chapter ten

10 Conquering container security with Docker

 

This chapter covers

  • Securing service-to-service communication with JWT and mutual Transport Layer Security (mTLS) in a containerized environment
  • Managing secrets in a containerized environment
  • Signing and verifying Docker images with Docker Content Trust (DCT)
  • Running Docker Bench for Security

10.1  Running the Security Token Service on Docker to issue a JSON Web Token

10.2  Managing secrets in a Docker container

10.2.1  Externalizing secrets from Docker images

10.2.2  Passing secrets as environment variables

10.2.3  Managing secrets in a Docker production deployment

10.3  Using Docker Content Trust (DCT) to sign and verify Docker images

10.3.1  The Update Framework (TUF)

10.3.2  Docker Content Trust

10.3.3  Generating keys

10.3.4  Signing with Docker Content Trust

10.3.5  Signature verification with Docker Content Trust

10.3.6  Types of keys used in Docker Content Trust

10.4  Running the Order Processing microservice on Docker

10.5  Running containers with limited privileges

10.5.1  Running a container with a non-root user

10.5.2  Dropping capabilities from the root user

10.6  Running Docker Bench for Security

10.7  Securing access to the Docker host

10.7.1  Enabling remote access to the Docker daemon

10.7.2  Enabling mTLS at the Nginx server to secure access to Docker APIs

10.8  Security beyond containers

10.9  Summary