Exposing administration services can lead to unauthorized access to containers or escalation of privilege inside of containers.
Administration services like SSH might contain vulnerabilities, hard-coded credentials, or other security issues that increase the attack surface
of a container deployment.
Even if the ports of the services do not get forwarded to the host system, by default they are reachable from other
containers in the same network. A malicious actor that gets access to one container could use such services to escalate access and privileges.
Ask Yourself Whether
- The container starts an administration service.
There is a risk if you answered yes to the question.
Recommended Secure Coding Practices
- Do not start SSH, VNC, RDP or similar administration services in containers.
Sensitive Code Example
- name: Podman tasks
hosts: server
tasks:
- name: Start SSH server
containers.podman.podman_container:
name: container
image: lscr.io/linuxserver/openssh-server:version-9.7_p1-r4
publish:
- "22:2222" # Sensitive
See
