4. Supply Chain Security

Minimize base image footprint

Image Security

  • private repository (registry)

    • kubectl create secret docker-registry regcred --docker-server= --docker-username= --docker-password= --docker-email=

    • spec:
        containers:
        - name: private-reg-container
          image: <your-private-image>
        imagePullSecrets:
        - name: regcred

Whitelist Allowed Registry - Image Policy Webhook

  1. admission webhook server

  2. OPA

  3. ImagePolicyWebhook

    1. /etc/kubernetes/admission/admission_configuration.yaml

      apiVersion: apiserver.config.k8s.io/v1
      kind: AdmissionConfiguration
      plugins:
        - name: ImagePolicyWebhook
          configuration:
            imagePolicy:
              kubeConfigFile: /etc/kubernetes/admission/kubeconf
              allowTTL: 50          # seconds an "allow" answer is cached
              denyTTL: 50           # seconds a "deny" answer is cached
              retryBackoff: 500     # milliseconds between retries to the webhook
              defaultAllow: true    # fail-open: images are admitted if the webhook is unreachable; false fails closed
    2. /etc/kubernetes/admission/kubeconf

      apiVersion: v1
      kind: Config
      
      # clusters refers to the remote service.
      clusters:
      - cluster:
          certificate-authority: /etc/kubernetes/admission/external-cert.pem  # CA for verifying the remote service.
          server: https://external-service:1234/check-image                   # URL of remote service to query. Must use 'https'.
        name: image-checker
      
      contexts:
      - context:
          cluster: image-checker
          user: api-server
        name: image-checker
      current-context: image-checker
      preferences: {}
      
      # users refers to the API server's webhook configuration.
      users:
      - name: api-server
        user:
          client-certificate: /etc/kubernetes/admission/apiserver-client-cert.pem     # cert for the webhook admission controller to use
          client-key: /etc/kubernetes/admission/apiserver-client-key.pem              # key matching the cert
    3. --admission-control-config-file=/etc/kubernetes/admission/admission_configuration.yaml

      --enable-admission-plugins=NodeRestriction,ImagePolicyWebhook
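A minimal decision routine for the backend behind the ImagePolicyWebhook configured above, as an added example (not from these notes or any project): it takes the ImageReview object kube-apiserver POSTs to the `server` URL in kubeconf and allows the pod only when every container image comes from an allow-listed registry. `ALLOWED_REGISTRIES` and the sample request are assumptions.

```python
"""Registry allow-list logic for an ImagePolicyWebhook backend (added example)."""

# Assumed allow-list: Docker Hub plus one internal registry.
ALLOWED_REGISTRIES = {"docker.io", "registry.example.com:5000"}

# Constructed ImageReview request, the shape kube-apiserver sends to the webhook.
SAMPLE_REQUEST = {
    "apiVersion": "imagepolicy.k8s.io/v1alpha1",
    "kind": "ImageReview",
    "spec": {
        "namespace": "default",
        "containers": [
            {"image": "python:3.6.12-alpine3.11"},   # implicit docker.io
            {"image": "gcr.io/project/app:v1"},      # not in the allow-list
        ],
    },
}


def registry_of(image: str) -> str:
    """Return the registry host of an image reference using Docker's rule:
    the first path component is a registry only if it contains '.' or ':'
    or is 'localhost'; otherwise the image resolves to docker.io."""
    first, sep, _rest = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def review(image_review: dict, allowed=ALLOWED_REGISTRIES) -> dict:
    """Fill in .status of an ImageReview: allowed only if every container
    image is hosted on an allow-listed registry; otherwise deny with a reason
    that names the offending images (kube-apiserver surfaces it to kubectl)."""
    containers = image_review.get("spec", {}).get("containers", [])
    denied = [c.get("image", "") for c in containers
              if registry_of(c.get("image", "")) not in allowed]
    status = {"allowed": not denied}
    if denied:
        status["reason"] = "image registry not allow-listed: " + ", ".join(denied)
    return {"apiVersion": image_review["apiVersion"],
            "kind": "ImageReview", "status": status}


if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

The HTTPS listener, client-certificate verification of the API server, and a `defaultAllow: false` setting in the admission configuration are what turn this into a fail-closed control.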

Use static analysis of user workloads

  • manual approach - visual check

  • kubesec (https://kubesec.io/)

    • kubesec scan pod.yaml

  • Conftest - OPA

kubesec run as:

Scan images for known vulnerabilities (Trivy)

  • crictl pull python:3.6.12-alpine3.11

  • trivy image python:3.10.0a4-alpine --output /root/python_alpine.txt

  • trivy image --input ruby-2.3.0.tar --output /root/python_alpine.txt -f json
