Secure All Software - Issue #12 - Containers and Kubernetes
Thoughts
Unverified container images can do a lot of harm to a company. Running applications in containers is widely adopted and many companies use them, yet very few have a guideline on how to use and secure these tools. Anyone can choose any image on services like Docker Hub and deploy it, but what is actually running in those containers is hard to inspect. Anyone can publish an image on any service and distribute their own version of it.
Here are a few easy things to do that reduce the risk.
Only use official images that are maintained by the projects you use. This substantially reduces the risk of a malicious actor injecting something. It could still happen that someone takes over an account and modifies the originals. Unfortunately tags can be overwritten and there is no widely adopted signing mechanism yet. To protect against this, push the images you are using to your own registry and sync updates only after you have inspected them.
If you need a customized version of an image, build it yourself. This might cause some extra work, but it reduces the risk tremendously. Keep your version as close as possible to the original; this will make maintenance and updates easier in the future. Do not rely on someone else’s customized version: it is very likely that it won’t be updated or receive the necessary care. The base images for your own applications should be built on some form of minimal Linux such as Alpine Linux or Distroless. On top of these you can build your application container from the ground up and own the full setup.
Using simple and lightweight distributions ensures slim images that are easy to maintain and upgrade. Try to stick to as few Linux variants as possible to reduce maintenance overhead.
Enable container scanning on your registry for known vulnerabilities, both in the OS packages and in your application dependencies. In the past you would have one version of an OS rolled out to multiple instances. With containers and technologies like Kubernetes, we have a multitude of variations and versions that need to be checked and kept up to date.
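The recommendations above (official images only, mirrored to your own registry, pinned so an overwritten upstream tag cannot change what you run, and a minimal base image you build on yourself) can be enforced mechanically before anything reaches a cluster. The following policy check is an added example written for this issue, not code from the newsletter or any project it mentions. It scans Dockerfile FROM lines and the `image:` keys of Kubernetes manifests and reports references that do not come from the company mirror, are not pinned by digest, or use a floating tag. The registry name `registry.example.com`, the policy rules, the sample Dockerfiles and manifest, and the digest values (placeholders of the right shape, not real image digests) are all assumptions constructed for the example.

```python
"""Policy check for container image references in Dockerfiles and Kubernetes manifests.

Added example for illustration; the policy values below are assumptions, not settings
from the newsletter. Reference grammar handled (simplified OCI form):
    [registry[:port]/]repository[:tag][@sha256:<64 hex>]
"""
from __future__ import annotations

import re
from dataclasses import dataclass

ALLOWED_REGISTRIES = {"registry.example.com"}   # hypothetical company-owned mirror
DOCKER_HUB = "docker.io"                         # implicit registry when none is given
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")
FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE)
IMAGE_LINE_RE = re.compile(r"^\s*-?\s*image:\s*[\"']?([^\"'\s]+)")


@dataclass
class ImageRef:
    raw: str
    registry: str
    repository: str
    tag: str | None
    digest: str | None


def parse_image_ref(raw: str) -> ImageRef:
    """Split [registry/]repository[:tag][@digest] into its parts."""
    rest, _, digest = raw.partition("@")
    # A ':' after the final '/' is a tag; a ':' before it belongs to a registry port.
    slash, colon = rest.rfind("/"), rest.rfind(":")
    tag = None
    if colon > slash:
        rest, tag = rest[:colon], rest[colon + 1:]
    first, _, remainder = rest.partition("/")
    # Docker's rule: the first path component is a registry only if it looks like a host.
    if remainder and ("." in first or ":" in first or first == "localhost"):
        registry, repository = first, remainder
    else:
        registry, repository = DOCKER_HUB, rest
    return ImageRef(raw, registry, repository, tag, digest or None)


def check_image(raw: str) -> list[str]:
    """Return the policy violations for one image reference (empty list = compliant)."""
    ref = parse_image_ref(raw)
    problems = []
    if ref.registry not in ALLOWED_REGISTRIES:
        problems.append(f"registry {ref.registry!r} is not the company mirror")
    if ref.digest is None:
        if ref.tag in (None, "latest"):
            problems.append("floating tag ('latest' or none) and no digest")
        else:
            problems.append(f"tag {ref.tag!r} is not pinned by digest (tags can be overwritten)")
    elif not DIGEST_RE.fullmatch(ref.digest):
        problems.append("malformed digest")
    return problems


def images_from_dockerfile(text: str) -> list[str]:
    """Images pulled by FROM lines, ignoring earlier build-stage aliases and 'scratch'."""
    images, stages = [], set()
    for line in text.splitlines():
        m = FROM_RE.match(line)
        if not m:
            continue
        image, alias = m.group(1), m.group(2)
        if image != "scratch" and image not in stages:
            images.append(image)
        if alias:
            stages.add(alias)
    return images


def images_from_manifest(text: str) -> list[str]:
    """Line-based scan for `image:` keys in Kubernetes YAML (no YAML parser needed)."""
    return [m.group(1) for m in map(IMAGE_LINE_RE.match, text.splitlines()) if m]


def audit(images: list[str]) -> dict[str, list[str]]:
    """Map every image reference to its list of violations."""
    return {img: check_image(img) for img in images}


# Constructed sample inputs (not from the newsletter); digests are placeholders.
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
GOOD_DOCKERFILE = f"""
FROM registry.example.com/base/golang:1.22-alpine@{FAKE_DIGEST} AS build
WORKDIR /src
COPY . .
RUN go build -o /out/app .

FROM registry.example.com/base/distroless-static:nonroot@{FAKE_DIGEST}
COPY --from=build /out/app /app
ENTRYPOINT ["/app"]
"""
BAD_DOCKERFILE = """
FROM python:latest
FROM someuser/custom-nginx:1.2
"""
MANIFEST = f"""
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
        - name: api
          image: registry.example.com/app/api:2.3.1@{FAKE_DIGEST}
        - name: sidecar
          image: "nginx:1.25"
"""

if __name__ == "__main__":
    for label, images in (("good Dockerfile", images_from_dockerfile(GOOD_DOCKERFILE)),
                          ("bad Dockerfile", images_from_dockerfile(BAD_DOCKERFILE)),
                          ("manifest", images_from_manifest(MANIFEST))):
        for image, problems in audit(images).items():
            print(f"[{label}] {image}: {'OK' if not problems else '; '.join(problems)}")
```

Run as a pre-merge check over the repository's Dockerfiles and manifests; any non-empty violation list fails the build. The manifest scan is deliberately a line scan so the script has no dependencies, which also means it will not see images assembled from Helm values or Kustomize overlays; run it on the rendered output in that case.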
What other ways to improve the security of your images do you know? Let me know at andy@occamslabs.com
Links 🔗
Things I have been reading and tools I find useful.
A deeper dive into securing containerized environments.
Thank you for reading
If you found this newsletter useful please forward it to someone who might also get some value out of it. Let me know if you found something interesting to share, or have some feedback for the next issue at andy@occamslabs.com.
Have a fantastic day,
Andy