π Daftar Isi
1. Pengenalan Container Security
Container Security mencakup praktik, tools, dan kebijakan untuk melindungi containerized applications sepanjang lifecycle β dari build, deploy, hingga runtime. Container membawa tantangan keamanan unik karena sharing kernel, ephemeral nature, dan jumlah yang sangat banyak.
π Container Security Lifecycle
- Build β Secure Dockerfile, base image, dependency scanning
- Ship β Image signing, registry security, vulnerability scanning
- Run β Runtime policies, network segmentation, resource limits
- Monitor β Audit logging, anomaly detection, compliance
Container Attack Vectors
Diagram: Container Attack Surface
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β CONTAINER ATTACK SURFACE β β β β ββββββββββββ ββββββββββββ ββββββββββββ β β β Supply β β Containerβ β Host β β β β Chain β β Runtime β β Escape β β β β β β β β β β β β β’ Malwareβ β β’ RCE β β β’ Kernel β β β β in img β β β’ Crypto β β exploit β β β β β’ Backdorβ β mining β β β’ Mount β β β ββββββββββββ ββββββββββββ ββββββββββββ β β β β ββββββββββββ ββββββββββββ ββββββββββββ β β β Orchest- β β Network β β Secrets β β β β ration β β β β Exposure β β β β β’ RBAC β β β’ Lateralβ β β’ Env var β β β β bypass β β move β β β’ Config β β β ββββββββββββ ββββββββββββ ββββββββββββ β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
2. Dockerfile Security
Dockerfile adalah fondasi keamanan container. Kesalahan pada Dockerfile dapat menghasilkan image yang rentan.
Dockerfile β Secure Best Practices
# ============================================= +# Secure Dockerfile β Best Practices +# ============================================= +# 1. Specific base image tag (bukan latest) +FROM python:3.12-slim-bookworm AS builder +# 2. Non-root user +RUN groupadd -r appuser && useradd -r -g appuser appuser +# 3. Pin dependency versions +COPY requirements.txt . +RUN pip install --no-cache-dir -r requirements.txt +# 4. Multi-stage build +FROM python:3.12-slim-bookworm +COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages +# 5. Copy only necessary files +COPY --chown=appuser:appuser ./app /app +WORKDIR /app +# 6. Remove unnecessary packages +RUN apt-get remove -y gcc g++ && \ + apt-get autoremove -y && \ + rm -rf /var/lib/apt/lists/* +# 7. Non-root user +USER appuser +EXPOSE 8080 +HEALTHCHECK --interval=30s --timeout=3s \ + CMD curl -f http://localhost:8080/health || exit 1 +CMD ["python", "main.py"] +# YANG HARUS DIHINDARI: +# β ENV DB_PASSWORD=secret123 +# β COPY . . (termasuk .git, secrets) +# β USER root atau tanpa USER directive +# β CMD python main.py (shell form)
3. Image Scanning
Image scanning mengidentifikasi CVE dalam base image dan dependencies. Harus dilakukan di setiap stage: development, CI/CD, registry, dan runtime.
Bash β Container Image Scanning
# ============================================= +# Container Image Scanning +# ============================================= +# 1. Trivy β Scanner dari Aqua Security +trivy image myapp:latest +trivy image --severity HIGH,CRITICAL myapp:latest +trivy image --format json -o results.json myapp:latest +# 2. Scan Dockerfile misconfigurations +trivy config Dockerfile +trivy config --severity HIGH,CRITICAL ./k8s-manifests/ +# 3. Grype dari Anchore +grype myapp:latest +# 4. Docker Scout (built-in) +docker scout cves myapp:latest +# 5. Scan SBOM +trivy sbom --format spdx-json myapp:latest > sbom.json +syft myapp:latest -o spdx-json > sbom.json +# 6. CI/CD Pipeline integration +# aquasecurity/trivy-action di GitHub Actions +# dengan exit-code: '1' untuk fail on critical
4. Runtime Security
Runtime security melindungi container saat berjalan β resource limits, filesystem protection, syscall filtering, behavioral monitoring.
Bash β Docker Runtime Security
# ============================================= +# Docker Runtime Security Configuration +# ============================================= +# 1. Read-only filesystem +docker run --read-only --tmpfs /tmp myapp:latest +# 2. Drop all capabilities, add only needed +docker run --cap-drop ALL \ + --cap-add NET_BIND_SERVICE myapp:latest +# 3. No new privileges +docker run --security-opt no-new-privileges myapp:latest +# 4. Resource limits +docker run --memory=512m --cpus=0.5 \ + --pids-limit=100 myapp:latest +# 5. Seccomp profile +docker run --security-opt seccomp=custom.json myapp:latest +# 6. AppArmor profile +docker run --security-opt apparmor=docker-custom myapp:latest +# 7. Falco runtime monitoring +helm install falco falcosecurity/falco
5. Kubernetes Security
Kubernetes menambahkan layer keamanan orkestrasi: RBAC, network policies, pod security standards, admission controllers.
YAML β K8s Security Manifests
# =============================================
+# Kubernetes Security Best Practices
+# =============================================
+# Restricted Pod Security
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: secure-app
+spec:
+ template:
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1000
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: app
+ image: myapp:v1.2.3
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ limits:
+ memory: "256Mi"
+ cpu: "500m"
+ requests:
+ memory: "128Mi"
+ cpu: "250m"
+# Network Policy β Zero Trust
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-deny-all
+spec:
+ podSelector: {}
+ policyTypes:
+ - Ingress
+ - Egress
+# RBAC β Least Privilege
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: app-reader
+rules:
+ - apiGroups: [""]
+ resources: ["pods", "services"]
+ verbs: ["get", "list", "watch"]
6. Container Network Security
Network segmentation mencegah lateral movement. Gunakan network policy, service mesh, dan mTLS.
YAML β Istio mTLS
# Istio mTLS β Enforce encrypted communication +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: default + namespace: production +spec: + mtls: + mode: STRICT +# Authorization policy +apiVersion: security.istio.io/v1beta1 +kind: AuthorizationPolicy +metadata: + name: frontend-to-backend +spec: + selector: + matchLabels: + app: backend + rules: + - from: + - source: + principals: ["cluster.local/ns/production/sa/frontend"] + to: + - operation: + methods: ["GET", "POST"] + paths: ["/api/*"]
7. Secrets Management
Jangan menyimpan secrets dalam code, env vars plain text, atau ConfigMap. Gunakan external secrets manager.
YAML β External Secrets
# External Secrets Operator β Vault Integration +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: app-secrets +spec: + refreshInterval: 1h + secretStoreRef: + name: vault-backend + kind: SecretStore + target: + name: app-secrets + creationPolicy: Owner + data: + - secretKey: db-password + remoteRef: + key: secret/data/myapp + property: db_password
8. Compliance & Audit
Bash β Docker CIS Benchmark
# Docker CIS Benchmark Audit +docker run --rm --net host --pid host \ + -v /var/run/docker.sock:/var/run/docker.sock \ + docker/docker-bench-security +# Kubernetes CIS +kubectl apply -f https://raw.githubusercontent.com/aquasecurity/kube-bench/main/job.yaml +# Trivy compliance +trivy k8s --compliance=cis cluster +trivy k8s --compliance=nsa cluster
Supply Chain Security
Supply chain attacks pada container ecosystem terjadi ketika komponen yang dipercaya (base image, dependency, registry) dikompromikan. SolarWinds dan Codecov adalah contoh supply chain attacks besar.
Diagram: Container Supply Chain
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ β CONTAINER SUPPLY CHAIN β β β β ββββββββββββ ββββββββββββ ββββββββββββ β β β Base β β Package β β App β β β β Image βββββΆβ Manager βββββΆβ Code β β β β (OS) β β (pip/npm)β β β β β ββββββββββββ ββββββββββββ ββββββββββββ β β β β β β β βΌ βΌ βΌ β β ββββββββββββββββββββββββββββββββββββββββββββ β β β Dockerfile β β β β (Build instructions) β β β ββββββββββββββββββββββββ¬ββββββββββββββββββββ β β βΌ β β ββββββββββββββββββββββββββββββββββββββββββββ β β β Container Image β β β β ββββββββ ββββββββ ββββββββ β β β β βLayer1β βLayer2β βLayer3β ... β β β β β(OS) β β(deps)β β(app) β β β β β ββββββββ ββββββββ ββββββββ β β β ββββββββββββββββββββββββ¬ββββββββββββββββββββ β β βΌ β β ββββββββββββββββββββββββββββββββββββββββββββ β β β Container Registry β β β β (DockerHub, ECR, GCR, Harbor) β β β ββββββββββββββββββββββββββββββββββββββββββββ β β β β β οΈ ATTACK POINTS: β β β’ Poisoned base image β β β’ Malicious dependency (typosquatting) β β β’ Compromised build pipeline β β β’ Registry tampering β β β’ Signed image bypass β βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
Image Signing with Cosign
Bash β Container Image Signing
# ============================================= +# Container Image Signing & Verification +# ============================================= +# 1. Install cosign (Sigstore) +go install github.com/sigstore/cosign/v2/cmd/cosign@latest +# 2. Generate keypair +cosign generate-key-pair +# 3. Sign image +cosign sign --key cosign.key registry.example.com/myapp:v1.0 +# 4. Verify signature +cosign verify --key cosign.pub registry.example.com/myapp:v1.0 +# 5. Sign with keyless (OIDC identity) +cosign sign registry.example.com/myapp:v1.0 +# Uses Fulcio for short-lived certificates +# Uses Rekor for transparency log +# 6. Enforce signature verification in K8s +# Kyverno policy: +apiVersion: kyverno.io/v1 +kind: ClusterPolicy +metadata: + name: verify-image-signatures +spec: + validationFailureAction: enforce + rules: + - name: verify-cosign-signature + match: + resources: + kinds: ["Pod"] + verifyImages: + - imageReferences: ["registry.example.com/*"] + attestors: + - entries: + - keys: + publicKeys: |- + -----BEGIN PUBLIC KEY----- + ... + -----END PUBLIC KEY-----
Container Forensics
Ketika container terkompromi, forensik container berbeda dari tradisional karena sifat ephemeral container. Evidence collection harus dilakukan sebelum container dihapus.
Bash β Container Forensics
# ============================================= +# Container Incident Response & Forensics +# ============================================= +# 1. Snapshot container filesystem (sebelum dihapus) +docker commit suspicious-container forensic-image:v1 +docker save forensic-image:v1 -o forensic-image.tar +# 2. Export container filesystem +docker export suspicious-container -o container-fs.tar +mkdir /forensics/container && tar xf container-fs.tar -C /forensics/container +# 3. Capture container memory +docker exec suspicious-container sh -c 'cat /proc/*/maps' > mem-maps.txt +# Or use AVML for memory capture +docker cp suspicious-container:/proc /forensics/proc +# 4. Collect container logs +docker logs suspicious-container > container-logs.txt 2>&1 +# 5. Network forensics +docker exec suspicious-container ss -tulnp > network-connections.txt +docker exec suspicious-container cat /etc/resolv.conf > dns-config.txt +# 6. Process forensics +docker top suspicious-container > process-list.txt +docker exec suspicious-container ps auxf > process-tree.txt +# 7. Analyze image layers +dive forensic-image:v1 +# Check each layer for suspicious additions +# 8. Timeline reconstruction +# Correlate timestamps from: +# - Container logs +# - Host audit logs (auditd) +# - Network flow logs +# - SIEM alerts
Container Monitoring with Prometheus
Container monitoring mendeteksi anomali runtime seperti resource abuse, suspicious process, dan network activity yang tidak biasa.
YAML β Container Monitoring
+# Prometheus alerts for container security
+groups:
+ - name: container-security
+ rules:
+ - alert: ContainerHighCPU
+ expr: container_cpu_usage_seconds_total > 0.9
+ for: 5m
+ labels:
+ severity: warning
+ annotations:
+ summary: "Container {{ $labels.name }} high CPU"
+ - alert: ContainerPrivilegeEscalation
+ expr: container_security_privileged == 1
+ labels:
+ severity: critical
+ annotations:
+ summary: "Privileged container detected"
+ 9. Quiz Pemahaman
1. Mengapa container harus non-root?
2. Fungsi image scanning?
3. Apa yang dilakukan '--cap-drop ALL'?
4. Mengapa 'latest' tag tidak untuk production?
5. Tool CIS benchmark audit untuk Docker?
Rangkuman
π Poin Penting
- Dockerfile β Fondasi keamanan β multi-stage, non-root, pin versions
- Image Scanning β Scan CVE di setiap stage: build, CI, registry, runtime
- Runtime β Capabilities, seccomp, read-only fs, resource limits
- K8s Security β Pod Security Standards, NetworkPolicy, RBAC
- Secrets β Gunakan External Secrets Operator, bukan env vars