Places like quay.io provide an analysis of known vulnerabilities for the container images they host. How can I connect that to my deployed software in Kubernetes? In other words, I want a process that will periodically:
By analogy, we can do this at the OS level by using built-in tools or external things like Nessus. I've found plenty of tools that can do a static analysis of container images; that's like the CVE database of .apt packages. How do I apply that list of image vulnerabilities to a running system?
I've found plenty of tools that can do a static analysis of container images;
That is the preferred approach indeed.
As an alternative to connecting to running containers and getting their image (which docker inspect might give you: docker inspect --format='{{.Config.Image}}' $INSTANCE_ID), you might consider:
That is what Antonio Murdaca (Senior Engineer at Red Hat Inc., one of the CRI-O guys and a Docker (Moby) Core Maintainer) describes in "Secure your Kubernetes production cluster".
digitally sign a container image with a GPG key generating its detached signature, put the signature where it can be retrieved and verified and finally validate it when someone requests the image back on a host.
The story behind all this is pretty simple: if the signature for a given image is valid, the node is allowed to pull the image and run your container with it. Otherwise, your node rejects the image and fails to run your container.
That way, you only allow running containers whose image has been pre-validated.
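The first half of the answer (find out which images are actually running, then look them up in the scan results) can be scripted. The following is an added example, not code from the question, the answer or quay.io: it assumes the cluster state comes from `kubectl get pods -A -o json` and that the image-analysis service exports a report keyed by image digest. Both inputs are constructed samples embedded in the script, the report format is hypothetical, and the CVE id is a placeholder. Matching is done on the digest reported in `containerStatuses.imageID` rather than on the tag, because a tag such as `:latest` can point at a different image tomorrow.

```python
"""Match the images of running Kubernetes pods against a vulnerability report.

Added example. Inputs below are constructed samples; the report format is a
hypothetical one, not the real API shape of quay.io or any other scanner.
"""
import json
from collections import defaultdict

# Constructed sample: the shape `kubectl get pods -A -o json` returns, cut down
# to the fields used here. imageID carries the digest that was actually pulled.
SAMPLE_PODS_JSON = json.dumps({
    "items": [
        {"metadata": {"namespace": "web", "name": "frontend-7d9c-abcde"},
         "status": {"containerStatuses": [
             {"name": "nginx",
              "image": "quay.io/example/frontend:1.4",
              "imageID": "docker-pullable://quay.io/example/frontend@sha256:aaaa0000"}]}},
        {"metadata": {"namespace": "batch", "name": "worker-5f6b-xyz12"},
         "status": {"containerStatuses": [
             {"name": "worker",
              "image": "quay.io/example/worker:latest",
              "imageID": "docker-pullable://quay.io/example/worker@sha256:bbbb1111"},
             {"name": "sidecar",
              "image": "quay.io/example/sidecar:2.0",
              "imageID": "docker-pullable://quay.io/example/sidecar@sha256:cccc2222"}]}},
    ]
})

# Constructed sample: findings per image digest (hypothetical scanner output).
SAMPLE_VULN_REPORT = {
    "sha256:aaaa0000": [
        {"id": "CVE-EXAMPLE-0001", "severity": "High", "package": "openssl"},
        {"id": "CVE-EXAMPLE-0002", "severity": "Low", "package": "zlib"},
    ],
    "sha256:bbbb1111": [],
    # sha256:cccc2222 is deliberately absent: an image nobody has scanned.
}

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def digest_of(image_id):
    """Return the registry digest from a containerStatuses.imageID value.

    Returns None when no '@digest' part is present, e.g. for an image loaded
    locally that was never pulled from a registry and so cannot be matched.
    """
    if "@" not in image_id:
        return None
    return image_id.rsplit("@", 1)[1]


def running_images(pods_json):
    """Map each running image digest to the (namespace, pod, container) using it."""
    where = defaultdict(list)
    for pod in json.loads(pods_json)["items"]:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        for cs in pod["status"].get("containerStatuses", []):
            digest = digest_of(cs.get("imageID", ""))
            if digest is None:
                continue
            where[digest].append((ns, name, cs["name"]))
    return dict(where)


def vulnerable_workloads(pods_json, report, min_severity="High"):
    """Return (namespace, pod, container, digest, [finding ids]) for each running
    container whose image has findings at or above min_severity."""
    threshold = SEVERITY_RANK[min_severity]
    hits = []
    for digest, places in running_images(pods_json).items():
        ids = [f["id"] for f in report.get(digest, [])
               if SEVERITY_RANK.get(f["severity"], 0) >= threshold]
        if not ids:
            continue
        for ns, pod, container in places:
            hits.append((ns, pod, container, digest, ids))
    return hits


def unscanned_digests(pods_json, report):
    """Digests running in the cluster for which the report has no entry at all;
    these are blind spots, not clean images."""
    return sorted(d for d in running_images(pods_json) if d not in report)


if __name__ == "__main__":
    for ns, pod, container, digest, ids in vulnerable_workloads(SAMPLE_PODS_JSON, SAMPLE_VULN_REPORT):
        print(f"{ns}/{pod} [{container}] {digest}: {', '.join(ids)}")
    for digest in unscanned_digests(SAMPLE_PODS_JSON, SAMPLE_VULN_REPORT):
        print(f"not in report: {digest}")
```

Run it periodically (a CronJob with a read-only service account that can list pods is enough) and alert on both lists: the first is the set of workloads to patch or redeploy, the second tells you which images never went through the scanner at all.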