Exposing administration services increases the attack surface of a container deployment. Administration services like SSH, VNC, or RDP may contain vulnerabilities, hard-coded credentials, or other security weaknesses. Modern container technologies provide built-in management capabilities that make running dedicated administration services inside containers unnecessary.
Ansible provides native connection plugins and tools for accessing running containers without SSH, making administration services unnecessary.
Even when an administration service port is not forwarded to the host, it is by default reachable from other containers on the same network. A malicious actor who compromises one container can exploit exposed administration services to pivot to other containers across the deployment.
When an administration service port is forwarded to the host system or exposed through an external load balancer, it becomes reachable from outside the container environment. An attacker can exploit vulnerabilities or weak credentials in services such as SSH to gain direct access to the container or the underlying host system.
Do not start any administration service in the container. Use podman exec to access a running container, or configure Ansible to connect directly to the container using ansible_connection: containers.podman.podman. Note that simply removing the publish directive is not sufficient: a container running an administration service remains accessible from other containers on the same Podman network.
- name: Podman tasks
  hosts: server
  tasks:
    - name: Start container
      containers.podman.podman_container:
        name: container
        image: my_application_image
        command: "/usr/sbin/sshd -f /etc/ssh/sshd_config -D"
        publish:
          - "22:22" # Noncompliant

- name: Podman tasks
  hosts: server
  tasks:
    - name: Start container
      containers.podman.podman_container:
        name: container
        image: my_application_image
Do not start any administration service in the container. Use docker exec to access a running container, or configure Ansible to connect directly to the container using ansible_connection: community.docker.docker or ansible_connection: community.docker.docker_api. Note that simply removing the ports directive is not sufficient: a container running an administration service remains accessible from other containers on the same Docker network.
- name: Docker Compose tasks
  hosts: server
  tasks:
    - name: Start services
      community.docker.docker_compose_v2:
        project_name: my_project
        definition:
          services:
            app:
              image: my_application_image
              command: /usr/sbin/sshd -f /etc/ssh/sshd_config -D
              ports:
                - "22:22" # Noncompliant

- name: Docker Compose tasks
  hosts: server
  tasks:
    - name: Start services
      community.docker.docker_compose_v2:
        project_name: my_project
        definition:
          services:
            app:
              image: my_application_image
Do not start any administration service in the container. Use docker exec to access a running container, or configure Ansible to connect directly to the container using ansible_connection: community.docker.docker or ansible_connection: community.docker.docker_api. Note that simply removing the published_ports directive is not sufficient: a container running an administration service remains accessible from other containers on the same Docker network.
- name: Docker container tasks
  hosts: server
  tasks:
    - name: Start container
      community.docker.docker_container:
        name: container
        image: my_application_image
        command: "/usr/sbin/sshd -f /etc/ssh/sshd_config -D"
        published_ports:
          - "22:22" # Noncompliant

- name: Docker container tasks
  hosts: server
  tasks:
    - name: Start container
      community.docker.docker_container:
        name: container
        image: my_application_image
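As an added example that is not part of the rule description, the following Python check applies the three fixes above to playbook tasks as yaml.safe_load parses them: it reports a container that starts an administration daemon even when no publish, ports or published_ports directive is present, and separately reports any forwarded administration port. The module and directive names are those used above; the daemon and port lists, the function names and the constructed sample tasks are assumptions.

```python
"""Audit parsed Ansible tasks (as yaml.safe_load returns them) for container administration services."""
# Module name -> directive that forwards container ports to the host.
PORT_DIRECTIVES = {
    "containers.podman.podman_container": "publish",
    "community.docker.docker_container": "published_ports",
}
ADMIN_PORTS = {22, 3389, 5900}            # SSH, RDP, VNC (assumed list)
ADMIN_DAEMONS = ("sshd", "xrdp", "vnc")   # substrings of typical daemon binaries (assumed list)


def container_port(mapping):
    """'22:22', '127.0.0.1:2222:22/tcp' or 22 -> 22: the container side is the last field."""
    try:
        return int(str(mapping).split("/")[0].split(":")[-1])
    except ValueError:
        return None


def audit_service(label, spec, port_key):
    """Flag the administration daemon itself (even when unpublished) and any forwarded admin port."""
    findings = []
    command = spec.get("command") or ""
    command = " ".join(map(str, command)) if isinstance(command, list) else str(command)
    if any(daemon in command for daemon in ADMIN_DAEMONS):
        findings.append(f"{label}: starts an administration daemon: {command}")
    for mapping in spec.get(port_key) or []:
        if container_port(mapping) in ADMIN_PORTS:
            findings.append(f"{label}: forwards an administration port via {port_key}: {mapping}")
    return findings


def audit_tasks(tasks):
    findings = []
    for task in tasks:
        name = task.get("name", "<unnamed task>")
        for module, port_key in PORT_DIRECTIVES.items():
            if module in task:
                findings += audit_service(name, task[module], port_key)
        compose = task.get("community.docker.docker_compose_v2") or {}
        for svc, spec in (compose.get("definition") or {}).get("services", {}).items():
            findings += audit_service(f"{name}/{svc}", spec, "ports")
    return findings


# Constructed sample: the parsed form of the podman and compose noncompliant tasks shown above.
SAMPLE_TASKS = [
    {"name": "Start container", "containers.podman.podman_container": {
        "name": "container", "image": "my_application_image",
        "command": "/usr/sbin/sshd -f /etc/ssh/sshd_config -D", "publish": ["22:22"]}},
    {"name": "Start services", "community.docker.docker_compose_v2": {
        "project_name": "my_project", "definition": {"services": {"app": {
            "image": "my_application_image", "ports": ["22:22"],
            "command": "/usr/sbin/sshd -f /etc/ssh/sshd_config -D"}}}}},
]
```

Running audit_tasks(SAMPLE_TASKS) yields four findings, two per task; removing only the port directive still leaves the daemon finding, which is the point of the note above.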