Security is an afterthought in Docker: deploy first, questions later, the Dirty Harry way. I learned lots about Docker's lack of defense while trying to harden my instances and questioned why some of the options weren't enabled by default (--cap-drop=all, --security-opt=no-new-privileges and userns remap) other than exposing bad Dockerfile practices.
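An added example, not part of the original comment: a small audit that reports which of the three options named above are missing for each container, reading `docker inspect` output and the daemon's `daemon.json`. The sample JSON is constructed and the function names are hypothetical; it assumes the `HostConfig.CapDrop`, `HostConfig.SecurityOpt` and `HostConfig.UsernsMode` fields of `docker inspect` and the `userns-remap` and `no-new-privileges` keys of `daemon.json`.

```python
import json

# Constructed sample: trimmed `docker inspect` output for two containers.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "HostConfig": {"CapDrop": ["ALL"], "CapAdd": ["NET_BIND_SERVICE"],
    "SecurityOpt": ["no-new-privileges"], "UsernsMode": ""}},
  {"Name": "/legacy", "HostConfig": {"CapDrop": null, "CapAdd": null,
    "SecurityOpt": null, "UsernsMode": "host"}}
]
""")

# Constructed sample: contents of /etc/docker/daemon.json.
SAMPLE_DAEMON = {"userns-remap": "default"}


def no_new_privs(security_opt, daemon_cfg):
    """True if no-new-privileges is in effect for the container."""
    effective = bool(daemon_cfg.get("no-new-privileges", False))  # daemon default
    for opt in security_opt or []:
        key, _, value = opt.replace("=", ":", 1).partition(":")
        if key == "no-new-privileges":
            effective = value.lower() != "false"  # bare flag means true
    return effective


def audit(containers, daemon_cfg):
    """Return {container name: [hardening options that are missing]}."""
    report = {}
    for c in containers:
        host = c.get("HostConfig") or {}
        missing = []
        if "ALL" not in {d.upper() for d in host.get("CapDrop") or []}:
            missing.append("--cap-drop=all")
        if not no_new_privs(host.get("SecurityOpt"), daemon_cfg):
            missing.append("--security-opt=no-new-privileges")
        # Remapping is daemon-wide; --userns=host opts a container out of it.
        if not daemon_cfg.get("userns-remap") or host.get("UsernsMode") == "host":
            missing.append("userns-remap")
        report[c.get("Name", "?").lstrip("/")] = missing
    return report


if __name__ == "__main__":
    for name, missing in audit(SAMPLE_INSPECT, SAMPLE_DAEMON).items():
        print(name, "OK" if not missing else "missing: " + ", ".join(missing))
```

On a real host, feed it `json.loads` of `docker inspect $(docker ps -q)` and the parsed `daemon.json` in place of the constructed samples.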