<YOUR_APP_IMAGE_ID>/artifacts/your-name-your-app-seccomp.jso n <your other run params> your-name/your-app https://github.com/docker-slim/docker-slim @madhuakula 20

21. dive A tool for exploring a docker image, layer contents,

    and discovering ways to shrink the size of your Docker/OCI image. https://github.com/wagoodman/dive @madhuakula 21

22. Your code editor linters https://marketplace.visualstudio.com/items?itemName=henriiik.docker-linter @madhuakula 22

23. Open Policy Agent is a Policy-based control for cloud native

    environments. OPA is an open source, general-purpose policy engine that unifies policy enforcement across the stack. It provides a high-level declarative language that lets you specify policy as code and simple APIs to offload policy decision-making from your software. Introducing OPA https://www.openpolicyagent.org @madhuakula 23

24. • OPA policies are expressed in a high-level declarative language

    called Rego. Rego (pronounced “ray-go”) is purpose-built for expressing policies over complex hierarchical data structures • Rego was inspired by Datalog, which is a well understood, decades old query language. Rego extends Datalog to support structured document models such as JSON • Rego queries are assertions on data stored in OPA. These queries can be used to define policies that enumerate instances of data that violate the expected state of the system Introduction to rego policies @madhuakula 24

25. Sample Rego policy example https://play.openpolicyagent.org/ @madhuakula 25

26. Conftest is a utility to help you write tests against

    structured configuration data. For instance you could write tests for your Kubernetes configurations, Terraform code, Serverless configs or any other structured data. In our context, we will use it to write validation policies for Dockerfiles. Conftest relies on the Rego language from Open Policy Agent for writing the assertions. What is conftest? https://www.conftest.dev/ @madhuakula 26

27. • YAML • JSON • INI • TOML • HOCON

    • HCL • HCL 2 • CUE • Dockerfile • EDN • VCL • XML • Jsonnet Supported formats by Conftest https://www.conftest.dev/ @madhuakula 27

28. Sample Dockerfile https://github.com/madhuakula/docker-security-checker/blob/master/Dockerfile @madhuakula 28

29. Policy for checking ADD usage instead of COPY Here in

    the below example input contains the Dockerfile in a JSON format and we are looking for any command we find ADD and if we find in the Dockerfile we are returning the deny message. warn[msg] { input[i].Cmd == "add" val := concat(" ", input[i].Value) msg = sprintf("Use COPY instead of ADD: %s", [val]) } @madhuakula 29

30. Running docker-security-checker @madhuakula 30 https://github.com/madhuakula/docker-security-checker

31. Why custom policies? deny[msg] { input[i].Cmd == "from" image :=

    input[i].Value not startswith(image, "exampletrustedregistry.com/") msg := sprintf("Base image '%v' is used from untrusted registry", [image]) } • Most organisations have common patterns across their workflows • Some policies can be custom to their organisation, for example the below policy showcase that any base image not from exampletrustedregistry.com not allowed ◦ Using these simple but powerful policies can easily prevent using untrusted images directly from the public registries and only allow developers and users to use internal private registries @madhuakula 31

32. Try it out yourself https://katacoda.com/madhuakula/scenarios/docker-security-checker @madhuakula 32

33. Next steps • Try possible following the best practices when

    writing itself by using linters • You can also use these check in your GitOps workflow, part of your git hooks • You can create and standardise organisation wide custom policies as required for your workflow • Adding these checks in CI/CD pipelines as part of your workflow will enable and validate security best practices • Go beyond Dockerfiles and implement at each layer of your workflows @madhuakula 33

34. Are you interested to learn more tools around security? https://tools.tldr.run

    @madhuakula 34

35. • https://docs.docker.com/engine/reference/builder • Dockerfile Best Practices talk at dockercon 19

    • https://docs.docker.com/develop/develop-images/dockerfile_best-practices • https://github.com/hexops/dockerfile • https://engineering.bitnami.com/articles/best-practices-writing-a-dockerfile.html • https://snyk.io/blog/10-docker-image-security-best-practices • https://pythonspeed.com/docker/ • https://github.com/moby/buildkit • https://github.com/goodwithtech/dockle • https://github.com/hadolint/hadolint • https://github.com/docker-slim/docker-slim • https://www.openpolicyagent.org • https://play.openpolicyagent.org • https://www.conftest.dev • https://github.com/madhuakula/docker-security-checker References & Resources @madhuakula 35

36. Thank You! Madhu Akula https://madhuakula.com 36