
Container Hardening (seccomp, caps, RO fs)

Harden containers using read-only filesystems, capabilities, seccomp, and minimal images without breaking workloads.


Container Hardening Checklist

  1. Run as non-root; drop all capabilities, then add back only the ones the workload needs.
  2. Read-only root filesystem; write only to explicit mounts.
  3. Disable privilege escalation (no-new-privileges); use seccomp/AppArmor where available.
  4. Use a minimal base image; pin by digest; scan regularly.

Dockerfile Patterns

# Multi-stage build with minimal runtime
FROM golang:1.22 AS build
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app

FROM gcr.io/distroless/static:nonroot
COPY --from=build /out/app /app
USER 65532:65532
ENTRYPOINT ["/app"]
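Checklist items 1 and 4 can be enforced at build time rather than by review. The script below is an added example, not code from the original page: a small CI gate that reads a Dockerfile and reports every FROM that is not pinned by digest and any USER that is missing or resolves to root. Run against the Dockerfile above it reports both FROM lines, since they pin by tag, not digest. The function names, the rule set, the all-zero placeholder digests and the sample Dockerfiles are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): a CI gate for checklist
# items 1 (non-root) and 4 (pin by digest). Function names, rules and
# sample files are assumptions made for this example.

# dockerfile_findings FILE
# Prints one finding per line. Rules:
#   - every FROM that names an image (not an earlier build stage, not
#     "scratch") must be pinned by digest (image@sha256:...), so a rebuild
#     cannot silently pull a different image behind the same tag;
#   - a USER instruction must exist and must not resolve to root / uid 0.
dockerfile_findings() {
    # Drop comment and blank lines, then let awk walk the instructions.
    grep -Ev '^[[:space:]]*(#|$)' "$1" | awk '
        toupper($1) == "FROM" {
            # Skip FROM options such as --platform=... to reach the image.
            i = 2
            while (i <= NF && $i ~ /^--/) i++
            img = $i
            # "FROM <image> AS <name>" declares a stage alias.
            if (NF >= i + 2 && toupper($(i + 1)) == "AS") stages[$(i + 2)] = 1
            # "FROM <stage>" reuses an earlier stage; nothing to pin there.
            if (img == "scratch" || img in stages) next
            if (img !~ /@sha256:[0-9a-f]+$/)
                print "FROM " img ": not pinned by digest"
        }
        toupper($1) == "USER" { user = $2 }
        END {
            if (user == "")
                print "no USER instruction: container runs as root"
            else if (user == "root" || user == "0" || user ~ /^0:/)
                print "USER " user ": runs as root"
        }'
}

# lint_dockerfile FILE -> prints findings; exit status 1 if there are any,
# so a CI job fails on an unhardened Dockerfile.
lint_dockerfile() {
    findings=$(dockerfile_findings "$1")
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# sample_dockerfile tagged|pinned|nouser -> writes a constructed Dockerfile
# to a temp file and prints its path. "tagged" is the page's own example;
# "pinned" adds digests.
sample_dockerfile() {
    f=$(mktemp)
    # All-zero placeholder digest (not a real one), only so "pinned" parses.
    z=sha256:0000000000000000000000000000000000000000000000000000000000000000
    case "$1" in
        tagged) printf '%s\n' \
            'FROM golang:1.22 AS build' \
            'WORKDIR /src' \
            'COPY . .' \
            'RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app' \
            'FROM gcr.io/distroless/static:nonroot' \
            'COPY --from=build /out/app /app' \
            'USER 65532:65532' \
            'ENTRYPOINT ["/app"]' > "$f" ;;
        pinned) printf '%s\n' \
            "FROM golang:1.22@$z AS build" \
            'RUN CGO_ENABLED=0 go build -o /out/app ./cmd/app' \
            "FROM gcr.io/distroless/static:nonroot@$z" \
            'COPY --from=build /out/app /app' \
            'USER 65532:65532' > "$f" ;;
        nouser) printf '%s\n' \
            "FROM alpine:3.19@$z" \
            'ENTRYPOINT ["/app"]' > "$f" ;;
    esac
    printf '%s\n' "$f"
}

# CI usage: lint_dockerfile path/to/Dockerfile (non-zero exit fails the job).
if [ $# -gt 0 ]; then lint_dockerfile "$1"; fi
```

The digest check deliberately ignores `FROM <stage>` references and `FROM scratch`, which have no registry image to pin; a `COPY --from=` is not a FROM and is not checked.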

Runtime Flags (Local / CI)

# Everything is read-only except the one bind-mounted cache directory
docker run --read-only --cap-drop=ALL \
  --security-opt no-new-privileges \
  -v /tmp/app-cache:/tmp \
  myapp:prod

Failure Modes

  • A read-only root filesystem breaks apps that write to /var or /tmp; fix by mounting those paths explicitly.
  • Dropping all capabilities breaks binding to ports below 1024; listen on 8080 instead, or add back the one capability needed.
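Both failure modes are easier to avoid when the writable paths are measured instead of guessed. The script below is an added example, not code from the original page: it parses the output of `docker diff` (one `A`, `C` or `D` entry per changed path, taken from a throwaway container run once without `--read-only`) into the minimal set of directories the app writes to, then emits the runtime flags from the section above with one `--tmpfs` per such directory and `--cap-add=NET_BIND_SERVICE` only when the app must bind a port below 1024. The tmpfs mounts are my substitution for the page's host bind mount (no host path is exposed); the function names and the sample diff output are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original page): derive the runtime hardening
# flags from what the app actually writes, so --read-only does not break it.
# Workflow (steps 1 and 2 need docker and are not run here):
#   1. run the image once WITHOUT --read-only in a throwaway container
#   2. docker diff <container>      # lists A(dded)/C(hanged)/D(eleted) paths
#   3. pipe that into writable_dirs_from_diff and hand the result to
#      hardened_run_flags
# Function names, the tmpfs choice and the sample diff are assumptions.

# writable_dirs_from_diff  (reads `docker diff` output on stdin)
# Prints the smallest set of directories that must be writable: the parent
# of every added or deleted path, minus any directory already covered by an
# ancestor in the set. "C" entries are the parents docker reports for those
# same changes and add nothing.
writable_dirs_from_diff() {
    awk '$1 == "A" || $1 == "D" {
            p = $2
            sub("/[^/]*$", "", p)        # strip last component -> parent dir
            if (p == "") p = "/"
            print p
        }' \
    | sort -u \
    | awk '{
        # sort -u puts an ancestor before its descendants, so anything
        # under an already kept directory is redundant.
        for (i = 1; i <= n; i++)
            if (kept[i] == "/" || index($0, kept[i] "/") == 1) next
        kept[++n] = $0
        print
      }'
}

# hardened_run_flags PORT DIR... -> prints `docker run` flags, one per line:
# the baseline from the section above plus the two failure-mode adjustments.
hardened_run_flags() {
    port="$1"; shift
    printf '%s\n' --read-only --cap-drop=ALL --security-opt=no-new-privileges
    # Binding below 1024 needs exactly one capability back; leave it out
    # otherwise.
    if [ "$port" -lt 1024 ]; then
        printf '%s\n' --cap-add=NET_BIND_SERVICE
    fi
    # Each writable directory becomes a private tmpfs: no host path is
    # exposed and the contents disappear with the container.
    for d in "$@"; do
        printf '%s\n' "--tmpfs=$d"
    done
}

# Constructed `docker diff` output for an app that caches under /tmp and
# logs to /var/log (not captured from a real container).
sample_docker_diff() {
    printf '%s\n' \
        'C /tmp' \
        'A /tmp/app-cache' \
        'A /tmp/app-cache/index.db' \
        'C /var' \
        'C /var/log' \
        'A /var/log/app.log'
}

# Stand-alone demo: flags for an app listening on 8080 with the diff above.
# Real use:  docker run $(hardened_run_flags 8080 $dirs) myapp:prod
dirs=$(sample_docker_diff | writable_dirs_from_diff)
hardened_run_flags 8080 $dirs
```

The flags are emitted in `--flag=value` form so that an unquoted `$(hardened_run_flags ...)` splits into whole arguments; directories with spaces in their names are not handled.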