10 Conquering container security with Docker

This chapter covers

  • Securing service-to-service communications with JWT and mTLS in a containerized environment
  • Managing secrets in a containerized environment
  • Signing and verifying Docker images with Docker Content Trust
  • Running Docker Bench for Security

The benefits of microservices architecture come at a cost. Unless you have the proper infrastructure to support microservices development and deployment with a CI/CD pipeline, you will more than likely fail to meet your objectives. Let us reiterate: one key objective of microservices architecture is speed to production. With hundreds of microservices, management becomes a nightmare unless you have the right tools for automation. Packaging, distributing, and testing microservices in various environments before they reach production, efficiently and with less room for error, is important.

Over time, Docker has become the most popular tool (or platform) for packaging and distributing microservices. It provides an abstraction over the physical machine. Docker packages not only your software but all of its dependencies as well.

10.1 Running the security token service on Docker

10.2 Managing secrets in a Docker container

10.2.1 Externalizing secrets from Docker images

10.2.2 Passing secrets as environment variables

10.2.3 Managing secrets in a Docker production deployment

10.3 Using Docker Content Trust to sign and verify Docker images

10.3.1 The Update Framework

10.3.2 Docker Content Trust

10.3.3 Generating keys

10.3.4 Signing with DCT

10.3.5 Signature verification with DCT

10.3.6 Types of keys used in DCT

10.3.7 How DCT protects the client application from replay attacks

10.4 Running the Order Processing microservice on Docker

10.5 Running containers with limited privileges

10.5.1 Running a container with a nonroot user

10.5.2 Dropping capabilities from the root user

10.6 Running Docker Bench for security