I am interested to learn how you control which container image runs on your cluster.
Do you care at all?
Do you allow images from outside your company (e.g. Docker Hub)?
How do you check for conformance, e.g. how did you ensure only “trusted” base images are used?
Do you sign your containers? How do you do this?
How and where do you check these conditions?
This is an interesting topic I would love to hear some input on. Another question that has come up for me: How do you ensure your pods are running the latest version of your tag available? If you push a base image security fix you need to rebuild your application too but in general that would still be the same tag (if you version app images by app version).
I was thinking about a tool that queries running images and compares them to the currently available tag, but I haven’t seen such tooling yet.
Every Docker image has a SHA256 digest, so it should be fairly easy to compare that against the current/trusted version in a central registry. I think most of the work in real-world deployments would be in the process around this: how do you get notified about non-compliance, and how would you handle this?
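To make the digest comparison from this reply concrete, and to cover the registry allowlist and "trusted base image" questions from the opening post, here is an added example (not code from anyone in the thread). It parses image references the way Docker does (implicit docker.io and library/ namespace, tag versus registry port), flags images from registries outside an allowlist, flags pod specs that pin by tag instead of digest, and flags containers whose running digest differs from what the registry currently serves for the same tag, which is exactly the "tag rebuilt after a base-image fix" case. All registries, tags and digests are constructed; in a real cluster the spec image comes from `spec.containers[].image`, the running digest from `status.containerStatuses[].imageID`, and the current digests from the registry's manifest API.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# All sample data below is constructed for this example (hypothetical registries,
# tags and digests); it is not taken from any real cluster or registry.
ALLOWED_PREFIXES = ("registry.example.internal", "ghcr.io/example-org")

# What the registry currently serves for each tag ("registry/repo:tag" -> digest).
# In practice this would be fetched from the registry's manifest API.
CURRENT_DIGESTS = {
    "registry.example.internal/app/api:1.4.2": "sha256:" + "a1" * 32,
    "registry.example.internal/app/worker:2.0.0": "sha256:" + "b2" * 32,
    "ghcr.io/example-org/proxy:3.1": "sha256:" + "c3" * 32,
}

# Observed containers: "namespace/pod" -> (image from the pod spec, imageID reported by the runtime).
RUNNING = {
    "prod/api-7d9f": ("registry.example.internal/app/api:1.4.2@sha256:" + "a1" * 32,  # pinned by digest
                      "registry.example.internal/app/api@sha256:" + "a1" * 32),
    "prod/worker-5c2a": ("registry.example.internal/app/worker:2.0.0",  # tag only
                         "registry.example.internal/app/worker@sha256:" + "00" * 32),  # older build of that tag
    "prod/proxy-9b1e": ("ghcr.io/example-org/proxy:3.1",
                        "ghcr.io/example-org/proxy@sha256:" + "c3" * 32),
    "dev/debug-1a2b": ("busybox:latest",  # implicit Docker Hub
                       "docker.io/library/busybox@sha256:" + "d4" * 32),
}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def name(self) -> str:
        return f"{self.registry}/{self.repository}"


def parse_reference(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest,
    applying Docker's defaults (docker.io registry, library/ namespace, latest tag)."""
    original, digest = ref, None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {original!r}")
    # A tag is a ':' after the last '/', so a registry port ("host:5000/x") is not mistaken for one.
    tag = None
    if ref.rfind(":") > ref.rfind("/"):
        ref, tag = ref.rsplit(":", 1)
    parts = ref.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repo = parts[0], parts[1:]
    else:
        registry, repo = "docker.io", parts
    if registry == "docker.io" and len(repo) == 1:
        repo = ["library"] + repo
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(registry, "/".join(repo), tag, digest)


def check_image(spec_image: str, running_image_id: str) -> list[str]:
    """Compliance findings for one container (an empty list means compliant)."""
    spec, running = parse_reference(spec_image), parse_reference(running_image_id)
    findings = []
    if not any(spec.name == p or spec.name.startswith(p + "/") for p in ALLOWED_PREFIXES):
        findings.append(f"registry not allowed: {spec.name}")
    if spec.digest is None:
        findings.append("image not pinned by digest in pod spec")
    # Same tag, different content: the tag was rebuilt (e.g. a base-image fix)
    # but this pod is still running the digest it pulled earlier.
    current = CURRENT_DIGESTS.get(f"{spec.name}:{spec.tag}") if spec.tag else None
    if current is not None and running.digest != current:
        findings.append(f"stale: running {running.digest}, registry now serves {current} for tag {spec.tag}")
    return findings


def audit(running: dict[str, tuple[str, str]] = RUNNING) -> dict[str, list[str]]:
    """Map each non-compliant container to its findings."""
    report = {}
    for pod, (image, image_id) in running.items():
        findings = check_image(image, image_id)
        if findings:
            report[pod] = findings
    return report


if __name__ == "__main__":
    for pod, findings in audit().items():
        print(pod)
        for finding in findings:
            print("  -", finding)
```

Run as-is, it reports the worker pod as both unpinned and stale, the proxy pod as unpinned, and the busybox pod as pulled from a registry outside the allowlist; the digest-pinned api pod is compliant. The same `check_image` logic is what a validating admission webhook or a periodic job would apply; the notification and remediation process around it is, as the reply says, the harder part.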