pogonici - Fotolia
Is read-only mode a viable approach to container hardening?
Can containers work in read-only mode, and how does this setup make a difference in security hardening?
Read-only is a common designation for objects that shouldn't be altered. Much like a read-only Word document that a reader can open, but not update or change, read-only containers cannot be modified after creation.
Read-only mode is a good option for container hardening, as it makes them more resistant to attacks. Setting containers as read-only thwarts simple attacks where a hacker accesses a container and adds or deletes code to create an exploit. Container hardening with read-only information prevents the hacker from modifying any files in the container -- but it also prevents anyone else from doing so.
Read-only containers work well with immutable infrastructure, wherein the IT setup is never revisited, but instead destroyed and redeployed for each update. For immutable containers, the application or service in the container is redeployed each time it needs an update, and its previously used resources are made available again. In a mutable setup, where updates and fixes occur on the existing deployment, read-only containers would present a barrier to normal processes.
Immutable infrastructures enable container hardening, and also have the benefit of simplicity and consistency. The approach works well with smaller units of deployment, such as container-based microservices. For example, in an application constructed of microservices, each service can deploy in an unchangeable read-only container. If a service doesn't operate correctly in production, a developer can discard the read-only container hosting that service, and then rebuild.
Read-only containers are one container hardening option. Other security measures include root access control, advanced monitoring and full security suites that protect the container, application and infrastructure.
Read-only containers are available as a feature in Docker and Kubernetes, as well as related technologies. To use the option in Docker, select the read-only flag on startup. Any attempt to make changes to the container generates an error. Additionally, Docker users can make a specific layer of the container image read-only for more selective hardening. Organizations that use a container management platform should investigate its capabilities for hardening. For example, containers in OpenShift can run in read-only mode by default using CRI-O, an implementation of Kubernetes Container Runtime Interface.
