What is an Account-Control Surface?
Understand the account-control surface and why account protection has to cover more than the login form.
Support FAQ
Container security is the work of protecting an application from image selection through build, deployment, runtime, and incident review. Containers make deployment repeatable, but they also make weak defaults repeatable. A vulnerable base image, leaked build secret, overpowered Kubernetes service account, or permissive admission rule can be copied into every environment quickly.
The useful way to think about container security is as a lifecycle. Each stage creates evidence and each stage can break trust in the next one.
| Stage | Security decision |
|---|---|
| Image source | Which base images, registries, packages, and maintainers are trusted enough to build from? |
| Build pipeline | Are dependencies scanned, secrets excluded, images signed, and provenance recorded? |
| Admission | Which images, capabilities, resource limits, and Kubernetes settings are allowed into the cluster? |
| Runtime | Does the container behave like the workload it claims to be, and can unusual network, file, or process activity be detected? |
| Evidence | Can the team trace a running container back to image, commit, scan result, deployer, policy, and incident record? |
Many container incidents start with ordinary supply chain hygiene. A base image may be stale. A package manager may pull a vulnerable dependency. A public image may include software no one needs. A developer may copy credentials into a Dockerfile or build argument. If the image is promoted without review, the runtime team inherits the problem.
Minimal images help because there is less software to patch and fewer tools for an attacker to use after compromise. They are not magic. Teams still need dependency scanning, image rebuilds when upstream packages change, registry access control, image signing where appropriate, and a clear policy for who can publish production images.
Secrets need a hard boundary. They should not be baked into images, stored in source control, printed in build logs, or passed through environment variables without review. Use a secrets manager or platform-native secret mechanism, restrict access by workload, and make rotation part of incident response rather than an emergency improvisation.
For Kubernetes, admission policy is where build intent becomes production reality. The cluster should reject workloads that violate agreed rules: privileged containers without approval, hostPath mounts, unrestricted capabilities, missing resource limits, unsigned images where signing is required, public images from unapproved registries, or pods using service accounts with broader permissions than the workload needs.
RBAC and network policy matter because container compromise is often a starting point, not the final outcome. A workload that can list secrets, talk to every namespace, or reach internal APIs creates a larger blast radius. Service accounts should have narrow permissions, and network paths should match the application design rather than the convenience of "allow all" traffic.
Runtime behaviour gives the team a second chance. Unexpected shell execution, new outbound destinations, file writes in strange locations, cryptocurrency mining patterns, suspicious DNS, or unusual API calls may indicate compromise or misconfiguration. The point is not to alert on every difference. The point is to define expected behaviour for important workloads and keep enough telemetry to investigate when it changes.
Container security becomes much stronger when evidence stays connected. A running pod should be traceable to the image digest, source commit, build job, scan result, approver, deployment record, admission policy, runtime events, and incident ticket if one exists. That evidence helps with vulnerability response, SOC 2 control operation, customer due diligence, and post-incident review.
Without that chain, teams waste time asking basic questions during incidents: which service is running this image, who deployed it, what vulnerabilities were accepted, which namespace can it reach, and whether the same image is running elsewhere.
Container security does not end at the cluster boundary. Many containerised applications expose web routes and APIs to the internet. WAF, API security, bot management, rate limiting, and DDoS controls can reduce abuse before it reaches the workload, while log forwarding can preserve request and policy evidence for investigation. Peakhour can support that external request path, but it does not replace image governance, cluster policy, secrets management, or runtime monitoring inside the platform.
Start with the promotion path. Define what makes an image trusted, which scans or checks are blocking, who can approve exceptions, which admission rules apply, how runtime events are reviewed, and how quickly vulnerable images can be found and replaced.
Container security works best when the same evidence follows the workload from build to production. If the only answer during an incident is "it passed CI at some point," the lifecycle needs tighter links.
Understand the account-control surface and why account protection has to cover more than the login form.
Learn about account takeover threats, protection strategies, and detection methods to secure your digital accounts and prevent unauthorised access.
An overview of Account Takeover Attacks
A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.
AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.
© PEAKHOUR.IO PTY LTD 2026 ABN 76 619 930 826 All rights reserved.