Extremely Secure Docker Image For Nginx — Kubernetes Hardening

There are a lot of ways to secure a container image for runtime:

  1. Inherit from a distroless base image.
  2. The image's default user is non-root (USER 1001).
  3. If the image exposes a port, it must be above 1024, because binding a port under 1024 requires root.
  4. Files used by the main process must be owned by an arbitrary user and the root group (chown 1001:0).

I searched for an Nginx image that complies with these criteria and found two, but each covers only part of the list:

  • docker.io/kyos0109/nginx-distroless: focuses only on the 1st measure.
  • docker.io/nginxinc/docker-nginx-unprivileged: focuses on all measures except the first.

As a consequence, I built a new image that leverages these two images and applies all four security measures.
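As an added example (not the published image's own build file, which the post does not show), the following Dockerfile applies all four measures by combining the two images named above: stage one takes nginx, its configuration and the shared libraries it links against from the unprivileged image, stage two drops them into a distroless base. The image tags, the distroless base and the copied paths are assumptions based on how the upstream images are laid out, so the ldd-driven library copy should be checked against the real image before relying on it.

```dockerfile
# Added example: assumed tags; pin both images to the same Debian release so the
# glibc pieces copied by ldd match the distroless loader.
FROM docker.io/nginxinc/nginx-unprivileged:1.18 AS source

# The unprivileged image already listens on 8080 and writes pid/temp files under
# /tmp, so only its files need collecting; chown needs root in this stage.
USER root

# 1. nginx binary + every shared library it links (both "lib => /path" lines and
#    the bare loader line of ldd output), keeping the original paths.
# 2. Config, default site, and the /var/log/nginx -> /dev/std{out,err} symlinks,
#    which nginx.conf still references (cp -r keeps them as symlinks).
# 3. Ownership rule 4: arbitrary UID, root group, group-writable where nginx writes.
RUN mkdir -p /staging/tmp && chmod 1777 /staging/tmp && \
    ldd /usr/sbin/nginx | awk '$2 == "=>" { print $3 } $1 ~ /^\// { print $1 }' \
      | xargs -I{} cp --parents {} /staging/ && \
    cp --parents /usr/sbin/nginx /staging/ && \
    cp -r --parents /etc/nginx /usr/share/nginx/html /var/log/nginx /staging/ && \
    chown -R 1001:0 /staging/etc/nginx /staging/usr/share/nginx/html /staging/tmp && \
    chmod -R g=u /staging/etc/nginx /staging/usr/share/nginx/html

# Rule 1: distroless base (glibc, CA certs, no shell, no package manager).
# Assumed base; for a buster-based source image use the matching base-debian10.
FROM gcr.io/distroless/base-debian11
COPY --from=source /staging/ /

# Rule 2: non-root by default. A numeric UID is what Kubernetes' runAsNonRoot
# can verify; a named user would be rejected as unverifiable.
USER 1001

# Rule 3: unprivileged port, so no root (or extra capability) is needed to bind.
EXPOSE 8080

# No shell exists here, so start nginx directly instead of via docker-entrypoint.sh.
ENTRYPOINT ["/usr/sbin/nginx", "-g", "daemon off;"]
```

The `chmod g=u` step is what makes measure 4 work in practice: a platform that starts the container with a random UID (OpenShift does this by default) still places that UID in group 0, so group permissions equal to the owner's let nginx read its config and write to /tmp. To confirm the result, `docker inspect` on the built image should show `"User": "1001"` and `"ExposedPorts": {"8080/tcp": {}}`.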

The image has been published and you can use it:

docker pull abdennour/nginx-distroless-unprivileged:1.18

A user guide is also available. There you will find documentation and examples of how to use the image, how to spin up containers from it and how to extend it.

Happy hardening!

Happy kubing!

--

Abdennour Toumi: Software engineer, Cloud Architect, 5/5 AWS|GCP|PSM Certified, Owner of kubernetes.tn
