2. Check the container runtime

The runtime launches and manages containers; examples include containerd, CRI-O, and rkt (rkt is no longer maintained). Old runtime programs may contain security holes of their own, so you must closely track your runtime's security patches and keep it current.
3. Lock down the operating system

By reducing the installed OS components to only those the containers need, you remove tools and services an attacker could use after landing on the host. If you run containers on a conventional, general-purpose operating system, never mix containerized and non-containerized workloads on the same servers: a compromise of one of the other workloads gives the attacker a foothold on the host that every container on it shares.
4. Control root access

Most container images run their main process as root by default. Security-wise, this is a questionable practice. Yes, the Docker daemon itself runs with root privileges (rootless mode aside), but the processes inside containers don't need them. Certainly, it's easier for developers to run containers as root
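As an added example (not code from the original article or from any project it names), the following Dockerfile shows a minimal base image with the process running as an unprivileged user, which addresses both points 3 and 4 above. It assumes a statically linked binary called `app` is built separately and present in the build context; the UID/GID 10001 is an arbitrary choice outside the range of system accounts.

```dockerfile
# Added example, not part of the original article.
# Assumed: ./app is a statically linked binary built outside this Dockerfile.

# --- Weak version (for contrast, kept as comments) ---
# FROM ubuntu:22.04
# COPY app /usr/local/bin/app
# ENTRYPOINT ["/usr/local/bin/app"]
# No USER instruction, so the process starts as UID 0 inside the container,
# on top of a full distribution with shells, package manager and utilities.

# --- Hardened version ---
# Small base: far fewer packages for an attacker to work with on the host side.
FROM alpine:3.19

# Create an unprivileged system account with a fixed UID/GID (10001 is an
# arbitrary value chosen for this example) and no login shell.
RUN addgroup -g 10001 -S app \
    && adduser -u 10001 -S -G app -s /sbin/nologin app

# The binary stays owned by root and is only readable by the app user, so the
# process cannot modify its own executable.
COPY --chown=root:root app /usr/local/bin/app

# Drop privileges for every subsequent instruction and for the running container.
USER app:app

ENTRYPOINT ["/usr/local/bin/app"]
```

To confirm the result, run `docker run --rm <image> id` (assuming `id` is available in the image; it is in Alpine) and check that the output shows uid=10001. For third-party images that lack a USER instruction, the same effect can be forced at launch time with `docker run --user 10001:10001 <image>`, although the application must then be able to operate without root-owned files.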