openshift-docs/security/container_security/security-understanding.adoc

:_mod-docs-content-type: ASSEMBLY
[id="security-understanding"]
= Understanding container security
include::_attributes/common-attributes.adoc[]
:context: security-understanding

toc::[]

Securing a containerized application relies on multiple levels of security:

* Container security begins with a trusted base container image and continues
through the container build process as it moves through your CI/CD pipeline.
+
[IMPORTANT]
====
Image streams by default do not automatically update. This default behavior might create a security issue because security updates to images referenced by an image stream do not automatically occur.
For information about how to override this default behavior, see xref:../../openshift_images/image-streams-manage.adoc#images-imagestreams-import_image-streams-managing[Configuring periodic importing of imagestreamtags].
====
* When a container is deployed, its security depends on it running
on secure operating systems and networks, and
establishing firm boundaries between the container itself and
the users and hosts that interact with it.
* Continued security relies on being able to scan container images for
vulnerabilities and having an efficient way to correct and
replace vulnerable images.

Beyond what a platform such as {product-title} offers out of the box,
your organization will likely have its own security demands. Some level
of compliance verification might be needed before you can even bring
{product-title} into your data center.

Likewise, you may need to add your own agents, specialized hardware drivers,
or encryption features to {product-title}, before it can meet your
organization's security standards.

This guide provides a high-level walkthrough of the container security measures
available in {product-title}, including solutions for the host layer, the
container and orchestration layer, and the build and application layer.
It then points you to specific {product-title} documentation to
help you achieve those security measures.

This guide contains the following information:

* Why container security is important and how it compares with existing security standards.
* Which container security measures are provided by the host ({op-system} and {op-system-base}) layer and
which are provided by {product-title}.
* How to evaluate your container content and sources for vulnerabilities.
* How to design your build and deployment process to proactively check container content.
* How to control access to containers through authentication and authorization.
* How networking and attached storage are secured in {product-title}.
* Containerized solutions for API management and SSO.

The goal of this guide is to understand the incredible security benefits of
using {product-title} for your containerized workloads and how the entire
Red Hat ecosystem plays a part in making and keeping containers secure.
It will also help you understand how you can engage with the {product-title}
to achieve your organization's security goals.

// What are containers?
include::modules/security-understanding-containers.adoc[leveloffset=+1]

// What is OpenShift?
include::modules/security-understanding-openshift.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
* xref:../../architecture/architecture.adoc#architecture[{product-title} architecture]
* link:https://www.redhat.com/en/resources/openshift-security-guide-ebook[OpenShift Security Guide]