Summary

This chapter looked at the security considerations of Docker and Windows containers. You learned that the Docker platform is built for security in depth, and that the runtime security of containers is only one part of the story. Security scanning, image signing, content trust, and secure distributed communication can be combined to give you a secure software supply chain.

You looked at the practical security aspects of running apps in Docker and learned how processes in Windows containers run in a context that makes it difficult for attackers to escape from containers and invade other processes. Container processes will use all the compute resources they need, but I also demonstrated how to limit CPU and memory usage, which can prevent rogue containers from starving the host's compute resources.

In a dockerized application, you have much more scope to enforce security in depth. I explained why minimal images help keep applications safe and how you can use Docker Security Scanning to be alerted if there are vulnerabilities in any of the dependencies your application uses. You can enforce good practices by digitally signing images and configure Docker so that it will only run containers from images that have been signed by approved users.

Lastly, I looked at the security implementation in Docker Swarm. Swarm mode has the most in-depth security of all the orchestration layers, and it provides a solid foundation for you to run your apps securely. Using secrets to store sensitive application data and node labels to identify host compliance makes it very easy for you to run a secure solution, and the open API makes it easy to integrate third-party security enhancements such as Aqua.
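As an added illustration of the Swarm features summarised above (compute limits from the earlier paragraph, plus secrets and node-label placement), here is a stack file that is not from the book; the image name, the `compliance` node label and the `db-password` secret are constructed placeholders:

```yaml
version: "3.7"

services:
  web:
    # Placeholder image reference (constructed); replace with your signed image.
    image: registry.example.com/myapp/web:v1
    deploy:
      replicas: 2
      resources:
        limits:
          # Cap the container so a runaway process cannot starve the host.
          cpus: "1.0"
          memory: 1G
      placement:
        constraints:
          # Only schedule on Windows nodes...
          - node.platform.os == windows
          # ...that an operator has labelled as compliant (hypothetical label,
          # set with: docker node update --label-add compliance=approved <node>).
          - node.labels.compliance == approved
    secrets:
      # The secret is mounted as a file inside the container rather than
      # being passed as an environment variable or baked into the image.
      - source: db-password
        target: db-password

secrets:
  db-password:
    # Created out of band with: docker secret create db-password <file>
    external: true
```

Deploying with `DOCKER_CONTENT_TRUST=1 docker stack deploy -c stack.yml myapp` makes the CLI refuse any image that has not been signed, tying the stack to the content-trust policy described earlier.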

In the next chapter we'll work with a distributed application and look at building a pipeline for CI/CD. The Docker Engine can be configured to provide remote access to the API, so it's easy to integrate Docker deployments with any build system. The CI server can even run inside a Docker container and you can use Docker for the build agents, so you don't need any complex configuration for CI/CD.
