Container Security by Liz Rice

Author: Liz Rice
Language: eng
Format: epub
Publisher: O'Reilly Media, Inc.
Published: 2020-06-24T16:00:00+00:00


Image deployment security

The main security concern at deployment time is ensuring that the correct image gets pulled and run, although there are additional checks you might want to make through what is called Admission Control.

Deploying the right image

As you saw in “Identifying images”, container image tags are not immutable: a tag can be moved to point at a different version of the same image. Referring to images by their digest rather than by tag helps ensure that the image you run is the version you think it is. However, if your build system tags images with semantic versioning and this is strictly adhered to, tags may be sufficient and easier to manage, since you don’t necessarily have to update the image reference for every minor update.

If you refer to images by tag, you should always pull the latest version before running in case there has been an update. Fortunately, this is relatively efficient since the image manifest is retrieved first, and image layers only have to be retrieved if they have changed.

In Kubernetes this behaviour is controlled by the imagePullPolicy field of the container spec. A policy of pulling every time (imagePullPolicy: Always) is unnecessary if you refer to images by digest, since any update would mean you have to change the digest anyway.
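The interaction between tag-versus-digest references and imagePullPolicy is easy to get wrong by omission, because Kubernetes chooses a default policy when the field is left out (Always for an untagged or :latest reference, IfNotPresent otherwise). The following script is an added example, not code from the book or from Kubernetes: it parses image references in the [registry/]repository[:tag][@sha256:...] form, works out the effective pull policy, and reports the combinations the text warns about (a floating tag, a tag reference that will not be re-pulled, and a redundant Always on a digest-pinned image). The container specs at the bottom are constructed sample data, and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# A content digest as it appears after '@' in an image reference.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


@dataclass(frozen=True)
class ImageRef:
    name: str               # optional registry plus repository path
    tag: Optional[str]      # None when no tag was given
    digest: Optional[str]   # None when the reference is not pinned

    @property
    def pinned(self) -> bool:
        # Only a digest identifies one specific image content; a tag can be moved.
        return self.digest is not None


def parse_image_ref(ref: str) -> ImageRef:
    """Split a reference of the form [registry/]repo[:tag][@sha256:<hex>]."""
    name, at, digest = ref.partition("@")
    if at and not DIGEST_RE.match(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    # The tag is whatever follows the last ':' that comes after the last '/';
    # this keeps a registry port such as localhost:5000 from being read as a tag.
    tag = None
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
    if not name:
        raise ValueError(f"empty repository in {ref!r}")
    return ImageRef(name, tag, digest or None)


def effective_pull_policy(ref: ImageRef, declared: Optional[str]) -> str:
    """Kubernetes default when imagePullPolicy is omitted: Always for an
    untagged or ':latest' reference, IfNotPresent for anything else."""
    if declared:
        return declared
    if not ref.pinned and ref.tag in (None, "latest"):
        return "Always"
    return "IfNotPresent"


def audit_containers(containers: list) -> list:
    """Return (container name, level, message) findings for Kubernetes-style
    container specs: dicts with 'name', 'image' and optional 'imagePullPolicy'."""
    findings = []
    for spec in containers:
        ref = parse_image_ref(spec["image"])
        policy = effective_pull_policy(ref, spec.get("imagePullPolicy"))
        cname = spec["name"]
        if ref.pinned:
            if policy == "Always":
                findings.append((cname, "info",
                                 "digest-pinned image does not need imagePullPolicy: Always"))
            continue
        if ref.tag in (None, "latest"):
            findings.append((cname, "warn",
                             "floating tag; pin by digest or use a strict version tag"))
        if policy != "Always":
            findings.append((cname, "warn",
                             f"tag reference with imagePullPolicy {policy}: "
                             "a moved tag would not be re-pulled"))
    return findings


# Constructed sample container specs (hypothetical registry and digests).
SAMPLE_CONTAINERS = [
    {"name": "api", "image": "registry.example.com/team/api:1.4.2",
     "imagePullPolicy": "Always"},                                    # acceptable
    {"name": "worker", "image": "registry.example.com/team/worker:1.4.2"},  # defaults to IfNotPresent
    {"name": "sidecar", "image": "registry.example.com/team/proxy@sha256:" + "a" * 64},  # pinned
    {"name": "cache", "image": "localhost:5000/cache:latest"},          # floating tag
    {"name": "db", "image": "registry.example.com/team/db:2.0@sha256:" + "b" * 64,
     "imagePullPolicy": "Always"},                                    # redundant Always
]

if __name__ == "__main__":
    for cname, level, msg in audit_containers(SAMPLE_CONTAINERS):
        print(f"[{level}] {cname}: {msg}")
```

The same checks are a natural fit for an admission controller, which is where the first paragraph suggests additional deployment-time checks belong: reject or warn on a pod whose containers are not digest-pinned, rather than discovering a moved tag after the fact.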

Depending on your risk profile, you may also want to check the provenance of the image by verifying an image signature managed by a tool such as the aforementioned Notary.
