A Secure Supply Chain for Kubernetes, Part 2

Staff - August 22, 2018 -

Mirantis Kubernetes Engine (formerly Docker Enterprise Edition) secures the software supply chain for Kubernetes just as it does for Docker Swarm: through a combination of vulnerability scanning and image promotion policies. In this post we take a closer look at another part of that solution, Docker Content Trust and image signing.
Combined with granular role-based access control (RBAC) and the secure clustering features of Docker EE, this gives organizations a container platform that is ready for the enterprise.

Restricting unverified Kubernetes content

As discussed in Part 1 of this blog post, organizations typically have a “supply chain” for how applications progress from a developer’s laptop to production, whether that is on-premises or in the cloud. For larger organizations, the team that handles QA and testing is not always the same team that develops the applications. There may also be a separate team that handles staging and pre-production before an application is pushed to production. Since an application can pass through several teams before it gets deployed, it’s important for organizations to be able to validate the source of the application.

Docker Content Trust lets individuals and teams sign an image with their own private keys. A signature binds the tag to the digest of the image manifest, so it gives proof of origin, authenticity and provenance for that exact content rather than for whatever the tag happens to point at later. With Docker EE configured to run only signed images, you can ensure that the images being deployed are the ones you trust and that they have not been altered, either in the image registry or on their way from the registry to your environment.

In the context of Kubernetes, this means that Docker EE will prevent any workloads from being deployed on the cluster if the underlying images used have not been signed by members of specific teams.

This can be used to enforce image signing at certain stages of your supply chain: when the developer checks in the initial image, when the QA team has completed testing, when the security and networking team has reviewed the app, etc. If an image has missed any of the required signatures, Docker EE will prevent it from being deployed. This allows operations teams to prevent unauthorized content from being deployed into Kubernetes.

Integrating Docker Content Trust into Your Automated Workflow

Image signing does not have to come from an individual or team. It can also be extended to authorized third-party tools, so that a signature indicates the image build came from an approved workflow. Docker EE makes this simple by letting you create and manage client bundles in the Docker EE UI. Each bundle carries a key pair generated by Docker EE; its private key can be loaded as a signing key by Continuous Integration (CI) tools such as Jenkins or GitLab, which then sign images as they are built and pushed to the repository. Learn more about using trusted images with Jenkins here.
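The two preceding sections describe a policy, "every stage must have signed, or the image does not run", and a CI signer that contributes one of those signatures. The following is an added example, not Docker EE's own enforcement code, of what such a deploy-time gate does with the trust data: it reads the output of `docker trust inspect` (the JSON here is a constructed sample in that command's shape; the registry name, signer names, digests and key IDs are invented), checks that the tag's signed digest carries every signature the hypothetical stage policy demands, and returns a digest-pinned reference for deployment. The `docker trust key load` / `signer add` / `sign` commands in the docstring are the standard Docker CLI steps a CI job would run beforehand with the client-bundle key.

```python
"""Deploy-time gate over Docker Content Trust data.

Admit an image only if the tag's signed digest carries every signature the
supply-chain policy requires, and hand back a digest-pinned reference so the
workload runs exactly the content that was signed.

Added example, not Docker EE's own enforcement code.  TRUST_DATA_JSON is a
constructed sample in the shape `docker trust inspect REPO:TAG` prints; a real
pipeline would feed that command's output in instead.  Signatures would have
been produced earlier in the chain with, for example:

    docker trust key load key.pem --name jenkins        # private key from a client bundle
    docker trust signer add --key cert.pem jenkins REPO # register the signer on the repo
    docker trust sign REPO:TAG                          # sign the pushed tag
"""
import json
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample; registry, signer names, digests and key IDs are invented.
# api:1.4.0 has been signed by dev, qa and security; api:1.5.0-rc1 only by dev.
TRUST_DATA_JSON = r'''
[
  {"Name": "registry.example.com/app/api:1.4.0",
   "SignedTags": [{"SignedTag": "1.4.0",
                   "Digest": "4f3c9c2b6a1e8d7f0b5a2c9d1e3f4a6b7c8d9e0f1a2b3c4d5e6f708192a3b4c5",
                   "Signers": ["dev", "qa", "security"]}],
   "Signers": [{"Name": "dev", "Keys": [{"ID": "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"}]},
               {"Name": "qa", "Keys": [{"ID": "1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90a"}]},
               {"Name": "security", "Keys": [{"ID": "2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90a1b"}]}],
   "AdministrativeKeys": [{"Name": "Root", "Keys": [{"ID": "3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c"}]},
                          {"Name": "Repository", "Keys": [{"ID": "4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"}]}]},
  {"Name": "registry.example.com/app/api:1.5.0-rc1",
   "SignedTags": [{"SignedTag": "1.5.0-rc1",
                   "Digest": "9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2b1a0f9e8d",
                   "Signers": ["dev"]}],
   "Signers": [{"Name": "dev", "Keys": [{"ID": "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"}]}],
   "AdministrativeKeys": []}
]
'''

# Hypothetical stage policies: which signatures each environment demands.
POLICY = {
    "dev": frozenset({"dev"}),
    "staging": frozenset({"dev", "qa"}),
    "production": frozenset({"dev", "qa", "security"}),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    pinned_ref: Optional[str] = None  # REPO@sha256:DIGEST when allowed


def gate(trust_json: str, image_ref: str, required_signers: FrozenSet[str]) -> Decision:
    """Decide whether image_ref (REPO:TAG) may be deployed under the policy.

    Denies on: a reference without a tag, no trust data for the tag (unsigned
    content), a malformed digest, or any required signer missing from the set
    that signed the tag's digest.
    """
    repo, sep, tag = image_ref.rpartition(":")
    if not sep or "/" in tag:  # no tag at all, or the ':' was a registry port
        return Decision(False, f"{image_ref}: reference must be REPO:TAG")
    entry = next((e for e in json.loads(trust_json) if e.get("Name") == image_ref), None)
    if entry is None:
        return Decision(False, f"{image_ref}: no trust data (unsigned repository or tag)")
    signed = [t for t in entry.get("SignedTags", []) if t.get("SignedTag") == tag]
    if len(signed) != 1:
        return Decision(False, f"{image_ref}: expected one signed entry for tag, found {len(signed)}")
    digest = signed[0].get("Digest", "")
    if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
        return Decision(False, f"{image_ref}: malformed digest in trust data")
    present = set(signed[0].get("Signers", []))
    missing = required_signers - present
    if missing:
        return Decision(False, f"{image_ref}: missing signatures from {sorted(missing)}")
    # Pin to the signed digest, never to the mutable tag.
    return Decision(True, f"signed by {sorted(present)}", f"{repo}@sha256:{digest}")


def admit(image_ref: str, stage: str, trust_json: str = TRUST_DATA_JSON) -> Decision:
    """Apply the policy for a deployment stage to one image reference."""
    return gate(trust_json, image_ref, POLICY[stage])


if __name__ == "__main__":
    for ref, stage in [("registry.example.com/app/api:1.4.0", "production"),
                       ("registry.example.com/app/api:1.5.0-rc1", "production"),
                       ("registry.example.com/app/api:1.5.0-rc1", "staging"),
                       ("registry.example.com/app/api:1.5.0-rc1", "dev"),
                       ("registry.example.com/app/api:2.0.0", "dev")]:
        d = admit(ref, stage)
        print(f"{stage:<10} {ref:<42} {'ALLOW' if d.allowed else 'DENY '} {d.pinned_ref or d.reason}")
```

Because the gate hands back `REPO@sha256:DIGEST` rather than the tag, a tag that is re-pointed at different content after signing cannot slip through. The obvious next hardening step, left out here to keep the example short, is to tie each required signer name to an expected key ID from the `Signers` list, so that a signer name alone is not enough.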

Docker EE helps you deliver safer applications by securing your software supply chain. No matter what type of applications you are containerizing (legacy, cloud native, or microservices), the stack it is built for (Windows or Linux), or where it will be deployed (on-prem or the cloud), image vulnerability scanning, automated image promotions, and image signing all give you the ability to enforce a common workflow for the governance and automation of your application delivery process.
