There are a number of sets of guidance, provided by various bodies, which can be useful in understanding how to secure container environments. Generally speaking, they fall into two categories: compliance standards and hardening guides. The difference is that compliance standards generally seek to give precise recommendations at the level of specific parameters and file permissions for a specific product, whereas hardening guides tend to cover more ground at a higher level. Whilst hardening guides may include some specific details, they don't try to comprehensively cover every security-related setting in one product.
- CIS Benchmark for Kubernetes - There are benchmarks for a number of distributions. The main one covers Kubeadm and there are also benchmarks for EKS, AKS, GKE, OpenShift, ACK and OKE.
- CIS Benchmark for Docker - Worth noting that this specifically relates to Docker as a standalone container engine; some of the recommendations will not apply when it's used as the container runtime within a Kubernetes cluster.
- DISA STIG for Kubernetes - Doesn't specify which Kubernetes distribution is covered, but judging by the settings it is likely kubeadm.
- DISA STIG for Docker Enterprise - Whilst it’s Docker’s (now Mirantis’) commercial product, some of the recommendations apply generally to Docker.
- NSA Kubernetes Hardening Guide - Covers Kubernetes hardening and some related topics, such as Kubernetes audit logging and threat detection.
- PCI recommendations for containers and container orchestration - Covers container and container orchestration security in a non-product-specific way. Whilst it's targeted at PCI environments, most of the guidance applies to container environments in general. There's some commentary on it here.