Using image scanning to make our environments safer
At YOOX NET-A-PORTER GROUP, we build and deploy thousands (literally!) of containers daily. To keep our Kubernetes environments safe, we strive to follow best practices. However, securing Docker containers is a broad topic.
We follow best practices such as never running containers as root, only building on official base images, and reducing the attack surface by leaving out packages we do not need. On top of that, we enabled image security scanning in AWS ECR.
With scan-on-push enabled on our repositories, every image is scanned as it is pushed. But a scan nobody reads protects nothing: unless we force everyone to check the scanning results, we need a way to be sure we do not deploy images with known vulnerabilities into our environments.
We don’t like to rely on manual processes and in the SRE team we are big on automating and monitoring everything.
So that’s why we created a small Go application called k8s-radar, a simple tool that, for a given list of images, automatically fetches and reports the vulnerabilities found by our image scanning service. We can then plug those results into our monitoring tools, chat or our deployment pipelines. Let’s take a look at what this looks like in practice.
We run k8s-radar daily across our environments and report the results back to Slack, so everyone is aware when a new issue is found.
But, of course, we do not want to wait until the image is already running somewhere to report vulnerabilities, so we plugged k8s-radar into our deployment pipelines. If k8s-radar finds a vulnerability in one of the images that are about to be deployed, the job fails and the deploy does not happen.
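To make the two uses above concrete (a per-image report, and a pipeline gate that fails the job), here is an added Go example written for this post; it is not k8s-radar's own code and does not call AWS. It assumes a small `Scanner` interface standing in for ECR's `DescribeImageScanFindings` call, a severity threshold (the post does not say which severities k8s-radar treats as blocking; "HIGH" and above is an assumption), and constructed sample findings whose names, packages, account ID, region and repository names are placeholders, not real CVEs or real repositories. Unlike the post, it also handles the cases a practitioner cares about: the registry host is stripped from the image reference before querying, digest references are accepted, an unknown severity such as `UNDEFINED` blocks rather than being ignored, and an image with no scan result is an error rather than a pass.

```go
package main

import (
	"fmt"
	"log"
	"strings"
)

// Finding is one scanner vulnerability; Severity uses ECR's names (INFORMATIONAL, LOW, MEDIUM, HIGH, CRITICAL, UNDEFINED).
type Finding struct{ Name, Package, Severity string }

// ImageRef is what the ECR API wants: a repository name plus a tag or digest.
type ImageRef struct{ Repo, Tag, Digest string }

// Scanner abstracts the registry call; ECR's DescribeImageScanFindings would back it in a real tool.
type Scanner interface {
	Findings(ref ImageRef) ([]Finding, error)
}

// severityRank orders ECR severities so they can be compared to a threshold.
var severityRank = map[string]int{"INFORMATIONAL": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

// ParseImageRef turns "host/repo/name:tag" or "host/repo/name@sha256:..." into an ImageRef,
// dropping the registry host (a first path component containing "." or ":"); no tag means "latest".
func ParseImageRef(image string) (ImageRef, error) {
	name := image
	if i := strings.Index(name, "/"); i >= 0 && strings.ContainsAny(name[:i], ".:") {
		name = name[i+1:]
	}
	var ref ImageRef
	if i := strings.Index(name, "@"); i >= 0 {
		ref.Repo, ref.Digest = name[:i], name[i+1:]
	} else if i := strings.LastIndex(name, ":"); i > strings.LastIndex(name, "/") {
		ref.Repo, ref.Tag = name[:i], name[i+1:]
	} else {
		ref.Repo, ref.Tag = name, "latest"
	}
	if ref.Repo == "" || (ref.Tag == "" && !strings.HasPrefix(ref.Digest, "sha256:")) {
		return ImageRef{}, fmt.Errorf("%q: malformed image reference", image)
	}
	return ref, nil
}

// Check fetches findings for every image and returns, per image, those at or above
// minSeverity (e.g. "HIGH"), plus whether any image should fail the job. It fails closed:
// an unknown threshold ranks 0 so everything blocks, a severity the ranking does not know
// (e.g. UNDEFINED) blocks, and a missing scan result is an error, never "clean".
func Check(images []string, s Scanner, minSeverity string) (map[string][]Finding, bool, error) {
	threshold := severityRank[strings.ToUpper(minSeverity)]
	blocking, blocked := map[string][]Finding{}, false
	for _, image := range images {
		ref, err := ParseImageRef(image)
		if err != nil {
			return nil, true, err
		}
		findings, err := s.Findings(ref)
		if err != nil {
			return nil, true, fmt.Errorf("%s: %w", image, err)
		}
		var bad []Finding
		for _, f := range findings {
			if rank, known := severityRank[f.Severity]; !known || rank >= threshold {
				bad = append(bad, f)
			}
		}
		blocking[image] = bad
		blocked = blocked || len(bad) > 0
	}
	return blocking, blocked, nil
}

// fakeScanner serves constructed findings keyed by "repo:tag" in place of ECR.
type fakeScanner map[string][]Finding
func (f fakeScanner) Findings(ref ImageRef) ([]Finding, error) {
	if findings, ok := f[ref.Repo+":"+ref.Tag]; ok {
		return findings, nil
	}
	return nil, fmt.Errorf("no scan results for %s:%s", ref.Repo, ref.Tag)
}

func main() {
	// Constructed sample data: placeholder account, region, repositories and finding names.
	scanner := fakeScanner{
		"team/api:1.4.0":    {{"EXAMPLE-0001", "openssl", "HIGH"}, {"EXAMPLE-0002", "curl", "LOW"}},
		"team/worker:2.0.1": {{"EXAMPLE-0003", "zlib", "MEDIUM"}},
	}
	registry := "123456789012.dkr.ecr.eu-west-1.amazonaws.com/"
	images := []string{registry + "team/api:1.4.0", registry + "team/worker:2.0.1"}
	blocking, blocked, err := Check(images, scanner, "HIGH")
	if err != nil {
		log.Fatalln("error:", err)
	}
	for _, image := range images {
		fmt.Printf("%s: %d blocking finding(s)\n", image, len(blocking[image]))
	}
	if blocked {
		log.Fatalln("refusing to deploy: blocking findings present") // non-zero exit fails the job
	}
}
```

Run as a pipeline step, the non-zero exit from `log.Fatalln` is what fails the job; for the daily Slack report you would print every image's findings instead of exiting. The two fail-closed choices are deliberate: a repository without scan results usually means scanning is not enabled or the push was too recent, and treating that as "clean" is exactly the gap the tool exists to close.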
We plan to make the k8s-radar run smoothly in a Kubernetes cluster and support more registries like Quay.io and are looking into the possibility of open-sourcing k8s-radar soon. Stay tuned for more!
If you are interested in this or in working with me on other technical solutions, you can reach out to me at gullwing.io.