Container technologies such as Docker and Kubernetes have revolutionized the way we develop, deploy and operate applications. But with great power comes great responsibility – especially when it comes to security. This article shows practical strategies to keep your Spring Boot applications secure in containers.
Why is container security important?
Containers offer many advantages, but they also have security risks. Incorrect configurations, insecure images or poorly managed secrets can open the door to attackers. The main threats are:
|
Threat
|
Risk
|
|---|---|
|
Insecure base images
|
Old or compromised images often contain security vulnerabilities.
|
|
Poor configurations
|
Wrong rights, lack of network restrictions or too many privileges.
|
|
Lack of secrets management
|
Passwords or API keys in the code are a no-go.
|
|
Third-party dependencies
|
Unpatched libraries can introduce vulnerabilities.
|
Best practices for secure Docker containers
1. Use secure base images
Use official and minimalist base images that are updated regularly:
FROM openjdk:17-jdk-slimAvoid “latest” tags and define explicit versions to avoid unwanted updates.
2. Multi-stage builds for leaner and more secure images
A multi-stage build reduces the attack surface of your container:
# Build-Stage
FROM maven:3.8.6-openjdk-17 AS build
WORKDIR /app
COPY . .
RUN mvn clean package -DskipTests
# Runtime-Stage
FROM openjdk:17-jdk-slim
WORKDIR /app
COPY --from=build /app/target/app.jar app.jar
CMD ["java", "-jar", "app.jar"]Advantages:
✅ Reduces image size
✅ Removes build tools (e.g. Maven)
✅ Contains only the essentials
3. Do not store sensitive data in the image
To handle environment variables securely, use Docker Secrets or Kubernetes Secrets:
apiVersion: v1
kind: Secret
metadata:
name: my-secret
type: Opaque
data:
DB_PASSWORD: c2VjdXJlUGFzc3dvcmQ=Include the secret in your deployment definition:
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: my-secret
key: DB_PASSWORD
Kubernetes Security Best Practices
4. Minimal rights with RBAC (Role-Based Access Control)
Restrict permissions in Kubernetes with RBAC:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: app-role
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list"]5. Network security with network policies
Restrict network traffic between pods:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: deny-all
spec:
podSelector:
matchLabels: {}
policyTypes:
- Ingress
- Egress
ingress: []
egress: []This blocks all network traffic by default and must be explicitly allowed.
6. Security scans in the CI/CD pipeline
Use tools such as Trivy to check your container images for vulnerabilities:
trivy image myapp:latestKube-bench is suitable for Kubernetes scans:
kube-bench --benchmark gke7. Least Privilege for Pods
Prevent containers from running as root:
securityContext:
runAsNonRoot: true
runAsUser: 1000
capabilities:
drop:
- ALL
Extended security measures
8. Runtime security (Runtime Security)
- Falco for runtime monitoring: detection of suspicious activities in containers.
- Audit logs & intrusion detection: analysis of unusual access patterns.
9. Supply Chain Security for Container
- Image signing with Cosign: Ensure that only verified images are deployed.
- Software Bill of Materials (SBOM): Transparency about used dependencies.
10. Secure handling of third-party dependencies
- Dependabot & Snyk for checking libraries.
- Private container registries (e.g. Harbor) for secure image management.
Comparison of security tools: Trivy vs. Snyk vs. Clair
|
Tool
|
Advantages
|
Disadvantages
|
|---|---|---|
|
Trivy
|
Fast, open source, easy to use
|
Less detailed exploit analyses
|
|
Snyk
|
Good integration in CI/CD, recognizes zero-day gaps
|
Commercial, paid features
|
|
Clair
|
Deep analysis of container images
|
Complex setup
|
11. Incident response & emergency plans
- Step-by-step guide to Incident Response
- Backup & Disaster Recovery for Kubernetes
Conclusion
Container security requires a well thought-out approach. By using secure images, the right access restrictions and automated scans, you can run your Spring Boot applications securely in Docker and Kubernetes. Use the best practices mentioned above to minimize risks and make attacks more difficult.
Do you need help with IT security? Then take a look at our marketplace. You’re sure to find a suitable provider there who can help you make your company more secure.
