Managing and Securing Container Images in a Registry

There’s no doubt that cloud native services and practices boost developer productivity, and that’s a key reason why enterprises are turning to Kubernetes in droves. But as organizations put containerized applications into production, they quickly discover another fundamental truth: They need a secure way to store, scan, and sign their container images. A container image registry without management and security steeps your cloud native environment in risk.

Container Images and Inherent Risk

Why? Because container images present security challenges: Images can be built by layering other images, which can contain vulnerabilities, and those vulnerabilities can find their way into production systems. Defects and malware can also mar container images.

All these risks shift from possible to probable when the provenance of a container is dubious or unknown. Developers can also freely pull images from remote repositories of unknown trustworthiness. Although the portability of containers makes it easy to obtain an image and run it to solve an immediate problem, using untrusted images in haste can introduce malware into an environment, lead to a data breach, or expose a vulnerability. An image of unknown origin or with unknown base layers can contain malicious files.

To make matters worse, container images can be spoofed.

Insecure Registries Add Another Layer of Risk

The risk starts with insecure connectivity. Allowing connections to a registry over an insecure channel gives attackers a vector that can be exploited to expose proprietary services or embedded secrets, steal credentials, or send spoofed images to an orchestrator.

Another risk is that without vigilance, vulnerable versions of images can linger in the registry, leading to accidental use. Curating is key to keeping images scanned, patched, up to date, and signed as trusted.

The most important risk probably centers on inadequate authentication and access control. A compromised registry can lead to contaminated containers, intellectual property theft, and many other risks. Critical countermeasures include authentication with a standard directory service and role-based access control that applies the principle of least privilege and separation of duties.

Key Countermeasures for the Container Registry

  • Scan images for vulnerabilities by using the Common Vulnerabilities and Exposures (CVE) database.

  • Sign images as known and trusted by using a notary.

  • Set up secure, encrypted channels for connecting to the registry.

  • Authenticate users and control access by using existing enterprise accounts managed in a standard directory, such as Active Directory.

  • Tightly control access to the registry by using the principles of least privilege and separation of duties.

  • Enact policies that let users consume only those images that meet your organization's thresholds for vulnerabilities.

Harbor: A Secure Image Registry

Harbor is an open source private image registry hosted by the CNCF that scans, secures, and signs container images.

Harbor scans images for Common Vulnerabilities and Exposures (CVEs) with Clair to prevent container images with vulnerabilities from running in your data center.

Harbor integrates with Active Directory or LDAP and provides role-based access control so that you can securely store images behind your firewall.

Harbor signs images as trusted by using Notary. You can also set policies that prevent vulnerable or untrusted images from being used in production.

Vulnerability Scanning

Containers often use base images of operating systems like Ubuntu and CentOS from a public image repository, such as Docker Hub. The packages of an operating system and the applications on it, however, can contain vulnerabilities.

Traditionally, IT operations would patch operating systems on a regular basis, but with cloud-native work streams, IT operations does not manage base images and other packages. Instead, developers select them on demand as they build or extend an application.

Vulnerability scanning helps prevent the exploitation of known vulnerabilities and reduces the risk of security breaches. Identifying a vulnerability of an image and keeping the vulnerability from going into production reduces the attack surface of a containerized application.

The Harbor image registry scans images with Clair to help prevent images with known vulnerabilities from running in your data center. With Harbor, you can automate the scanning of images or scan them manually.

Clair is an open source project that statically analyzes containers to render vulnerabilities transparent. Clair works by continuously importing metadata about vulnerabilities from various sources, including Common Vulnerabilities and Exposures (CVEs), and storing the metadata in a database. When Harbor scans an image, Harbor checks the database through the Clair API and produces a list of vulnerabilities.

As a cloud administrator, you can control the vulnerability level of images you deploy. Vulnerabilities are classified as high, medium, low, or unknown, and Harbor reports the severity of each finding. You can also restrict the images deployed to an endpoint to only those that have been signed by the Notary in Harbor.

Establishing Content Trust with Notary

Because images are the building blocks of a containerized application, a security best practice is to use signed container images from a trusted registry. Harbor establishes trust by letting publishers sign images when they push them into the repository and by preventing unsigned images from being pulled from the repository.

The Notary services of the Harbor private registry can furnish project-level content trust to container images to ensure that only trusted images are used as developers create their own layered images, automate the building of a container, or select images for use as the building blocks of an application.
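The two project-level gates described above (a severity threshold for scanned vulnerabilities, and a content-trust requirement that blocks unsigned images) can be modelled as a small policy check. The following is an added example, not Harbor's own code; the severity ladder follows the article, the policy fields and the sample images and CVE identifiers are constructed placeholders.

```python
"""Policy gate modelled on the Harbor project settings the article describes:
an image may be pulled only if it is signed by Notary and its worst scanned
vulnerability stays below the project's severity threshold."""
from dataclasses import dataclass, field

# Severity ladder as listed in the article. "unknown" ranks lowest so it never
# trips the threshold on its own, but it is surfaced separately as a warning.
SEVERITY_RANK = {"unknown": 0, "low": 1, "medium": 2, "high": 3}

@dataclass
class ProjectPolicy:          # hypothetical model of a project's policy, not Harbor's API
    prevent_vulnerable: bool     # block pulls of images at or above the threshold
    severity_threshold: str      # "low", "medium" or "high"
    require_content_trust: bool  # block pulls of images that are not signed

@dataclass
class ImageRecord:
    name: str
    signed: bool                 # whether a Notary signature exists for the tag
    vulnerabilities: list = field(default_factory=list)  # (cve_id, severity) pairs

def worst_severity(vulns):
    """Highest-ranked severity in a scan result, or None for a clean image."""
    if not vulns:
        return None
    return max((sev for _, sev in vulns), key=lambda s: SEVERITY_RANK[s])

def evaluate_pull(policy, image):
    """Return (allowed, reasons, warnings); the two gates are independent."""
    reasons, warnings = [], []
    if policy.require_content_trust and not image.signed:
        reasons.append("image is not signed by Notary")
    if policy.prevent_vulnerable:
        worst = worst_severity(image.vulnerabilities)
        if worst and SEVERITY_RANK[worst] >= SEVERITY_RANK[policy.severity_threshold]:
            reasons.append(f"severity {worst} reaches threshold {policy.severity_threshold}")
        unknown = [cve for cve, sev in image.vulnerabilities if sev == "unknown"]
        if unknown:
            warnings.append(f"{len(unknown)} finding(s) with unknown severity need review")
    return (not reasons, reasons, warnings)

# Constructed sample data with placeholder CVE ids (not real identifiers).
SAMPLE_POLICY = ProjectPolicy(True, "high", True)
SAMPLE_IMAGES = [
    ImageRecord("library/ubuntu:16.04", True, [("CVE-0000-0001", "high"), ("CVE-0000-0002", "low")]),
    ImageRecord("app/web:1.0", False, [("CVE-0000-0003", "medium")]),
    ImageRecord("app/api:2.1", True, [("CVE-0000-0003", "medium"), ("CVE-0000-0004", "unknown")]),
]

def gate_all(policy=SAMPLE_POLICY, images=SAMPLE_IMAGES):
    """Evaluate every image against the policy, keyed by image name."""
    return {img.name: evaluate_pull(policy, img) for img in images}

if __name__ == "__main__":
    for name, (ok, why, warn) in gate_all().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} {'; '.join(why + warn)}")
```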

Image and Registry Security in the Software Development Pipeline

Harbor works in the context of a development pipeline to manage and secure container images. Here's a diagram that illustrates Harbor's role in a cloud native pipeline:
