Support FAQ

What is Container Security?

Back to learning

Container security is the work of protecting an application from image selection through build, deployment, runtime, and incident review. Containers make deployment repeatable, but they also make weak defaults repeatable. A vulnerable base image, leaked build secret, overpowered Kubernetes service account, or permissive admission rule can be copied into every environment quickly.

The useful way to think about container security is as a lifecycle. Each stage creates evidence and each stage can break trust in the next one.

The Container Lifecycle

Stage Security decision
Image source Which base images, registries, packages, and maintainers are trusted enough to build from?
Build pipeline Are dependencies scanned, secrets excluded, images signed, and provenance recorded?
Admission Which images, capabilities, resource limits, and Kubernetes settings are allowed into the cluster?
Runtime Does the container behave like the workload it claims to be, and can unusual network, file, or process activity be detected?
Evidence Can the team trace a running container back to image, commit, scan result, deployer, policy, and incident record?

Image Trust Starts Before Deployment

Many container incidents start with ordinary supply chain hygiene. A base image may be stale. A package manager may pull a vulnerable dependency. A public image may include software no one needs. A developer may copy credentials into a Dockerfile or build argument. If the image is promoted without review, the runtime team inherits the problem.

Minimal images help because there is less software to patch and fewer tools for an attacker to use after compromise. They are not magic. Teams still need dependency scanning, image rebuilds when upstream packages change, registry access control, image signing where appropriate, and a clear policy for who can publish production images.

Secrets need a hard boundary. They should not be baked into images, stored in source control, printed in build logs, or passed through environment variables without review. Use a secrets manager or platform-native secret mechanism, restrict access by workload, and make rotation part of incident response rather than an emergency improvisation.

Kubernetes Policy Is a Production Gate

For Kubernetes, admission policy is where build intent becomes production reality. The cluster should reject workloads that violate agreed rules: privileged containers without approval, hostPath mounts, unrestricted capabilities, missing resource limits, unsigned images where signing is required, public images from unapproved registries, or pods using service accounts with broader permissions than the workload needs.

RBAC and network policy matter because container compromise is often a starting point, not the final outcome. A workload that can list secrets, talk to every namespace, or reach internal APIs creates a larger blast radius. Service accounts should have narrow permissions, and network paths should match the application design rather than the convenience of "allow all" traffic.

Runtime behaviour gives the team a second chance. Unexpected shell execution, new outbound destinations, file writes in strange locations, cryptocurrency mining patterns, suspicious DNS, or unusual API calls may indicate compromise or misconfiguration. The point is not to alert on every difference. The point is to define expected behaviour for important workloads and keep enough telemetry to investigate when it changes.

Evidence Connects Build to Runtime

Container security becomes much stronger when evidence stays connected. A running pod should be traceable to the image digest, source commit, build job, scan result, approver, deployment record, admission policy, runtime events, and incident ticket if one exists. That evidence helps with vulnerability response, SOC 2 control operation, customer due diligence, and post-incident review.

Without that chain, teams waste time asking basic questions during incidents: which service is running this image, who deployed it, what vulnerabilities were accepted, which namespace can it reach, and whether the same image is running elsewhere.

Where Edge Controls Fit

Container security does not end at the cluster boundary. Many containerised applications expose web routes and APIs to the internet. WAF, API security, bot management, rate limiting, and DDoS controls can reduce abuse before it reaches the workload, while log forwarding can preserve request and policy evidence for investigation. Peakhour can support that external request path, but it does not replace image governance, cluster policy, secrets management, or runtime monitoring inside the platform.

What Teams Need to Decide

Start with the promotion path. Define what makes an image trusted, which scans or checks are blocking, who can approve exceptions, which admission rules apply, how runtime events are reviewed, and how quickly vulnerable images can be found and replaced.

Container security works best when the same evidence follows the workload from build to production. If the only answer during an incident is "it passed CI at some point," the lifecycle needs tighter links.

Related Articles

AI Crawler User Agents

A practical reference for common AI crawler user agents, operators, purposes, and recommended Peakhour bot-management actions.

AI For Cybersecurity

AI For Cybersecurity explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

AI Image Generation

AI Image Generation explains the concept in the context of AI security, with practical checks and mitigation considerations for site operators.

© PEAKHOUR.IO PTY LTD 2026   ABN 76 619 930 826    All rights reserved.