This page provides information about best practices for building and running container images.
Building containers
The approach that you take to building container images can impact the speed of builds and deployments, as well as the effort required to maintain your images.
Read the Docker best practices for building images.
Considerations for public registries
Carefully consider the following cases:
- Using images from public sources
  When you use images from public sources such as Docker Hub, you are introducing code that your organization does not control into your software supply chain. To mitigate risk, you can:
  - Build your own images to control image content.
  - Use a standardized base image and build on top of that image.
  - Scan images for vulnerabilities and address identified vulnerabilities.
  - Enforce standards and policies on images you deploy.
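The following script is an added example of the last point, enforcing a policy on the image references you deploy. It is not code from this page or from Google Cloud: it accepts a reference only when it sits under a registry path the organization controls and is pinned to a content digest rather than a mutable tag. The registry paths, image names and digests in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page: a pre-deployment gate that
# accepts only image references which come from an approved registry path and
# are pinned to a content digest. The registry paths and image names below are
# constructed placeholders.

# Registry paths your organization controls (constructed; adjust to your own).
ALLOWED_REGISTRIES="gcr.io/example-org us-docker.pkg.dev/example-org/approved"

# check_image_ref IMAGE_REF
# Returns 0 when IMAGE_REF is under an allowed registry path and is pinned to a
# well-formed sha256 digest; otherwise prints the reason to stderr and returns 1.
check_image_ref() {
  ref=$1

  # A digest-pinned reference has the form NAME[:TAG]@sha256:<64 hex chars>.
  # A tag alone (including an implicit :latest) can be moved to new content
  # after it has been reviewed or scanned, so a tag is not enough.
  case "$ref" in
    *@sha256:*) ;;
    *) echo "REJECT $ref: not pinned to a sha256 digest" >&2; return 1 ;;
  esac

  digest=${ref##*@sha256:}
  if ! printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
    echo "REJECT $ref: malformed digest '$digest'" >&2
    return 1
  fi

  # Strip the digest; the remaining NAME[:TAG] must sit under an allowed path.
  name=${ref%@sha256:*}
  for prefix in $ALLOWED_REGISTRIES; do
    case "$name" in
      "$prefix"/*) echo "ACCEPT $ref"; return 0 ;;
    esac
  done
  echo "REJECT $ref: '$name' is not under an allowed registry path" >&2
  return 1
}

# Constructed sample input: one image reference per line, as a deployment
# pipeline might collect them from a set of Kubernetes manifests.
SAMPLE_REFS='gcr.io/example-org/api:1.4.2@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
docker.io/library/alpine:3.19
gcr.io/other-org/worker@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
us-docker.pkg.dev/example-org/approved/base@sha256:deadbeef'

rejected=0
for ref in $SAMPLE_REFS; do
  check_image_ref "$ref" || rejected=$((rejected + 1))
done
echo "$rejected reference(s) rejected"
# In a CI gate, finish with: exit "$rejected"  (non-zero blocks the deployment).
```

Of the four constructed references, only the first is accepted; the public Docker Hub image has no digest, the third comes from a path outside the allowlist, and the fourth carries a malformed digest. Digest pinning is what makes a vulnerability scan result meaningful at deployment time, because the bytes that were scanned are the bytes that run.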
- Making your registries public
  You can make the registry in your Google Cloud project public by granting read access on the registry storage bucket to the allUsers identity. If all your users have Google Cloud accounts, you can limit access to authenticated users with the allAuthenticatedUsers identity instead. Consider the following guidelines before making a registry public:
  - Verify that all images you store in the registry are sharable publicly and do not expose credentials, personal data, or confidential data.
  - You are charged for network egress when users pull images. If you expect a lot of internet download traffic, consider the associated costs.
  - By default, projects have unlimited per-user quota. To prevent abuse, cap per-user quota within your project.
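Because a public grant on the storage bucket is easy to make and easy to forget, the following added script (not code from this page or from Google Cloud) audits a bucket IAM policy and reports every binding held by allUsers or allAuthenticatedUsers. It assumes the JSON shape that `gsutil iam get gs://BUCKET` prints (bindings as objects with `members` and `role`), reproduced here as constructed samples; the project name, bucket contents and etag are placeholders.

```shell
#!/bin/sh
# Added example, not from the Google Cloud page: audit a Cloud Storage bucket
# IAM policy for bindings that make a registry bucket public. The policy shape
# (as printed by `gsutil iam get gs://BUCKET`) is an assumption, and the two
# policies below are constructed samples.

# audit_bucket_policy POLICY_JSON
# Prints one line per binding granted to allUsers or allAuthenticatedUsers and
# returns 0 when nothing is public, 1 when at least one binding is public.
# Uses only tr, grep and sed so it runs where jq is not installed.
audit_bucket_policy() {
  public=0
  # Strip whitespace, then split the policy into its binding objects: each
  # {"members":[...],"role":"..."} contains no nested braces, so one grep -o
  # yields one binding per line.
  for binding in $(printf '%s' "$1" | tr -d '\n\t ' | grep -o '{[^{}]*}'); do
    case "$binding" in
      *'"allUsers"'*|*'"allAuthenticatedUsers"'*)
        role=$(printf '%s' "$binding" | sed 's/.*"role":"\([^"]*\)".*/\1/')
        principals=$(printf '%s' "$binding" | grep -o '"all[A-Za-z]*Users"' | tr -d '"' | tr '\n' ' ')
        echo "PUBLIC: $role granted to $principals"
        public=$((public + 1))
        ;;
    esac
  done
  [ "$public" -eq 0 ]
}

# Constructed policy for a registry bucket after objectViewer was granted to
# allUsers (the "make the registry public" step described above).
PUBLIC_POLICY='{
  "bindings": [
    {"members": ["projectEditor:example-project", "projectOwner:example-project"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["projectViewer:example-project"], "role": "roles/storage.legacyBucketReader"},
    {"members": ["allUsers"], "role": "roles/storage.objectViewer"}
  ],
  "etag": "CAE="
}'

# Constructed policy for the same bucket with access limited to project principals.
PRIVATE_POLICY='{
  "bindings": [
    {"members": ["projectEditor:example-project", "projectOwner:example-project"],
     "role": "roles/storage.legacyBucketOwner"},
    {"members": ["projectViewer:example-project"], "role": "roles/storage.legacyBucketReader"}
  ],
  "etag": "CAE="
}'

# report LABEL POLICY_JSON: human-readable summary for one policy.
report() {
  if audit_bucket_policy "$2"; then
    echo "$1: no public principals"
  else
    echo "$1: bucket is publicly readable; confirm no stored image contains credentials or personal data, and budget for egress"
  fi
}

report PUBLIC_POLICY "$PUBLIC_POLICY"
report PRIVATE_POLICY "$PRIVATE_POLICY"
```

Against a live bucket, pipe the real policy in with `audit_bucket_policy "$(gsutil iam get gs://BUCKET)"`, where for Container Registry the bucket is named `artifacts.PROJECT-ID.appspot.com` (or prefixed with the storage region for regional registries). Running the audit in a scheduled job turns the first guideline above into a repeatable check rather than a one-time review.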
Removing unused images
Remove unused container images to reduce storage costs and mitigate the risks of using older software. There are a number of tools available to help with this task, including gcr-cleaner. The gcr-cleaner tool is not an official Google product.
Assessing container security
The Center for Internet Security (CIS) has a Docker Benchmark for evaluating the security of a Docker container.
Docker provides an open source script called Docker Bench for Security. You can use the script to validate a running Docker container against the CIS Docker Benchmark.
Docker Bench for Security can help you verify many items in the CIS Docker Benchmark, but not all items are verifiable with the script. For example, the script cannot verify whether the host for the container is hardened or whether the container image includes personal data. Review all items in the benchmark and identify those that need additional verification.
Securing deployments
Learn about building a secure software supply chain and how to use vulnerability scanning and Binary Authorization on Google Cloud to define and enforce policies for deployment.
You can also watch a video that describes securing your software supply chain.