For a more thorough checklist, please refer to the latest CIS Docker Benchmark.
- Ensure you patch your Docker daemon/containerd etc. to protect against escape CVEs such as:
  - CVE-2019-5736
  - CVE-2019-14271
  - CVE-2020-15257
- Follow appropriate Docker security updates
- Conduct image vulnerability scanning using an appropriate scanner such as Anchore, Clair or Trivy.
- Use only trusted images and consider utilising Docker content trust
- Do not run containers as root users
- Utilise user namespaces
- Do not use host network mode.
- Do not use privileged mode.
- Drop capabilities if they're not needed
- Do not mount the Docker unix socket in your containers (/var/run/docker.sock)
- Consider read-only container filesystems.
- Ensure your containers log to an appropriate log driver and ensure this is being appropriately monitored.
- Use rootless Docker (experimental)
- Use SELinux/apparmor etc
- Take care to protect /var/run/docker.sock with appropriate filesystem permissions.
- Do not add users to the docker group unless you are OK with that user effectively being root.
- Do not expose the TCP Docker socket publicly.
  - Protect the TCP socket with HTTPS.
  - Implement an authorisation/authentication solution for it.
- Consider using Kaniko to build your container images in userspace.
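The runtime items above (root user, privileged mode, host networking, socket mounts, capabilities, read-only filesystem, log driver, SELinux/AppArmor) can all be read back from `docker inspect` output, so they are straightforward to audit on a running host. The following is an added example, not part of the original checklist or of any Docker tooling: it parses the JSON that `docker inspect <container>` prints and reports which checks a container fails. The two sample documents are constructed for illustration and contain only the fields the checks look at; the function and finding wording are my own.

```python
"""Audit `docker inspect` JSON against common container-hardening checks (added example)."""
import json

DOCKER_SOCKET = "/var/run/docker.sock"
UNCONFINED = ("apparmor=unconfined", "seccomp=unconfined", "label=disable")


def audit_container(inspect_doc: dict) -> list[str]:
    """Return a list of human-readable findings for one container's inspect document."""
    findings = []
    config = inspect_doc.get("Config") or {}
    host = inspect_doc.get("HostConfig") or {}

    # Running as root: Config.User unset, "root", or uid 0 (with or without ":gid").
    user = (config.get("User") or "").split(":")[0]
    if user in ("", "root", "0"):
        findings.append("runs as root (Config.User is unset or root)")

    if host.get("Privileged"):
        findings.append("privileged mode enabled")

    if host.get("NetworkMode") == "host":
        findings.append("uses host network mode")

    # The daemon socket can be mounted via a bind string ("src:dst[:opts]") or a Mounts entry.
    sources = [b.split(":")[0] for b in host.get("Binds") or []]
    sources += [m.get("Source", "") for m in inspect_doc.get("Mounts") or []]
    if DOCKER_SOCKET in sources:
        findings.append(f"mounts the Docker socket {DOCKER_SOCKET}")

    # Capabilities: anything added back deserves review; the default set should be dropped.
    if host.get("CapAdd"):
        findings.append("adds capabilities: " + ", ".join(host["CapAdd"]))
    if "ALL" not in (host.get("CapDrop") or []):
        findings.append("does not drop the default capability set (CapDrop lacks ALL)")

    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem is writable")

    # A container with no log driver leaves nothing for monitoring to consume.
    log_type = (host.get("LogConfig") or {}).get("Type") or ""
    if log_type in ("", "none"):
        findings.append("no log driver configured")

    # SecurityOpt entries that switch off the LSM / seccomp confinement.
    for opt in host.get("SecurityOpt") or []:
        if opt in UNCONFINED:
            findings.append(f"confinement disabled via SecurityOpt {opt}")

    return findings


def audit_inspect_output(text: str) -> dict[str, list[str]]:
    """Parse the JSON array that `docker inspect` prints and audit every container in it."""
    return {doc.get("Name", "?").lstrip("/"): audit_container(doc) for doc in json.loads(text)}


# Constructed sample documents (trimmed to the fields the checks read).
SAMPLE_WEAK = {
    "Name": "/legacy-app",
    "Config": {"User": ""},
    "HostConfig": {
        "Privileged": True,
        "NetworkMode": "host",
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "ReadonlyRootfs": False,
        "LogConfig": {"Type": "none"},
        "SecurityOpt": ["apparmor=unconfined"],
    },
    "Mounts": [],
}

SAMPLE_HARDENED = {
    "Name": "/web",
    "Config": {"User": "1000:1000"},
    "HostConfig": {
        "Privileged": False,
        "NetworkMode": "bridge",
        "Binds": ["/srv/web/config:/etc/web:ro"],
        "CapAdd": [],
        "CapDrop": ["ALL"],
        "ReadonlyRootfs": True,
        "LogConfig": {"Type": "json-file"},
        "SecurityOpt": [],
    },
    "Mounts": [{"Source": "/srv/web/config", "Destination": "/etc/web"}],
}

if __name__ == "__main__":
    for name, issues in audit_inspect_output(json.dumps([SAMPLE_WEAK, SAMPLE_HARDENED])).items():
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print(f"  - {issue}")
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_inspect_output`; a container with an empty findings list satisfies every runtime item in the checklist that this script can observe. The scan does not cover image provenance, daemon patch level or the TCP socket, which need to be checked separately.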