cloud-native-microservices-security
  • Introduction
  • Introduction
    • Requirements and Setup
    • Demo Application Architecture
  • Hands-On Labs
    • 1.Security via Spring Boot Auto-Configuration
    • 2.Customized Authentication
    • 3.Mutual TLS (MTLS)
    • 4.Authorization
    • 5.Automated Testing
    • 6.Kubernetes Security
      • 6.1.Docker as Root
      • 6.2.Docker as NonRoot
      • 6.3.Kubernetes Deployment
      • 6.4.Kubernetes Pod Security Context
      • 6.5.Kubernetes Pod Security Policies
  • Bonus Labs
    • CSRF Attack Demo
    • Web Authn
Powered by GitBook
On this page
  • Java Base Images
  • Standard Dockerfile
  • Runs with Root by default
  • Linux capabilities
  • Check image for Vulnerabilities
  • Next

Was this helpful?

  1. Hands-On Labs
  2. 6.Kubernetes Security

6.1.Docker as Root

Previous6.Kubernetes SecurityNext6.2.Docker as NonRoot

Last updated 5 years ago

Was this helpful?

This demo builds a standard docker image from the demo application just using a standard Dockerfile. For details on the demo application see .

Java Base Images

Standard Dockerfile

FROM openjdk:11.0.6-jre-buster
COPY step2-hello-root-1.0.0-SNAPSHOT.jar app.jar
EXPOSE 8080
ENTRYPOINT java -jar /app.jar

Runs with Root by default

When using defaults for building a container image the container will run using the root user by default.

You can prove this by using these commands:

docker container run --rm --detach --name hello-root \
-p 9090:9090 andifalk/library-server-container-root:latest
docker exec hello-root whoami

This should return the following user information (it really is root)

root

Finally stop the running container by using the following command:

docker stop hello-root

Linux capabilities

Docker runs with a balanced set of capabilities between security and usuablity of containers. You can print the default capabilities by using this command:

docker container run --rm -it alpine sh -c 'apk add -U libcap; capsh --print'

If you even run the container in privileged mode (you should usually never do that) then you get full privileged root access with all linux capabilities set:

docker container run --privileged --rm -it alpine sh -c 'apk add -U libcap; capsh --print'

In privileged mode you can for example list and change partition tables:

docker container run --privileged --rm -it alpine sh -c 'apk add -U libcap; capsh --print; fdisk -l'
docker container run --cap-drop=ALL --cap-add=net_bind_service --rm -it alpine sh -c 'apk add -U libcap; capsh --print'

Check image for Vulnerabilities

Now we can check our image for vulnerabilities with critical severities using this command:

trivy --severity CRITICAL andifalk/hello-root:latest

Next

You should also be able to reach the dockerized application via .

Usually you even don't need the default capabilities defined by docker. A common use case is to run a container listening on a , e.g. using a http server. For this you just need the capability CAP_NET_BIND_SERVICE:

hello spring boot application
OpenJDK
AdoptJDK
Google Distroless
Amazon Corretto
localhost:8080
privileged tcp port (below 1024)
Next: Rootless Container