Configuring Secure Container Runtimes

Runtime configuration significantly impacts security posture. Default configurations often prioritize compatibility over security, requiring explicit hardening for production use. Key security configurations include enabling user namespaces, configuring seccomp profiles, and restricting capabilities. Each setting requires careful consideration of security benefits versus operational impact.

User namespace configuration provides one of the most effective runtime security improvements. By mapping container UIDs to unprivileged host UIDs, user namespaces prevent container root users from having host root privileges. This mapping complicates container escape attacks and limits damage from successful exploits. However, user namespaces can complicate volume permissions and break some applications expecting specific UIDs.

```toml
# containerd configuration with security hardening
# /etc/containerd/config.toml
version = 2

[plugins]
  [plugins."io.containerd.grpc.v1.cri"]
    enable_selinux = true
    # AppArmor is controlled by disable_apparmor; the CRI plugin has no
    # enable_apparmor key
    disable_apparmor = false

    [plugins."io.containerd.grpc.v1.cri".containerd]
      default_runtime_name = "runc"

      [plugins."io.containerd.grpc.v1.cri".containerd.runtimes]
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
          runtime_type = "io.containerd.runc.v2"

          [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc.options]
            SystemdCgroup = true

            # Security options: the seccomp profile, AppArmor profile,
            # user namespace mode and dropped capabilities (drop "ALL") are
            # not options of the runc shim. The CRI plugin receives them per
            # container in the security context of each CRI request, so they
            # are set in the workload definition rather than in this file.

        # Alternative runtime with gVisor for additional isolation
        [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runsc]
          runtime_type = "io.containerd.runsc.v1"

    # Registry configuration with authentication
    [plugins."io.containerd.grpc.v1.cri".registry]
      [plugins."io.containerd.grpc.v1.cri".registry.mirrors]
        [plugins."io.containerd.grpc.v1.cri".registry.mirrors."docker.io"]
          endpoint = ["https://registry-1.docker.io"]

      [plugins."io.containerd.grpc.v1.cri".registry.configs]
        [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.company.com"]
          [plugins."io.containerd.grpc.v1.cri".registry.configs."registry.company.com".auth]
            # Placeholders: containerd does not expand ${...} in this file,
            # so render the real values at deploy time
            username = "${REGISTRY_USERNAME}"
            password = "${REGISTRY_PASSWORD}"
```

Seccomp (Secure Computing Mode) profiles restrict system calls available to containers. Default Docker/containerd seccomp profiles block dangerous system calls while allowing common operations. Custom profiles can further restrict system calls based on application requirements. However, overly restrictive profiles may break applications, requiring careful testing and gradual rollout.
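One way to test a custom profile before rollout, as an added example that is not part of the original page: compare the profile's allowlist with the syscalls an application was observed to make. The profile, the observed list and the helper names are constructed for illustration, and `SENSITIVE` is only a subset of Docker's documented list.

```python
import json

# Constructed sample: a custom allowlist profile in the Docker/OCI JSON layout.
PROFILE_JSON = """{"defaultAction": "SCMP_ACT_ERRNO", "syscalls": [
  {"names": ["read", "write", "openat", "close", "fstat", "mmap",
             "exit_group", "mount"], "action": "SCMP_ACT_ALLOW"}]}"""

# Constructed sample: syscalls seen while exercising the application in testing.
OBSERVED = {"read", "write", "openat", "close", "fstat", "mmap",
            "exit_group", "epoll_wait", "accept4"}

# Subset of the syscalls Docker's seccomp documentation lists as blocked by
# its default profile; allowing one in a custom profile deserves a second look.
SENSITIVE = {"mount", "umount2", "pivot_root", "kexec_load", "init_module",
             "finit_module", "delete_module", "reboot", "setns", "unshare"}

DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}


def allowed_syscalls(profile):
    """Names allowed unconditionally (entries with argument filters are skipped)."""
    allowed = set()
    for entry in profile.get("syscalls", []):
        if entry.get("action") == "SCMP_ACT_ALLOW" and not entry.get("args"):
            allowed.update(entry.get("names", []))
    return allowed


def audit(profile, observed):
    """Compare a profile with observed behaviour before rolling it out."""
    allowed = allowed_syscalls(profile)
    default = profile.get("defaultAction", "")
    return {
        # False means unlisted syscalls are not blocked (e.g. SCMP_ACT_LOG staging).
        "default_denies": default in DENY_ACTIONS,
        # Observed calls that fall through to the default action: breakage risk.
        "hits_default": sorted(set(observed) - allowed),
        # Allowed although sensitive: confirm the application really needs them.
        "sensitive_allowed": sorted(allowed & SENSITIVE),
        # Allowed but never exercised: candidates for removal after more testing.
        "unused": sorted(allowed - set(observed)),
    }


if __name__ == "__main__":
    print(json.dumps(audit(json.loads(PROFILE_JSON), OBSERVED), indent=2))
```

For the constructed input, the profile would break the application on `accept4` and `epoll_wait` while still allowing `mount`, which the application never called.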