Layer the defences: "Non-root user, minimal base image, read-only filesystem, dropped capabilities, resource limits, and image scanning in CI. Each layer catches what the others miss."
Key practices:
- Run as a non-root user (USER directive in the Dockerfile, or --user at run time).
- Use minimal base images (alpine, distroless, scratch) so there is less to patch and less for an attacker to use after a compromise.
- Scan images for vulnerabilities in CI (Trivy, Snyk, Docker Scout) and fail the build on findings above your threshold.
- Do not bake secrets into image layers or pass them as environment variables; use Docker secrets or an external vault.
- Set a read-only root filesystem where possible, with a tmpfs for paths that must be writable.
- Drop capabilities (--cap-drop=ALL, then --cap-add only what the workload actually needs) and set --security-opt no-new-privileges.
- Limit resources (memory, CPU, pids) so one container cannot starve the host.
- Use signed images with Docker Content Trust and pin tags or digests rather than :latest.
- Keep the host Docker daemon and kernel updated.
Strong candidates discuss: the principle of least privilege applied to containers, seccomp profiles, AppArmor/SELinux, the risk of mounting the Docker socket (/var/run/docker.sock) into a container, and that root inside a container is root on the host unless user namespace remapping is enabled.
Critical for production container security. Candidates who run containers as root with full capabilities are creating unnecessary risk. Those who understand the layered security model and can articulate specific mitigations build secure container deployments.
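As an added example, not part of this answer guide or any Docker project code, the script below shows a hardened Dockerfile and `docker run` line that apply the controls listed above, together with two small POSIX-shell audits that flag a Dockerfile or run command missing them. The image name myapp:1.0, the use of the distroless static image, and the specific audit heuristics (which only recognise the `--flag=value` spelling and an explicit `:latest` tag) are assumptions for illustration; the script only inspects text and never contacts a Docker daemon, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original page): hardened Dockerfile + run line,
# and text-only audits for the layered controls. Works without a Docker daemon.

# Hardened Dockerfile (constructed sample). Distroless static has no shell or
# package manager; its built-in "nonroot" user is uid 65532.
hardened_dockerfile() {
  cat <<'EOF'
FROM gcr.io/distroless/static-debian12:nonroot
COPY --chown=nonroot:nonroot app /app
USER nonroot:nonroot
ENTRYPOINT ["/app"]
EOF
}

# Hardened run line (myapp:1.0 is a hypothetical image): every capability
# dropped, immutable root fs with a scratch tmpfs, no setuid escalation,
# memory/CPU/pid ceilings, explicit unprivileged uid.
hardened_run_cmd() {
  printf '%s' 'docker run --rm --read-only --tmpfs /tmp --cap-drop=ALL --security-opt=no-new-privileges --memory=256m --cpus=0.5 --pids-limit=100 --user 65532:65532 myapp:1.0'
}

# audit_dockerfile FILE: prints "ok" (status 0) or "findings: ..." (status 1).
# Heuristic checks: USER present and not root, no explicit :latest base tag,
# no secret-looking names in ENV.
audit_dockerfile() {
  f="$1"; findings=""
  grep -Eq '^[[:space:]]*USER[[:space:]]' "$f" || findings="$findings no-USER-directive"
  grep -Eq '^[[:space:]]*USER[[:space:]]+(root|0)([[:space:]:]|$)' "$f" && findings="$findings USER-root"
  grep -Eq '^[[:space:]]*FROM[[:space:]]+[^[:space:]]+:latest([[:space:]]|$)' "$f" && findings="$findings FROM-latest-tag"
  grep -Eiq '^[[:space:]]*ENV[[:space:]].*(PASSWORD|SECRET|TOKEN|API_KEY)' "$f" && findings="$findings secret-in-ENV"
  if [ -z "$findings" ]; then echo ok; return 0; fi
  echo "findings:$findings"; return 1
}

# audit_run_cmd "docker run ...": same output convention as above.
# Only the --flag=value spelling is recognised; "--flag value" is not parsed.
audit_run_cmd() {
  cmd="$1"; findings=""
  for flag in --cap-drop=ALL --read-only --security-opt=no-new-privileges --memory= --pids-limit=; do
    case " $cmd " in *" $flag"*) ;; *) findings="$findings missing:$flag" ;; esac
  done
  # Flags that defeat the whole model: privileged mode, the daemon socket
  # mounted inside the container, or SYS_ADMIN added back.
  case " $cmd " in *" --privileged "*) findings="$findings privileged-flag" ;; esac
  case "$cmd" in *docker.sock*) findings="$findings docker-socket-mounted" ;; esac
  case " $cmd " in *" --cap-add=SYS_ADMIN"*) findings="$findings cap-add-SYS_ADMIN" ;; esac
  if [ -z "$findings" ]; then echo ok; return 0; fi
  echo "findings:$findings"; return 1
}

# Demo: audit the hardened samples and a deliberately risky run line.
tmp=$(mktemp); hardened_dockerfile > "$tmp"
echo "hardened Dockerfile: $(audit_dockerfile "$tmp")"
rm -f "$tmp"
echo "hardened run: $(audit_run_cmd "$(hardened_run_cmd)")"
echo "risky run: $(audit_run_cmd 'docker run --privileged -v /var/run/docker.sock:/var/run/docker.sock nginx:latest')"
```

The audits are deliberately simple string checks, suitable as a CI gate on Dockerfiles and compose-generated run lines; they complement, not replace, image scanning (Trivy, Snyk, Docker Scout) and runtime policy (seccomp, AppArmor/SELinux), which inspect the image contents and the kernel surface rather than the command line.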