US12050697B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-12050697-B2 |
| Application number | US-202318296648-A |
| Country | US |
| Kind code | B2 |
| Filing date | Apr 6, 2023 |
| Priority date | Oct 1, 2015 |
| Publication date | Jul 30, 2024 |
| Grant date | Jul 30, 2024 |
Abstract
Execution of software containers is secured using security profiles. A security profile is generated for a container image, wherein the container image includes resources utilized to execute a corresponding application container, wherein the generated security profile includes at least a spawned processes profile, wherein the spawned processes profile includes, for each spawned process executed at runtime by the application container, a signature of an executable file of the spawned process. The operation of a runtime execution of the application container is monitored. A violation of the spawned processes profile is detected based on the monitored operation.
Claims (preview)
The invention claimed is:

1. A method comprising: generating a security profile for a container image based on determining a plurality of actions to be performed by runtime instances of the container image; enforcing the security profile for containers corresponding to runtime instances of the container image based on monitoring communications of the containers, wherein enforcing the security profile comprises, for each of the containers, intercepting at least one of communications to the container and communications from the container; for each intercepted communication, analyzing the intercepted communication based on the security profile to determine if the intercepted communication violates the security profile; and based on determining that the intercepted communication violates the security profile, performing an enforcement action.
2. The method of claim 1, wherein generating the security profile comprises, based on analyzing the container image, determining a plurality of callable units in the container image; and mapping the plurality of callable units to a plurality of system calls, wherein each of the plurality of callable units maps to one or more of the plurality of system calls, wherein the plurality of actions comprises indications of the plurality of system calls.
3. The method of claim 1, wherein generating the security profile comprises, based on analyzing the container image, identifying an entry point script of the container image; determining one or more processes to be spawned by the runtime instances of the container image that are indicated in the entry point script; and creating one or more signatures that correspond to the one or more processes, wherein the plurality of actions comprises the one or more signatures.
4. The method of claim 3, wherein creating the one or more signatures comprises, for each process of the one or more processes, creating a signature of the process based on contents of an executable file corresponding to the process.
5. The method of claim 1, wherein generating the security profile comprises, based on analyzing a network configuration of the container image, determining a plurality of permissible network actions to be performed for network resources, wherein the plurality of actions comprises indications of the plurality of permissible network actions.
6. The method of claim 1, wherein generating the security profile comprises, based on analyzing the container image, determining a plurality of permissible file system actions to be performed for file system resources, wherein the plurality of actions comprises indications of the plurality of permissible file system actions.
7. The method of claim 1, wherein performing the enforcement action comprises at least one of generating an alert and halting operation of the container.
8. The method of claim 1 further comprising detecting a change to or addition of the container image in a container image registry, wherein generating the security profile is based on detecting the change or addition.
9. One or more non-transitory machine-readable media having program code stored thereon, the program code comprising instructions to: generate a security profile for a container image, wherein the security profile indicates a plurality of actions determined to be performed by runtime instances of the container image; based on monitoring a first container corresponding to a runtime instance of the container image, intercept a communication to or from the first container; determine whether the communication violates the security profile based on analysis of the communication against the security profile; and based on a determination that the communication violates the security profile, perform an enforcement action.
10. The non-transitory machine-readable media of claim 9, wherein the instructions to perform the enforcement action comprise at least one of instructions to generate an alert, instructions to halt operation of the first container, instructions to halt or disable execution of a process, and instructions to quarantine a file.
11. The non-transitory machine-readable media of claim 9, wherein the instructions to generate the security profile comprise instructions to, based on analysis of the container image, determine a plurality of callable units in the container image; and map each of the plurality of callable units to one or more system calls, wherein the plurality of actions comprises indications of a plurality of system calls to which the plurality of callable units mapped.
12. The non-transitory machine-readable media of claim 9, wherein the instructions to generate the security profile comprise instructions to, based on analysis of the container image, identify an entry point script of the container image; determine one or more processes to be spawned by the runtime instances of the container image that are indicated in the entry point script; and create one or more signatures that correspond to the one or more processes based on obtained executable files corresponding to the one or more processes, wherein the plurality of actions comprises the one or more signatures.
13. The non-transitory machine-readable media of claim 9, wherein the instructions to generate the security profile comprise instructions to, based on analysis of a network configuration of the container image, determine a plurality of permissible network actions to be performed for network resources, wherein the plurality of actions comprises indications of the plurality of permissible network actions.
14. The non-transitory machine-readable media of claim 9, wherein the instructions to generate the security profile comprise instructions to, based on analysis of the container image, determine a plurality of permissible file system actions to be performed for file system resources, wherein the plurality of actions comprises indications of the plurality of permissible file system actions.
15. An apparatus comprising: a processor; and a machine-readable medium having instructions stored thereon that are executable by the processor to cause the apparatus to, generate a security profile for a container image based on a determination of a plurality of parameters for actions to be performed by runtime instances of the container image; intercept communications of a first container, wherein the first container is a runtime instance of the container image; for each of the intercepted communications, determine if the intercepted communication violates the security profile based on analysis of the intercepted communication against the security profile; and based on a determination that the intercepted communication violates the security profile, perform an enforcement action.
16. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to perform the enforcement action comprise at least one of instructions executable by the processor to cause the apparatus to generate an alert and instructions executable by the processor to cause the apparatus to halt operation of the first container.
17. The apparatus of claim 15, wherein the instructions executable by the processor to cause the apparatus to generate the security profile comprise instructions executable by the processor to cause the apparatus to, based on analysis of the container image, determine at least one of a plurality of allowed system calls, one or more signatures of spawned processes, and a plurality of permissible actions to be performed on at le
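To make the claimed profile-then-enforce loop concrete, the following is an added Python sketch that is not the patent's own code or an implementation of it. It builds a profile from a constructed in-memory image (an entry point script, the bytes of the executables it names, a network configuration and a list of writable directories), signs each spawned process by the contents of its executable file as in claims 3 and 4 (the patent does not name a digest; SHA-256 is an assumption here), records permissible egress hosts and writable directories as in claims 5 and 6, and then analyzes a constructed stream of intercepted runtime events against the profile, returning an alert or halt per violation as in claims 1 and 7. The event schema, the entry-point parsing heuristic and all sample values are constructed for the example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class ContainerImage:
    """Constructed in-memory stand-in for a container image (not a real OCI image)."""
    entrypoint: str       # contents of the entry point script
    files: dict           # path -> bytes of each executable file in the image
    network_config: dict  # assumed shape: {"egress_hosts": [...]}
    writable_dirs: list   # directories the application is expected to write to


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def processes_from_entrypoint(script: str, files: dict) -> list:
    """Claim 3: determine the processes the entry point script will spawn.
    Heuristic: the first token of each non-comment line (after an optional
    'exec') that resolves to an executable present in the image."""
    procs = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("exec "):
            line = line[len("exec "):].strip()
        cmd = line.split()[0]
        if cmd in files and cmd not in procs:
            procs.append(cmd)
    return procs


def generate_profile(image: ContainerImage) -> dict:
    """Build the security profile from the image alone (claims 3 to 6)."""
    procs = processes_from_entrypoint(image.entrypoint, image.files)
    return {
        # claim 4: signature derived from the executable's contents (SHA-256 assumed)
        "spawned_processes": {p: sha256(image.files[p]) for p in procs},
        # claim 5: permissible network actions from the image's network configuration
        "egress_hosts": set(image.network_config.get("egress_hosts", [])),
        # claim 6: permissible file system actions
        "write_dirs": [d.rstrip("/") + "/" for d in image.writable_dirs],
    }


def check_event(profile: dict, event: dict):
    """Analyze one intercepted runtime event (assumed schema) against the profile.
    Returns None when the event is allowed, else (enforcement_action, reason) as in claim 7."""
    kind = event["type"]
    if kind == "exec":
        expected = profile["spawned_processes"].get(event["path"])
        if expected is None:
            return ("halt", f"process {event['path']} is not in the spawned-process profile")
        if expected != event["sha256"]:
            return ("halt", f"executable signature mismatch for {event['path']}")
    elif kind == "connect":
        if event["host"] not in profile["egress_hosts"]:
            return ("alert", f"egress to {event['host']} is not in the profile")
    elif kind == "write":
        if not any(event["path"].startswith(d) for d in profile["write_dirs"]):
            return ("alert", f"write to {event['path']} is outside the permitted directories")
    return None


def enforce(profile: dict, events: list) -> list:
    """Claim 1: evaluate every intercepted event and collect the enforcement actions."""
    return [v for e in events if (v := check_event(profile, e)) is not None]


# Constructed sample image: two executables reachable from the entry point script.
SAMPLE_IMAGE = ContainerImage(
    entrypoint="#!/bin/sh\n# constructed entry point\n/app/migrate\nexec /app/server --port 8080\n",
    files={
        "/app/migrate": b"\x7fELF-migrate-constructed",
        "/app/server": b"\x7fELF-server-constructed",
    },
    network_config={"egress_hosts": ["db.internal"]},
    writable_dirs=["/var/app/data", "/tmp"],
)

# Constructed runtime events in the shape a monitor might intercept them (schema assumed).
SAMPLE_EVENTS = [
    {"type": "exec", "path": "/app/migrate", "sha256": sha256(b"\x7fELF-migrate-constructed")},
    {"type": "exec", "path": "/app/server", "sha256": sha256(b"\x7fELF-server-constructed")},
    {"type": "connect", "host": "db.internal"},
    {"type": "write", "path": "/var/app/data/cache.db"},
    {"type": "exec", "path": "/app/server", "sha256": sha256(b"modified-server-constructed")},
    {"type": "exec", "path": "/tmp/unexpected", "sha256": sha256(b"unknown-constructed")},
    {"type": "connect", "host": "203.0.113.9"},
    {"type": "write", "path": "/etc/passwd"},
]


def run_demo() -> list:
    """Profile the sample image, then enforce that profile against the sample events."""
    return enforce(generate_profile(SAMPLE_IMAGE), SAMPLE_EVENTS)
```

Running `run_demo()` yields four verdicts: the first four events match the profile, the re-executed server with a different digest and the process not named in the entry point each produce a halt, and the unlisted egress host and the write outside the permitted directories each produce an alert. The profile is derived entirely before the container runs, which is the property the claims rely on: the monitor compares runtime behaviour against expectations fixed at image-analysis time rather than learning them from the running container.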
CPC classification titles:

- by executing in a restricted environment, e.g. sandbox or secure virtual machine
- Test or assess software
- Assessing vulnerabilities and evaluating computer system security