Container Security: Docker & Kubernetes Hardening 2026
70% of all Docker containers run as root – a critical security risk. Comprehensive container security for Moltbot: from hardened Dockerfiles through Kubernetes Network Policies to runtime protection with Falco.
Why Is Container Security Critical? Simply Explained
Imagine packing your house into a container, but leaving the door unlocked and giving the tenant the master keys. Docker containers run as root by default, which means an attacker who escapes the container immediately has root access to the host. A Kubernetes cluster with no restrictive network policies allows every pod to talk to every other pod, which is perfect for lateral movement. This guide closes these gaps systematically.
🚨 Critical stat: 70% of Docker containers run as root. 58% have no security contexts. 40% have no resource limits.
Hardened Dockerfile (Production-Ready)
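# Moltbot Production Dockerfile (hardened)
FROM node:20-alpine AS builder
WORKDIR /app
COPY package*.json ./
# --omit=dev replaces the deprecated --only=production; use plain `npm ci` here
# if the build needs devDependencies (this stage is not shipped)
RUN npm ci --omit=dev && npm cache clean --force
COPY . .
RUN npm run build

FROM node:20-alpine AS runner
# Security: Non-root user
RUN addgroup -g 1001 -S moltbot && adduser -S moltbot -u 1001 -G moltbot
WORKDIR /app
# Security: files owned by the non-root user; the read-only root filesystem
# itself is enforced at runtime (readOnlyRootFilesystem in the Deployment)
COPY --chown=moltbot:moltbot --from=builder /app/.next/standalone ./
COPY --chown=moltbot:moltbot --from=builder /app/public ./public
# Next.js standalone output does not include static assets; copy them explicitly
COPY --chown=moltbot:moltbot --from=builder /app/.next/static ./.next/static
USER moltbot
EXPOSE 3000
ENV NODE_ENV=production PORT=3000
# Security: No privileged operations
CMD ["node", "server.js"]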
Kubernetes Network Policy (Zero Trust)
# moltbot-network-policy.yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: moltbot-netpol
  namespace: production
spec:
  podSelector:
    matchLabels:
      app: moltbot
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # A bare podSelector only matches pods in this policy's namespace (production)
    - from:
        - podSelector:
            matchLabels:
              role: ingress-controller
      ports:
        - protocol: TCP
          port: 3000
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: postgres
      ports:
        - protocol: TCP
          port: 5432
    - to:
        - namespaceSelector:
            matchLabels:
              # Label set automatically on every namespace (Kubernetes 1.21+)
              kubernetes.io/metadata.name: kube-system
      ports:
        - protocol: UDP
          port: 53 # DNS
        - protocol: TCP
          port: 53 # DNS over TCP (large responses)

Pod Security Standards & Security Context
# moltbot-deployment.yaml (security context)
apiVersion: apps/v1
kind: Deployment
metadata:
  name: moltbot
spec:
  template:
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1001
        fsGroup: 1001
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: moltbot
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            limits:
              cpu: "500m"
              memory: "512Mi"
            requests:
              cpu: "100m"
              memory: "128Mi"
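
Added example (not part of the original page or the Moltbot project): a Python check that audits a Deployment for the security-context and resource-limit settings shown above, applying container-level overrides of pod-level values. The function name, the sample manifest and the "log-shipper" sidecar are constructed for illustration; real input would come from `kubectl get deployment <name> -o json`.

```python
# Added example: audits a Deployment (a dict parsed from
# `kubectl get deployment <name> -o json`) for the settings shown above.

def audit_deployment(deploy):
    """Return {container name: [findings]} for each container in the pod template."""
    pod = deploy["spec"]["template"]["spec"]
    pod_sc = pod.get("securityContext") or {}
    report = {}
    for c in pod.get("containers", []) + pod.get("initContainers", []):
        sc = c.get("securityContext") or {}
        # Fields that exist at both levels: the container value wins over the pod value.
        eff = lambda key: sc.get(key, pod_sc.get(key))
        findings = []
        if eff("runAsNonRoot") is not True:
            findings.append("runAsNonRoot is not true")
        if eff("runAsUser") == 0:
            findings.append("runAsUser is 0 (root)")
        if (eff("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
            findings.append("no seccomp profile")
        # Container-only fields: unset means the permissive default applies.
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append("allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append("root filesystem is writable")
        drops = (sc.get("capabilities") or {}).get("drop") or []
        if "ALL" not in (d.upper() for d in drops):
            findings.append("capabilities not dropped")
        limits = (c.get("resources") or {}).get("limits") or {}
        findings += [f"no {r} limit" for r in ("cpu", "memory") if r not in limits]
        report[c["name"]] = findings
    return report

# Constructed sample: the moltbot container as configured above, plus a
# hypothetical "log-shipper" sidecar that overrides the pod-level runAsNonRoot.
HARDENED = {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
            "capabilities": {"drop": ["ALL"]}}
SAMPLE = {"spec": {"template": {"spec": {
    "securityContext": {"runAsNonRoot": True, "runAsUser": 1001, "fsGroup": 1001,
                        "seccompProfile": {"type": "RuntimeDefault"}},
    "containers": [
        {"name": "moltbot", "securityContext": HARDENED,
         "resources": {"limits": {"cpu": "500m", "memory": "512Mi"}}},
        {"name": "log-shipper", "securityContext": {"runAsNonRoot": False},
         "resources": {"limits": {"memory": "64Mi"}}},
    ]}}}}

if __name__ == "__main__":
    for name, findings in audit_deployment(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

The sidecar inherits the pod-level seccomp profile and UID but still fails five checks, which is why the container-level fields have to be set on every container rather than once per pod.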