How to Harden Your Containers With Distroless Docker Images
Use distroless images to secure your containers on Kubernetes

Containers have changed the way we look at technology infrastructure. It is a quantum leap in the way we run our applications. Container orchestration, along with the Cloud, provides us with a capability of seamless expansion on a near-infinite scale.
Containers, by definition, are supposed to contain your application and its runtime dependencies. However, in reality, they contain much more than that. A standard container base image contains a package manager, shells, and other programs that you would find in a standard Linux distribution.
While all of these are necessary for building container images, they need not form part of the final image. For example, once you’ve installed the packages, you no longer need apt within the container.
It not only bloats your container with unnecessary packages and programs, but it also gives cybercriminals more opportunities: every extra program is one more place a vulnerability can be exploited.
You should always be aware of what exists within your container runtime, and you should precisely restrict that to contain only the required dependencies necessary for your application.
You should not install anything apart from what is required. Some of the leading tech giants, such as Google, that have experience running containers in production for many years have followed this approach.
Google has now open-sourced this capability to the world by providing distroless images. They’ve built these images to contain only your application and its dependencies, and they lack all the features of a regular Linux distribution, including shells.
That means that while you can run your application as usual, nobody can attach a shell to the container while it is running. That is a significant security improvement, as you have now closed the door for hackers to gain entry into your container through a shell.
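As an added illustration (not part of the original article), here is a two-stage Dockerfile that builds a small Go service in a full toolchain image and then copies only the resulting binary into a distroless base. The application name, source layout and the exact image tags are assumptions for this example:

```dockerfile
# Stage 1: build with a full image that still has a package manager and a shell.
# (Assumed layout: a Go module at the build context root with main in ./cmd/app.)
FROM golang:1.21 AS build
WORKDIR /src
COPY go.mod go.sum ./
RUN go mod download
COPY . .
# CGO is disabled so the binary is statically linked and has no libc dependency,
# which is what the "static" distroless variant expects.
RUN CGO_ENABLED=0 GOOS=linux go build -o /out/app ./cmd/app

# Stage 2: the runtime image contains only the binary.
# gcr.io/distroless/static ships no shell and no package manager; the build
# toolchain, apt and everything else from stage 1 are left behind.
FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
# Run as the unprivileged user the nonroot tag provides rather than as root.
USER nonroot:nonroot
EXPOSE 8080
# Exec (JSON) form is required: the shell form would invoke /bin/sh, which
# does not exist in a distroless image.
ENTRYPOINT ["/app"]
```

Because the final stage has no shell, `docker exec -it <container> sh` fails instead of opening an interactive session, which is exactly the property the article describes. The same applies to your own Dockerfile: any `RUN`, `CMD` or `ENTRYPOINT` written in shell form will not work in the distroless stage, so keep package installation and other shell work in the build stage.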
Distroless Base Images
Google provides distroless base images for most of the leading programming languages and platforms.