Certified Kubernetes Security Specialist (CKS) Preparation Part 7 — Supply Chain Security

If you have not yet checked the previous parts of this series, please go ahead and check Part1, Part2, Part3, Part4, Part5 and Part6.

In this article, I would focus on the preparation around supply chain security in CKS certification exam.

Docker Image Management

To be honest, I have never really gotten familiar with Docker image as I seldom get the chance to go to that stage of the pipeline. However, in this exam, we would need to have the general idea of how Docker image works and what would be the practice of making this process safe and efficient.

Basically, the two principles below are for reducing Docker image size. This article provides great explanation around this.

  • Light-weight Image as base
  • Multi-stage Build

In practice, we could test buy creating a container running with original Docker file and we are seeing the image consists around 690 MB.

If we apply the 2 principles above,

we would see Docker image size being hugely reduced. Mainly, this is because from the second stage (stage 1), it just acquires that components needed from the first stage (stage 0) and that removes a lot of unnecessary files.

With 4 principles below, we could make Docker image more secure.

  • Use specific package versions
  • Do not run as root
  • Make file system read only
  • Remove shell access

Make sure the Docker image still runs after updating the Dockerfile.

Image Security — Trivy

Since we would be running all kinds of Docker image within containers (Pods), one extremely important thing is to ensure container images are always without security concern. Trivy was developed for this sole purpose and it is extremely easy to use.

Trivy could be installed through OS and run as a service or simply run the service inside a Docker container. General guidance on Trivy commands to scan container images. In this article, we would run Trivy inside a Docker container.

docker run ghcr.io/aquasecurity/trivy:latest image nginx

Search container images with CRITICAL severity.

docker run ghcr.io/aquasecurity/trivy:latest image nginx | grep CRITICAL

Once we get the details on container image vulnerability, we could look it up in the national vulnerability database.

Maybe we could take a look at the container images kube-apiserver is using.

- kubectl get pods -n kube-system | grep api
- kubectl get pods kube-apiserver-cks-master -n kube-system -o yaml | grep image
docker run ghcr.io/aquasecurity/trivy:latest image k8s.gcr.io/kube-apiserver:v1.20.2

At the end of the day, please ensure all services and applications are running on container images with no major security concerns.

Image Policy Webhook

Image Policy Webhook is the connecting piece of letting backend admission controller to go through external server for checking image security and integrity before making any CRUD operation on K8s clusters.

An admission controller is a piece of code that intercepts requests to the Kubernetes API server prior to persistence of the object, but after the request is authenticated and authorized. The controllers consist of the list below, are compiled into the kube-apiserver binary, and may only be configured by the cluster administrator. In that list, there are two special controllers: MutatingAdmissionWebhook and ValidatingAdmissionWebhook. These execute the mutating and validating (respectively) admission control webhooks which are configured in the API.

— Quoted from here

First, we add “ImagePolicyWebhook” at the end of admission plugins.

sudo nano /etc/kubernetes/manifests/kube-apiserver.yaml

Configure host path to ensure Image Policy Webhook could actually get to the directory holding admission configuration files.

After setting kube-apiserver to point to the right path for setting up admission configuration, please head over to that specific folder and file. The information within the file should show how Image Policy would be operating on this cluster.

We notice there is K8s configuration setup, which is for admission controller to have corresponding credentials to communicate with external image-checking server and kube-apiserver.

After setup everything correctly, if we try to deploy an image without security-compliant container image, we should be error messages similar to below

Error from server (Forbidden): pods "test" is forbidden: Post "https://xxxx:xxxx/xxxx?timeout=30s": dial tcp:....

For more details on how to setup and what to setup in Image Policy Webhook, please check this section of the official documentation.

That briefly covers the how to avoid having vulnerable container image in K8s cluster. One thing I did not include in this article is using Open Policy Agent (OPA) for only using whitelisted container images for deploying applications/services, because I think if you have followed this series, you already have a general idea on how to setup that in OPA! Happy learning!

Learning new things about Kubernetes every day. Hopefully, the learning notes could help people on the same journey!