Oracle Container Image Scanning, Signing, and Verification
Introduction
Oracle Cloud Infrastructure (OCI) supports container image scanning, signing, and verification. Together, these capabilities help you secure your cloud-native software deployments.
Imagine a software development team working to deliver a business-critical application that processes sensitive data. A developer commits code to a continuous integration and continuous delivery (CI/CD) tool, kicking off a build process. The CI/CD tool then pushes the newly built container image to an Oracle Cloud Infrastructure Registry (OCIR) repository, and when ready, the new image is deployed to a production OCI Container Engine for Kubernetes (OKE) cluster.
While this sounds like a reasonable CI/CD process, it is missing a few key steps. To ship compliant and secure containers, administrators need to be able to ensure that container images:
- Are free of known critical vulnerabilities that can either cause an accidental system failure or result in malicious activity.
- Have not been modified since they were published; any such change compromises their integrity.
- Are deployed to a Kubernetes cluster only when the administrators are satisfied that the images come from a trusted source.
OCI Container Image Scanning, Signing, and Verification address all three of these secure container deployment needs.
Scanning images
OCI Registry enables users or systems to push container images to repositories. You can now enable scanning of container images stored in OCI Registry for security vulnerabilities published in the publicly available Common Vulnerabilities and Exposures (CVE) database. Once scanning is enabled for a repository, the OCI Vulnerability Scanning service scans any image you push into the repository as well as images that are already present, and it automatically rescans the repository when new vulnerabilities are published. For every scanned image, you can view the scan results, the risk level for each scan, and the description of each vulnerability, along with a link to the corresponding CVE database entry.
Signing and verifying images
To detect whether an image has been modified after being pushed, you can now sign an image in OCI Registry using an asymmetric master encryption key stored in OCI Vault. The signature covers the image content, so you can view the signatures on an image and verify them later: a signature that still verifies under the key confirms that the image's integrity has not been compromised, while a verification failure means either the content changed or the signature was not produced by that key.
Finally, you can configure OCI Container Engine for Kubernetes with a cluster-specific policy that allows only container images in OCI Registry that have been signed by a particular master encryption key to be deployed to the cluster. Images that carry no signature, or no signature that verifies under one of the keys named in the policy, are denied.
Bringing it all together
With all of these tools working together, users or systems can be confident that only scanned, signed images from a trusted source are deployed to their mission-critical Kubernetes clusters. Imagine the previously mentioned software development team adopts OCI Container Image Scanning, Signing, and Verification. Once a developer commits code, a build process is kicked off and their CI/CD tool pushes the newly built container image to an OCIR repository with scanning enabled:
- OCI Vulnerability Scanning service scans the image upon ingestion.
- A security administrator reviews the scan results and the risk level of the findings.
- After determining that the findings are acceptable, they sign the image with an asymmetric key stored in the OCI Vault service.
- A Kubernetes administrator configures a policy requiring all images deployed to the production cluster to be signed by the security administrator’s key.
- A developer deploys a manifest to the Kubernetes cluster that references the container image. Because the image carries a signature that verifies under the key named in the policy, the image is successfully deployed to the cluster.
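The following script is an added example, not Oracle's code and not an OCI CLI transcript. It models the scan-gate, sign, and verify-by-policy flow from the two sections above locally with openssl: a locally generated RSA key stands in for the asymmetric key that would live in OCI Vault (in OCI the private key never leaves the service), a second locally generated key plays an untrusted signer, and the scan report, image manifest, and CVE identifiers are constructed placeholder data rather than real scanner output. The signing algorithm (RSA-PSS with SHA-256) is one that OCIR accepts; everything else about file names and report format is an assumption of this example.

```shell
#!/bin/sh
# Added example (not Oracle's code): scan gate -> sign digest -> admit only if
# the signature verifies under a key the cluster policy trusts.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for the OCI Vault asymmetric key. In OCI the private half never
# leaves Vault; here it is a local file so the example runs offline.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/trusted.pem" 2>/dev/null
openssl pkey -in "$WORK/trusted.pem" -pubout -out "$WORK/trusted.pub" 2>/dev/null
# A second key that no cluster policy trusts (an "untrusted source").
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/rogue.pem" 2>/dev/null

# Constructed scan reports, one "CVE-ID SEVERITY" finding per line.
# The CVE identifiers are placeholders, not real CVE entries.
cat > "$WORK/scan_clean.txt" <<'EOF'
CVE-0000-0001 MEDIUM
CVE-0000-0002 LOW
EOF
cat > "$WORK/scan_bad.txt" <<'EOF'
CVE-0000-0003 CRITICAL
CVE-0000-0004 LOW
EOF

# Constructed image manifests: the original and a tampered copy.
printf '{"schemaVersion":2,"config":"app-v1","layers":["l1","l2"]}' > "$WORK/manifest.json"
printf '{"schemaVersion":2,"config":"app-v1-backdoored","layers":["l1","l2"]}' > "$WORK/tampered.json"

# Step 1 (security administrator): refuse to sign if any finding is CRITICAL.
scan_acceptable() { # $1 = scan report; exit 0 when no CRITICAL finding
    ! grep -q ' CRITICAL$' "$1"
}

# An image is identified by the SHA-256 digest of its manifest, as in a registry.
image_digest() { # $1 = manifest file; prints hex digest
    openssl dgst -sha256 "$1" | awk '{print $NF}'
}

# Step 2: sign the digest (not the raw bytes) with RSA-PSS/SHA-256, so the
# signature is bound to the content-addressed identity of the image.
sign_image() { # $1 = manifest, $2 = private key, $3 = signature output file
    image_digest "$1" | tr -d '\n' > "$WORK/sign_digest.txt"
    openssl dgst -sha256 -sigopt rsa_padding_mode:pss -sign "$2" \
        -out "$3" "$WORK/sign_digest.txt"
}

# Step 3 (cluster policy): admit only if the signature verifies under one of
# the trusted public keys. Both a changed digest and an untrusted signer fail.
TRUSTED_KEYS="$WORK/trusted.pub"
admit_image() { # $1 = manifest, $2 = signature; exit 0 = admit, 1 = deny
    image_digest "$1" | tr -d '\n' > "$WORK/verify_digest.txt"
    for pub in $TRUSTED_KEYS; do
        if openssl dgst -sha256 -sigopt rsa_padding_mode:pss -verify "$pub" \
               -signature "$2" "$WORK/verify_digest.txt" >/dev/null 2>&1; then
            return 0
        fi
    done
    return 1
}

# Walk the pipeline once with the constructed data.
scan_acceptable "$WORK/scan_clean.txt" && echo "scan: no critical findings, image may be signed"
scan_acceptable "$WORK/scan_bad.txt"   || echo "scan: critical finding, signing refused"
sign_image "$WORK/manifest.json" "$WORK/trusted.pem" "$WORK/manifest.sig"
sign_image "$WORK/manifest.json" "$WORK/rogue.pem"   "$WORK/rogue.sig"
admit_image "$WORK/manifest.json" "$WORK/manifest.sig" && echo "admitted: signed by trusted key"
admit_image "$WORK/tampered.json" "$WORK/manifest.sig" || echo "denied: content changed since signing"
admit_image "$WORK/manifest.json" "$WORK/rogue.sig"    || echo "denied: signed by an untrusted key"
```

The three denial paths are the ones the policy in the text is meant to catch: the image has a critical finding, the image was modified after signing (its digest no longer matches what was signed), or the signature comes from a key the cluster does not trust. In OCI the same decisions are made by the Vulnerability Scanning service, by OCI Registry with a Vault key, and by the OKE cluster's image policy respectively, with the policy identifying trusted keys by their Vault key rather than by a local public key file.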
Want to know more?
To learn more or get hands-on, use the following resources:
- Learn about OCI Registry Image Scanning
- Learn about OCI Registry Image Signing
- Learn about Fully Private Kubernetes clusters and Enforcing the Use of Signed Images.
- Learn about Oracle Cloud Infrastructure Registry
- Learn about Oracle Cloud Infrastructure Vault.
- Access OKE resource center for product details and testimonials.
- Get started with Oracle Cloud Infrastructure today with our Oracle Cloud Free Tier.
Originally published on blogs.oracle.com