Container Image Trust / Conformance


#1

Hi,

I am interested to learn how you control which container image runs on your cluster.

Do you care at all?
Do you allow images from outside your company (e.g. Docker Hub)?
How do you check for conformance, e.g. how do you ensure only “trusted” base images are used?

Do you sign your containers? How do you do this?
How and where do you check these conditions?

Regards


#2

This is an interesting topic I would love to hear some input on. Another question that has come up for me: how do you ensure your pods are running the latest version of your tag available? If you push a base image security fix, you need to rebuild your application too, but in general that would still be the same tag (if you version app images by app version).

I was thinking about a tool that queries running images and compares them to the currently available tag, but I haven’t seen such tooling yet.


#3

Every Docker image has a SHA256 digest, so it should be fairly easy to compare that against the current/trusted version in a central registry. I think most of the work in real-world deployments would be in the process around this: how do you get notified about non-compliance, and how would you handle this?
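The digest comparison from the two posts above (a running pod's image digest versus the digest the registry currently serves for the same tag), as an added example that is not part of the thread. It reads the shape of `kubectl get pods -A -o json` (the `imageID` in `status.containerStatuses[]` carries the manifest digest, with or without the dockershim-era `docker-pullable://` prefix). The pod list, the registry name `registry.example.com` and the digests are constructed; the registry lookup is a dict standing in for a real `HEAD /v2/<repo>/manifests/<tag>` call.

```python
"""Flag pods whose running image digest differs from what the registry now
serves for the same tag (the "rebuilt base image, same app tag" case), or
whose image is not in the trusted registry at all.

Added example, not from the original thread. All names and digests are
constructed; REGISTRY_DIGESTS stands in for a live registry query."""
import re
from typing import Dict, List

# A manifest digest is "sha256:" followed by 64 hex characters.
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")


def fake_digest(ch: str) -> str:
    # Constructed placeholder; a real one is the sha256 of the image manifest.
    return "sha256:" + ch * 64


# Constructed sample in the shape of `kubectl get pods -A -o json`, trimmed to the fields used.
PODS = {
    "items": [
        {   # tag 1.4.2 was rebuilt (base image fix); this pod still runs the old digest
            "metadata": {"namespace": "shop", "name": "api-7f9c6d-abcde"},
            "spec": {"containers": [{"name": "api", "image": "registry.example.com/shop/api:1.4.2"}]},
            "status": {"containerStatuses": [{"name": "api",
                "imageID": "docker-pullable://registry.example.com/shop/api@" + fake_digest("a")}]},
        },
        {   # up to date
            "metadata": {"namespace": "shop", "name": "worker-5d8b-fghij"},
            "spec": {"containers": [{"name": "worker", "image": "registry.example.com/shop/worker:2.0.0"}]},
            "status": {"containerStatuses": [{"name": "worker",
                "imageID": "registry.example.com/shop/worker@" + fake_digest("c")}]},
        },
        {   # pulled from outside the company registry: nothing trusted to compare against
            "metadata": {"namespace": "shop", "name": "cache-0"},
            "spec": {"containers": [{"name": "redis", "image": "docker.io/library/redis:6"}]},
            "status": {"containerStatuses": [{"name": "redis",
                "imageID": "docker.io/library/redis@" + fake_digest("d")}]},
        },
    ]
}

# Constructed stand-in for "which digest does the trusted registry serve for this tag right now".
REGISTRY_DIGESTS: Dict[str, str] = {
    "registry.example.com/shop/api:1.4.2": fake_digest("b"),      # moved on after the rebuild
    "registry.example.com/shop/worker:2.0.0": fake_digest("c"),
}


def running_digest(image_id: str) -> str:
    """Extract the manifest digest from a containerStatuses[].imageID value.
    Works for 'docker-pullable://repo@sha256:...' and plain 'repo@sha256:...'."""
    m = DIGEST_RE.search(image_id)
    if not m:
        raise ValueError(f"no digest in imageID: {image_id!r}")
    return m.group(1)


def check_pods(pods: dict, registry: Dict[str, str]) -> List[dict]:
    """One finding per running container: state is 'current', 'stale' or 'unknown'."""
    findings = []
    for pod in pods["items"]:
        spec_images = {c["name"]: c["image"] for c in pod["spec"]["containers"]}
        for st in pod["status"].get("containerStatuses", []):
            image = spec_images[st["name"]]
            running = running_digest(st["imageID"])
            current = registry.get(image)
            if current is None:
                state = "unknown"   # tag is not served by the trusted registry
            elif current == running:
                state = "current"
            else:
                state = "stale"     # same tag, but the registry has a newer digest
            findings.append({
                "namespace": pod["metadata"]["namespace"], "pod": pod["metadata"]["name"],
                "container": st["name"], "image": image,
                "running": running, "current": current, "state": state,
            })
    return findings


def noncompliant(pods: dict, registry: Dict[str, str]) -> List[dict]:
    """Everything that should trigger a notification: stale or unknown images."""
    return [f for f in check_pods(pods, registry) if f["state"] != "current"]


if __name__ == "__main__":
    for f in noncompliant(PODS, REGISTRY_DIGESTS):
        print(f"{f['state']:8} {f['namespace']}/{f['pod']} {f['image']} running {f['running'][:19]}...")
```

Run against a live cluster by replacing `PODS` with the parsed output of `kubectl get pods -A -o json` and `REGISTRY_DIGESTS` with per-tag lookups; the "unknown" state is the part worth wiring into an alert, since it is exactly the image nobody vetted.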


#4

@praseodym comparing the SHA256 should be easy, but how do you add “trust” to a container image?


#5

Yes exactly, that is my point. I would love to hear some insight from people who solved this issue.


#6

I will be interested to know more too, as I have not seen any good open source tool in this space.

But here are a few options that I know.

Monitoring of container images can be divided into two areas:

1 – Scanning/auditing images before they get deployed to Kubernetes or any other container orchestration tool.

In this area there are tools like JFrog Artifactory X-Ray and some Sonatype Lifecycle tools, and you can integrate them with your CI pipelines.

2 – After an image is deployed: checking/auditing/scanning image version/checksum etc. In this space tools like Sysdig and Aquasec are helpful.

These tools provide lots of functionality, control and security for your Kubernetes infrastructure.

All of these tools have open source versions as well.
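The "before it gets deployed" gate from point 1 above, and the "how and where do you check these conditions" question from the opening post, as an added example that is not part of the thread and not code from any of the tools named in it: the decision logic of a Kubernetes validating admission webhook that rejects a Pod unless every container image comes from the company registry, is pinned by digest rather than a tag, and carries a digest the CI scan step has approved. The registry name, the approved digests and the AdmissionReview bodies are constructed; the allow-list stands in for whatever the pipeline publishes after scanning (the thread does not settle how signing is done, so no signature scheme is assumed here).

```python
"""Image policy for a validating admission webhook: trusted registry only,
digest-pinned, digest on the CI-approved list.

Added example, not from the original thread. Policy values and request
bodies are constructed; APPROVED_DIGESTS stands in for the CI scan output."""
from typing import List, Set

# Constructed policy: only this registry prefix is trusted.
TRUSTED_REGISTRIES = ("registry.example.com/",)


def fake_digest(ch: str) -> str:
    # Constructed placeholder; a real one is the sha256 of the image manifest.
    return "sha256:" + ch * 64


# Constructed allow-list of digests that passed the pre-deployment scan.
APPROVED_DIGESTS: Set[str] = {fake_digest("a"), fake_digest("b")}


def image_violations(image: str, approved: Set[str]) -> List[str]:
    """Return the policy violations for one image reference (empty list = compliant)."""
    problems = []
    if not image.startswith(TRUSTED_REGISTRIES):
        problems.append(f"{image}: not from a trusted registry")
    if "@sha256:" not in image:
        # A tag can be repointed after the scan; only a digest names an exact image.
        problems.append(f"{image}: not pinned to a digest")
    else:
        digest = image.rsplit("@", 1)[1]
        if digest not in approved:
            problems.append(f"{image}: digest {digest[:19]}... not approved by CI")
    return problems


def review(admission_review: dict, approved: Set[str] = APPROVED_DIGESTS) -> dict:
    """Build the admission.k8s.io/v1 AdmissionReview response for a Pod CREATE/UPDATE."""
    req = admission_review["request"]
    spec = req["object"].get("spec", {})
    violations: List[str] = []
    # initContainers run code too, so they are held to the same policy.
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        violations += image_violations(c["image"], approved)
    response = {"uid": req["uid"], "allowed": not violations}
    if violations:
        response["status"] = {"code": 403, "message": "; ".join(violations)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


def make_review(uid: str, images: List[str]) -> dict:
    """Constructed AdmissionReview request in the shape the API server POSTs to the webhook."""
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {
            "uid": uid,
            "kind": {"group": "", "version": "v1", "kind": "Pod"},
            "operation": "CREATE",
            "object": {"spec": {"containers": [
                {"name": f"c{i}", "image": img} for i, img in enumerate(images)]}},
        },
    }


GOOD = make_review("uid-1", ["registry.example.com/shop/api@" + fake_digest("a")])
BAD = make_review("uid-2", [
    "docker.io/library/redis:6",                          # external, floating tag
    "registry.example.com/shop/worker:2.0.0",             # trusted registry, but not pinned
    "registry.example.com/shop/api@" + fake_digest("f"),  # pinned, but never scanned
])

if __name__ == "__main__":
    import json
    print(json.dumps(review(GOOD)["response"]))
    print(json.dumps(review(BAD)["response"], indent=2))
```

Wiring this into a cluster is the usual ValidatingWebhookConfiguration plus a TLS-terminated HTTP handler that calls `review()` on the POSTed body; the check itself deliberately operates on the Pod spec, not on the registry, so it rejects the request before anything is pulled.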