Getting your cloud-native basics right starts with the containers you build.
Containers run everywhere, from CaaS platforms to your laptop, to massive Kubernetes clusters. But too often, they're built without security, maintainability, or production-readiness in mind.
This week, we’re revisiting some timeless, but frequently overlooked, best practices.
In this post, you’ll find a practical checklist for designing and building better containers. It starts with the Twelve-Factor App principles, dives into secure base images, covers why you shouldn't run as root, and wraps up with build and update strategies.
Configuration & Secrets
- Never bake secrets into your container image.
- Use environment variables or mounted configuration files for flexibility and security.
Observability
- Make your container observable by logging to stdout/stderr.
- Expose metrics so you can monitor health and performance.
Portability
- Build your container image once and use it across environments — “build once, deploy often.”
- Treat databases and external services as dependencies you connect to, not as part of the container itself.
Security First
- Start with hardened base images like Distroless, Chainguard, or Alpine.
- Keep only runtime dependencies; remove shells and compilers when unnecessary.
- Automate base image updates (e.g., with Renovate).
- Run containers with an unprivileged user instead of root. (Distroless already includes a nonroot user.)
Image Design & Build Process
- Use multi-stage builds to strip out build dependencies.
- Verify container signatures and scan for vulnerabilities — fail builds if critical issues are found.
- Optimize Dockerfiles for caching and build performance.
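The Configuration & Secrets, Security First and Image Design points above come together in one Dockerfile. The following is an added example written for this post, not a file from any project it mentions: a Go service built in a pinned builder stage and shipped on a Distroless nonroot runtime image. The module layout (a binary called `app` under `./cmd/app`), the port and the config path are assumptions; everything else is standard Dockerfile and BuildKit syntax.

```dockerfile
# syntax=docker/dockerfile:1
# Added example (not from the original post). Assumed: the module builds a
# binary named "app" from ./cmd/app and listens on 8080; adjust to your project.

# ---- Stage 1: build ---------------------------------------------------------
# Pinned by tag here for readability; in a real pipeline pin by digest
# (golang:1.22-bookworm@sha256:<digest>) so a tool like Renovate bumps it
# deliberately and the build stays reproducible.
FROM golang:1.22-bookworm AS build
WORKDIR /src

# Copy the dependency manifests first: the module download layer is then
# cached until go.mod/go.sum change, not on every source edit.
COPY go.mod go.sum ./

# Build-time credentials (for example a .netrc for private modules) are
# mounted for this one step only and never written to an image layer.
# The mount is optional: public-only builds work without supplying it.
#   docker build --secret id=netrc,src=$HOME/.netrc -t app:dev .
RUN --mount=type=secret,id=netrc,target=/root/.netrc go mod download

COPY . .
# Static binary with no libc dependency, so the runtime stage can be the
# "static" Distroless variant: no shell, no package manager, no compiler.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" -o /out/app ./cmd/app

# ---- Stage 2: runtime -------------------------------------------------------
# static-debian12 carries only CA certificates, tzdata and passwd entries.
# The :nonroot tag already defaults USER to nonroot (uid 65532).
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/app /app

# No ENV lines with tokens or passwords: runtime configuration arrives as
# environment variables (docker run -e, Kubernetes env) or as a mounted
# file such as /etc/app/config.yaml from a ConfigMap or Secret volume.
# The service logs to stdout/stderr and serves /metrics on this port.
EXPOSE 8080

# Stated explicitly even though the base image sets it, so a later change
# of FROM cannot silently return the process to root.
USER nonroot:nonroot

# exec form: no shell is involved (there is none in the image anyway).
ENTRYPOINT ["/app"]
```

Because every build dependency lives in the first stage, the final image contains the binary, certificates and a passwd file and nothing else, which is what makes vulnerability scans quiet and base-image updates mechanical. Running `docker run --rm app:dev id` would fail on purpose: there is no `id` or shell to execute, which is the property you want.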
Dependency Management
- Choose third-party dependencies carefully and validate them.
- Reduce your container’s footprint — smaller images are faster, safer, and easier to maintain.
Key Takeaway
- Design containers with security, observability, and efficiency in mind. A well-crafted container is lightweight, non-root, easily configurable, and production-ready.
Yes, it’s full of bullet points, for good reason. These are the foundations. And later this week, we’ll take a closer look at how to put them into action. Stay tuned.