tbhaxor · May 18, 2022 14:03
diff --git a/docker-best-practices.txt b/docker-best-practices.txt
 # docker engine
 docker unix socket should be runnining on with approperiate permissions, root user and docker group
 allow only authorized users to have the
 tcp and unix can run in both mode
 unix socket is more secure if private docker setup
 expose tcp socket with authentication and tls certs
 implement firewall plugin and configure it properly

 # in container
 do not give excesive capabilities or privileged access
 refrain bind mounts, use volumnes
 do not run with root user (if vulnerability found hard for escape)
 do not mount docker socket or tcp inside container
 user namespace remapping (mapping user id 0 from container to some random non-existing uid on host)
 configure apparmor and secomp confined container

 # for registry
 trust the docker registry content using export DOCKER_CONTENT_TRUST=1
 encrypt registry data with tls and add basic authentication
	# docker engine
	docker unix socket should be runnining on with approperiate permissions, root user and docker group
	allow only authorized users to have the
	tcp and unix can run in both mode
	unix socket is more secure if private docker setup
	expose tcp socket with authentication and tls certs
	implement firewall plugin and configure it properly

	# in container
	do not give excesive capabilities or privileged access
	refrain bind mounts, use volumnes
	do not run with root user (if vulnerability found hard for escape)
	do not mount docker socket or tcp inside container
	user namespace remapping (mapping user id 0 from container to some random non-existing uid on host)
	configure apparmor and secomp confined container

	# for registry
	trust the docker registry content using export DOCKER_CONTENT_TRUST=1
	encrypt registry data with tls and add basic authentication