Docker Security: How Do You Keep Your Container Images Safe?
Container security is not just "don't use the latest image". 70% of containers running in production have a critical/high severity vulnerability (2024 Snyk report). How do you prevent it?
1. Base Image Choice: Smaller = Safer
❌ Bad:
```dockerfile
FROM ubuntu:latest
RUN apt-get update && apt-get install -y python3 ...
```
Full Ubuntu image: 77MB, 100+ packages, 50+ potential CVEs.
✅ Good:
```dockerfile
FROM python:3.11-slim
# or, better still:
FROM python:3.11-alpine
```
Alpine: 5MB, minimal packages, small attack surface.
🔥 Best: Distroless
```dockerfile
FROM gcr.io/distroless/python3
```
No shell, no package manager, only the runtime: an RCE exploit has no shell to spawn.
2. Multi-Stage Builds: Don't Bake In Build Dependencies
❌ Single stage - Dangerous:
```dockerfile
FROM node:18
WORKDIR /app
COPY package*.json ./
RUN npm install # includes devDependencies
COPY . .
RUN npm run build
CMD ["node", "dist/server.js"]
```
The final image contains webpack, typescript and the test libraries. Unnecessary risk.
✅ Multi-stage - Safe:
```dockerfile
# Build stage
FROM node:18 AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
# Drop devDependencies so the node_modules copied below holds runtime packages only
RUN npm prune --omit=dev
# Production stage
FROM node:18-alpine
WORKDIR /app
COPY --from=builder /app/package.json ./
COPY --from=builder /app/dist ./dist
COPY --from=builder /app/node_modules ./node_modules
USER node
CMD ["node", "dist/server.js"]
```
Final image: only runtime dependencies, 60% smaller.
3. Non-Root User: Preventing Privilege Escalation
❌ Default: runs as root
```dockerfile
FROM python:3.11
COPY app.py .
# Runs as root! (a trailing comment after the JSON array would break the exec form, so it goes here)
CMD ["python", "app.py"]
```
If there is a container escape, the attacker has root access on the host.
✅ Create a non-root user:
```dockerfile
FROM python:3.11-slim
RUN useradd -m -u 1000 appuser
WORKDIR /home/appuser
COPY --chown=appuser:appuser app.py .
USER appuser
CMD ["python", "app.py"]
```
4. Image Scanning: Trivy, Grype, Snyk
Integrate it into your CI pipeline:
```yaml
# .gitlab-ci.yml
scan:
  image:
    name: aquasec/trivy:latest
    # the image's entrypoint is "trivy"; clear it so GitLab can run the script through a shell
    entrypoint: [""]
  script:
    - trivy image --severity HIGH,CRITICAL myapp:$CI_COMMIT_SHA
    - trivy image --exit-code 1 --severity CRITICAL myapp:$CI_COMMIT_SHA
  only:
    - merge_requests
    - main
```
Policy: if there is a CRITICAL vulnerability, the build fails.
5. Secret Management: The .env File Must Not End Up in the Image!
❌ Disaster:
```dockerfile
FROM node:18
COPY .env .
COPY . .
CMD ["node", "server.js"]
```
The .env file is now in the production image. Did you push it to Docker Hub? Game over.
✅ The Right Way:
1. Use .dockerignore:
```text
.env
.env.*
secrets/
*.key
*.pem
```
2. Inject at runtime:
```shell
docker run -e DATABASE_URL=$DATABASE_URL myapp
```
or in Kubernetes:
```yaml
envFrom:
  - secretRef:
      name: myapp-secrets
```
3. Use Vault or AWS Secrets Manager.
6. Read-Only Root Filesystem
Make the container filesystem read-only. Malware cannot write to it.
```shell
# docker run
docker run --read-only --tmpfs /tmp myapp
```
Kubernetes (the tmp mount needs a matching emptyDir volume named tmp in the pod spec):
```yaml
securityContext:
  readOnlyRootFilesystem: true
volumeMounts:
  - name: tmp
    mountPath: /tmp
```
7. Network Security: Least Privilege
Docker network isolation:
```shell
docker network create --driver bridge app-network
docker network create --driver bridge database-network
docker run -d --name frontend --network app-network frontend
# backend starts on app-network and is then attached to database-network as well
# (docker network connect works on every Docker version; passing --network twice does not)
docker run -d --name backend --network app-network backend
docker network connect database-network backend
```
The frontend cannot reach the database network.
8. Resource Limits: Preventing DoS
❌ No limit:
```shell
docker run myapp # can consume all of the host's memory
```
✅ Set limits:
```shell
docker run --memory="512m" --cpus="0.5" myapp
```
Kubernetes:
```yaml
resources:
  limits:
    memory: "512Mi"
    cpu: "500m"
```
9. Image Signing: Notary, Cosign
Only signed images should be deployed:
```shell
# Sign with Cosign
cosign sign --key cosign.key myregistry/myapp:v1.0.0
# Verify
cosign verify --key cosign.pub myregistry/myapp:v1.0.0
```
Enforce it with a Kubernetes admission controller.
10. Registry Security
Use a private registry:
- Harbor (self-hosted, vulnerability scanning built in)
- AWS ECR (managed, automatic scanning)
- Azure Container Registry
Never push production secrets to a public Docker Hub repo!
Bonus: Runtime Security - Falco
Anomaly detection at container runtime:
- Shell spawned in a container
- Unexpected outbound connections
- File read from /etc/shadow
- Privilege escalation attempts
Falco + Prometheus + Alertmanager = real-time threat detection.
Security Checklist (Before Going to Production)
✅ Base image minimal (Alpine/Distroless)
✅ Multi-stage build
✅ Non-root user
✅ No secrets in image
✅ Image scanned (no CRITICAL CVE)
✅ .dockerignore configured
✅ Read-only root filesystem
✅ Resource limits defined
✅ Network policies configured
✅ Image signed
✅ Private registry
✅ Runtime security monitoring
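As an added example (not code from the original post), a small Dockerfile checker in Python that flags the anti-patterns from sections 1, 2, 3 and 5 of the checklist: an unpinned or `:latest` base image, no USER in the final stage, secret files copied in, `npm install` in the runtime stage, and a build step in a single-stage image. The two sample Dockerfiles are constructed for the demonstration.

```python
import re

# Constructed samples (not from any real project): the post's "disaster"
# single-stage Dockerfile and a hardened multi-stage one.
BAD_DOCKERFILE = """\
FROM node:18
COPY .env .
COPY . .
RUN npm install
CMD ["node", "server.js"]
"""
GOOD_DOCKERFILE = """\
FROM node:18 AS builder
WORKDIR /app
COPY . .
RUN npm ci && npm run build
FROM node:18-alpine
COPY --from=builder /app/dist ./dist
USER node
CMD ["node", "dist/server.js"]
"""

def parse(dockerfile):
    """Yield (INSTRUCTION, args) pairs; joins backslash continuations, skips comments."""
    for line in re.sub(r"\\\n", " ", dockerfile).splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            parts = re.split(r"\s+", line, maxsplit=1)
            yield parts[0].upper(), (parts[1] if len(parts) > 1 else "")

def lint(dockerfile):
    """Return the checklist violations found in a Dockerfile string."""
    instrs = list(parse(dockerfile))
    from_idx = [i for i, (ins, _) in enumerate(instrs) if ins == "FROM"]
    if not from_idx:
        return ["no FROM instruction"]
    findings = []
    for i in from_idx:  # section 1: pin the base image, never :latest
        image = instrs[i][1].split()[0]
        if ":" not in image or image.endswith(":latest"):
            findings.append(f"unpinned base image: {image}")
    final = instrs[from_idx[-1]:]  # only the last stage ships (section 2)
    if not any(ins == "USER" and args not in ("root", "0") for ins, args in final):
        findings.append("final stage runs as root (no USER)")  # section 3
    for ins, args in final:
        if ins in ("COPY", "ADD") and re.search(r"(^|\s)(\.env\S*|\S+\.(pem|key))(\s|$)", args):
            findings.append(f"secret file copied into image: {args}")  # section 5
        if ins == "RUN" and re.search(r"\bnpm install\b", args):
            findings.append("npm install in final stage (devDependencies end up in the image)")
    if len(from_idx) == 1 and any(ins == "RUN" and "npm run build" in args for ins, args in instrs):
        findings.append("build step in a single-stage image (use a multi-stage build)")
    return findings
```

Run it against each Dockerfile in CI before the Trivy scan; an empty list means the image passes these checks.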
Conclusion
Container security is a layered approach. No single measure is enough. It is a defense-in-depth strategy.
Devups Managed Container Service: all of these security best practices built in. Request a demo.