Docker: It’s not dead yet, but there’s a tendency to walk away, security report finds

Sysdig just handed in its Container Security and Usage Report for 2021, and the latest edition shows that even though security measures tend to be better integrated than in previous years, there is still a lot to be done.

According to Sysdig, the report is based on an analysis of a subset of the workloads run by its customers that spans nearly 2 million containers, as well as on “public data sources like GitHub, Docker Hub, and the Cloud Native Computing Foundation”. 

Starting off with a look at the container runtimes deployed, the company noticed a decline in Docker usage from 79% to 50%, while containerd and cri-o use doubled compared to its last analysis, clocking in at 17% and 33% respectively.

This might be due to some platforms defaulting to other projects (OpenShift has switched to cri-o, for example), though it should be noted that Docker itself uses containerd under the hood. In terms of orchestrators used, Kubernetes unsurprisingly leads the list (75%), though OpenShift (itself a K8s distribution) seems to have grown in popularity amongst Sysdig customers (15% compared to 9% last year).

Most of those customers operate just one cluster (60%) with comparatively few nodes (60% of customer clusters consist of up to five nodes). There is a tendency to have quite a few namespaces per cluster (57% are said to have 6-10, 24% use 1-5), which might have to do with the distribution used, and namespaces are often used for alerting purposes. Most customers have three deployments per namespace (38%), followed by those with either 2 or 4, which come in at 24% each.

Another metric the report looked into was pods per cluster. It found that most clusters contain 51-100 pods (38%), followed by 29% with 26-50 pods. For pods per node, most had between 16-25 (43%), followed by 22% with 11-15 and 12% with 26-50 pods per node. The average image size observed during the analysis is 376MB, in line with the best practice of keeping images as small as possible.

As companies signal that security is becoming a priority and should be considered earlier in the development lifecycle, Sysdig found that the majority of its customers have started scanning their images pre-deployment.

At 74%, this is quite a good turnout, given that one of the major security problems voiced by security experts during the last couple of years was teams simply downloading and deploying images without thinking about their origins. And it pays off: the report finds that more than half of scans fail because of vulnerabilities rated high severity or above.

With image scanning becoming the norm, running containers with root privileges when it isn’t needed has come into focus as a source of concern. This, however, doesn’t seem to have made the rounds yet, since 58% of the images looked at were configured “overly permissive”, running with root privileges. Combine this with the insight that almost half of all containers live less than 5 minutes, and this opens up quite a few security and monitoring challenges.
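The root-privilege finding above is the kind of thing a pre-deployment check can catch in the manifest rather than at runtime. The following is an added illustration, not code from the Sysdig report: it walks constructed Kubernetes pod specs and flags every container that could start as UID 0, showing a permissive spec beside its hardened counterpart (the image name and UID 10001 are assumed sample values).

```python
"""Flag Kubernetes pod specs whose containers could run as root.

Added illustration, not code from the Sysdig report. Both manifests
below are constructed samples. The rule mirrors Kubernetes semantics:
a container runs as the image's default user (root for most base images)
unless a pod- or container-level securityContext says otherwise, and
container-level fields override pod-level ones field by field.
"""
from typing import Dict, List

# Constructed 'before' sample: no securityContext at all, so the image
# default applies and the container is root-capable.
PERMISSIVE_POD = {
    "metadata": {"name": "web"},
    "spec": {"containers": [{"name": "app", "image": "example/app:1.0"}]},
}

# Constructed 'after' sample: pins a non-root UID (assumed value) and sets
# runAsNonRoot so the kubelet refuses to start an image whose user is root.
HARDENED_POD = {
    "metadata": {"name": "web"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}


def runs_as_root(pod: Dict, container: Dict) -> bool:
    """Return True if the container could start as UID 0.

    An explicit runAsUser decides outright (0 is root, anything else is
    not). Without it, runAsNonRoot=True makes the kubelet verify the
    image user, so it is the only other setting treated as safe.
    """
    pod_sc = pod.get("spec", {}).get("securityContext") or {}
    ctr_sc = container.get("securityContext") or {}
    merged = {**pod_sc, **ctr_sc}  # container fields win over pod fields
    uid = merged.get("runAsUser")
    if uid is not None:
        return uid == 0
    return not merged.get("runAsNonRoot", False)


def root_containers(pod: Dict) -> List[str]:
    """Names of containers in the pod that could run as root."""
    return [c["name"] for c in pod["spec"].get("containers", [])
            if runs_as_root(pod, c)]


if __name__ == "__main__":
    for label, pod in (("permissive", PERMISSIVE_POD), ("hardened", HARDENED_POD)):
        print(f"{label}: root-capable containers = {root_containers(pod)}")
```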

Monitoring seems to have been high on the list of things to improve upon in the last couple of months, as a large number of customers have started to employ Prometheus (62% in 2020 compared to 46% in 2019). The most popular exporters have been node-exporter, blackbox_exporter, and jmx_exporter, so looking into at least the first two might be a good bet if you want to get started yourself.