4. Supply Chain Security

Minimize base image footprint

minimal images, official, only necessary packages, remove shells, package managers, text editors and tools
distroless docker images https://github.com/GoogleContainerTools/distroless

Image Security

private repository (regestry)
- kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email=
- spec: containers: - name: private-reg-container image: <your-private-image> imagePullSecrets: - name: regcred

Whitelist Allowed Registry - Image Policy Webhook

admission webhook server
OPA

ImagePolicyWebhook

/etc/kubernetes/admission/admission_configuration.yaml

apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: ImagePolicyWebhook
    configuration:
      imagePolicy:
        kubeConfigFile: /etc/kubernetes/admission/kubeconf
        allowTTL: 50
        denyTTL: 50
        retryBackoff: 500
        defaultAllow: true

/etc/kubernetes/admission/kubeconf

apiVersion: v1
kind: Config

# clusters refers to the remote service.
clusters:
- cluster:
    certificate-authority: /etc/kubernetes/admission/external-cert.pem  # CA for verifying the remote service.
    server: https://external-service:1234/check-image                   # URL of remote service to query. Must use 'https'.
  name: image-checker

contexts:
- context:
    cluster: image-checker
    user: api-server
  name: image-checker
current-context: image-checker
preferences: {}

# users refers to the API server's webhook configuration.
users:
- name: api-server
  user:
    client-certificate: /etc/kubernetes/admission/apiserver-client-cert.pem     # cert for the webhook admission controller to use
    client-key:  /etc/kubernetes/admission/apiserver-client-key.pem             # key matching the cert

--admission-control-config-file=/etc/kubernetes/admission/admission_configuration.yaml
--enable-admission-plugins=NodeRestriction,ImagePolicyWebhook

Use static analysis of user workloads

manual approach - visual check
kubesec (https://kubesec.io/)
- kubesec scan pod.yaml
Conftest - OPA

kubesec run as:

Binary https://github.com/controlplaneio/kubesec/releases
docker container
docker run -i kubesec/kubesec scan /dev/stdin < kubesec-test.yaml
kubectl plugin
admission controller (kubesec-webhook)

Scan images for known vulnerabilities (Trivy)

crictl pull python:3.6.12-alpine3.11
trivy image python:3.10.0a4-alpine --output /root/python_alpine.txt
trivy image --input ruby-2.3.0.tar --output /root/python_alpine.txt -f json

Previous3. Minimize Microservice Vulnerabilities Next5. Monitoring, Logging and Runtime Security

Last updated 2 years ago

hashtagMinimize base image footprint

hashtagImage Security

hashtagWhitelist Allowed Registry - Image Policy Webhook

hashtagUse static analysis of user workloads

hashtagkubesec run as:

hashtagScan images for known vulnerabilities (Trivy)

Minimize base image footprint

Image Security

Whitelist Allowed Registry - Image Policy Webhook

Use static analysis of user workloads

kubesec run as:

Scan images for known vulnerabilities (Trivy)