Container Security: আধুনিক কনটেইনারাইজড অ্যাপ্লিকেশনের সাইবার ঝুঁকি প্রতিরোধ!

Container Security হলো container-এর entire lifecycle জুড়ে security control implement করা—source code থেকে শুরু করে build, deploy, runtime, এবং decommission পর্যন্ত। প্রচলিত VM-based security থেকে এটি ভিন্ন কারণ container:

• Shared kernel use করে
• Ephemeral (short-lived) হতে পারে
• Massive scale-এ deployed হয়
• Frequently update হয়
• Orchestration platform (Kubernetes)-এ চলে

NIST SP 800-190 (Application Container Security Guide) container security-এর প্রথম authoritative reference। এটি পাঁচটি main concern চিহ্নিত করেছে:

1. Image risks
2. Registry risks
3. Orchestrator risks
4. Container risks
5. Host OS risks

Container security একটি end-to-end concern। প্রতিটি phase-এ আলাদা security practice।

Phase 1 - Code: Application code-এ vulnerability (OWASP Top 10)। SAST tool।

Phase 2 - Build: Dockerfile, image construction। IaC scanning, dependency check।

Phase 3 - Registry: Image storage। Image signing, vulnerability scanning।

Phase 4 - Deploy: Kubernetes manifest, Helm chart। Policy as code, admission controller।

Phase 5 - Runtime: Running container। Runtime security, behavioral monitoring।

Phase 6 - Observability: Logging, monitoring, alerting।

Container security-র foundation হলো secure image।

Vulnerability Scanning: Image-এ থাকা OS package ও application dependency-তে known CVE detect করা।

Tools:

• Trivy: Open-source, fast, comprehensive
• Grype: Anchore-র scanner
• Snyk Container: Commercial, IDE integration
• Clair: RedHat-এর OSS
• Microsoft Defender for Containers: Azure-integrated

Image Provenance: Image কোথা থেকে এসেছে তা trace করা গুরুত্বপূর্ণ।

• SBOM (Software Bill of Materials): Image-এ কী কী আছে তার complete list। Syft, SPDX, CycloneDX format।
• In-toto Attestation: Build process-এর cryptographic proof।
• Sigstore (Cosign, Fulcio, Rekor): Image signing, transparency log।

Trusted Registry: Public registry থেকে directly pull না করে private registry use করুন।

• Harbor: OSS container registry with built-in scanning
• JFrog Artifactory
• AWS ECR, Azure Container Registry, Google Artifact Registry

Minimal Base Image: Smaller image মানে fewer vulnerabilities।

• Distroless: Google-র minimal image
• Alpine: Lightweight
• Scratch: Absolutely minimum
• Chainguard: Hardened minimal images

Container supply chain attack increasingly common। SolarWinds, Codecov, 3CX—এসব attack supply chain-এর গভীর vulnerability প্রকাশ করেছে।

SLSA Framework: Supply-chain Levels for Software Artifacts—Google-প্রবর্তিত framework যা supply chain integrity-র জন্য four-level maturity model দেয়।

Key Practices:

• Verify source repository integrity
• Reproducible builds
• Signed commits
• Build provenance attestation
• Dependency pinning
• SBOM generation & verification

Notable Supply Chain Threats:

• Typosquatting (npm, PyPI)
• Dependency confusion
• Malicious base image
• Compromised CI/CD
• Stolen signing key

Image যতই secure হোক, runtime-এ unexpected behavior সম্ভব। Runtime security এই concern address করে।

Falco: CNCF-graduated runtime security tool। eBPF বা kernel module ব্যবহার করে syscall observe করে।

- rule: Unexpected outbound connection
  desc: Detect outbound connections to unexpected destinations
  condition: outbound and not allowed_destinations
  output: Unexpected outbound (container=%container.id dest=%fd.rip)
  priority: WARNING

Tetragon (Cilium): eBPF-based observability ও enforcement।

Tracee (Aqua): eBPF runtime security।

Microsoft Defender for Containers: Cloud-integrated।

Commercial CWPP:

• Sysdig Secure
• Prisma Cloud
• Aqua Security
• Wiz

Behavioral Detection: Container-এর normal behavior baseline তৈরি করে anomaly detect করা।

Kubernetes-এর own security concerns বিশাল।

API Server Hardening:

• TLS everywhere
• Anonymous auth disabled
• RBAC strict
• Audit logging
• Admission controllers

Pod Security:

• Pod Security Standards (Restricted profile)
• Security Context: runAsNonRoot, readOnlyRootFilesystem, capabilities drop
• Resource limits

Network Policy:

• Default deny
• Explicit allow
• Egress control
• Service mesh (Istio, Linkerd) for mTLS

Secret Management:

• etcd encryption at rest
• External secret managers
• Sealed Secrets
• Workload identity (avoid mounted SA token)

Admission Controllers:

• OPA Gatekeeper
• Kyverno
• Validating policy before pod creation

Container network-এ unique challenges আছে।

East-West Traffic: Cluster-এর ভিতরে service-to-service communication। Traditionally unencrypted ও unauthenticated।

Solution: Service Mesh

• mTLS automatic between services
• Fine-grained authorization
• Traffic encryption
• Observability

North-South Traffic: Cluster-এর বাইরে user-এর সাথে communication।

Ingress Security:

• WAF (Web Application Firewall)
• Rate limiting
• DDoS protection
• TLS termination

DNS Security:

• CoreDNS hardening
• DNS over TLS

Egress Control:

• Network Policy
• Egress gateway (Istio)
• DNS allowlisting

Secret container-এ properly handle করা সবচেয়ে challenging।

Don't:

• Hardcode in image
• ENV variable (visible in process list)
• ConfigMap (not encrypted)
• Plain Kubernetes Secret (base64 only)

Do:

• External secret manager: HashiCorp Vault, AWS Secrets Manager, Azure Key Vault
• External Secrets Operator (sync from external to K8s Secret)
• CSI Secret Driver (mount as volume)
• Workload Identity (no static credential)
• SOPS for GitOps
• Sealed Secrets (encrypted in Git)
• Rotation automation

প্রতিটি cloud-এ specific container security service আছে।

AWS:

• ECR Image Scanning
• Fargate (managed, no host access)
• GuardDuty for EKS
• AWS App Mesh

Azure:

• Azure Container Registry vulnerability scanning
• AKS-managed nodes with autopatching
• Microsoft Defender for Containers
• Azure Policy for AKS

GCP:

• Artifact Analysis (formerly Container Analysis)
• Binary Authorization (signed image only)
• GKE Autopilot (managed)
• Anthos Service Mesh

Container deployment-এ compliance requirement বিভিন্ন।

Standards:

• CIS Docker Benchmark
• CIS Kubernetes Benchmark
• NIST SP 800-190
• PCI DSS for containerized payment system
• HIPAA for healthcare
• SOC 2

Audit Tools:

• kube-bench (CIS K8s)
• docker-bench-security
• Kubescape (multi-framework)
• Polaris (Fairwinds)

Container security-কে CI/CD-তে integrate করা অপরিহার্য।

Shift-Left Practices:

• IDE plugin (Snyk, Checkov)
• Pre-commit hook (gitleaks, hadolint)
• PR-time scan (Trivy in GitHub Actions)
• Build-time scan & policy
• Pre-deployment admission control
• Runtime monitoring

Sample GitHub Action:

- name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@master
  with:
    image-ref: 'myapp:${{ github.sha }}'
    format: 'sarif'
    output: 'trivy-results.sarif'
    severity: 'CRITICAL,HIGH'
    exit-code: '1'

- name: Sign image with Cosign
  run: cosign sign --yes myapp:${{ github.sha }}

Container security incident detect ও respond করার জন্য proper observability দরকার।

Logging:

• Centralized log aggregation (ELK, Loki)
• Structured logs (JSON)
• Audit log retention

Metrics:

• Prometheus + Grafana
• Security-specific metrics

Tracing:

• Distributed tracing (Jaeger, Tempo)
• Service dependency visualization

Incident Response:

• Container forensics ephemeral, তাই log shipping crucial
• Snapshot containers before terminate
• Forensic-capable runtime tool (Tetragon, Falco)

TeamTNT: Cryptojacking gang যা exposed Docker API, K8s, Redis target করে।

Kinsing: Cryptominer যা container vulnerability exploit করে।

Hildegard: TeamTNT-র K8s-targeted।

Siloscape: Windows container থেকে K8s escape।

Common Attack Patterns:

1. Exposed Docker/Kubernetes API
2. Default credential
3. Vulnerable image (Log4j, etc.)
4. Misconfigured RBAC
5. Compromised CI/CD credential
6. Supply chain (malicious dependency)
7. Container escape via runtime CVE

Comprehensive container security strategy:

Image Security:

• Minimal base image
• Vulnerability scanning in CI/CD
• Image signing (Cosign)
• SBOM generation
• Private registry

Build Security:

• Multi-stage build
• Non-root user
• Reproducible builds
• Dependency pinning

Runtime Security:

• Pod Security Standards (Restricted)
• Network Policy (default deny)
• Resource limits
• Runtime security tool (Falco)
• No privileged container

Orchestrator Security:

• RBAC least privilege
• Audit logging
• Admission controller (OPA/Kyverno)
• etcd encryption

Supply Chain:

• SLSA Level 3+
• In-toto attestation
• Signed commits
• Reproducible builds

Operational:

• Patch kernel, runtime, K8s timely
• Disaster recovery
• Regular pentest
• Security training
• Incident response playbook

বাংলাদেশের fintech, e-commerce ও SaaS প্রতিষ্ঠানগুলো দ্রুতগতিতে container adoption করছে। কিন্তু security maturity প্রায়শই lag করে। একটি common pattern হলো production K8s cluster-এ default configuration, no network policy, exposed dashboard। Bangladesh Bank, BTRC এবং BGD e-GOV CIRT-এর নির্দেশিকা অনুসরণ করে এবং international best practice apply করে এই gap পূরণ করা সম্ভব।