Chapter 6. Supply Chain Security

Earlier chapters primarily focused on securing the Kubernetes cluster and its components, the OS infrastructure used to run cluster nodes, and the operational aspects of running workloads on a cluster node from existing container images. This chapter takes a step back and drills into the process, best practices, and tooling for designing, building, and optimizing container images.

Sometimes, you do not want to create your own container image but instead consume an existing one produced by a different team or company. Scanning container images for known vulnerabilities, manually or in an automated fashion, should be part of your vetting process before using them to run your workload. We’ll talk through the options relevant to the CKS exam for identifying, analyzing, and mitigating security risks in pre-built container images.

At a high level, this chapter covers the following concepts:

  • Minimizing base image footprint

  • Securing the supply chain

  • Using static analysis of user workload

  • Scanning images for known vulnerabilities

Minimizing the Base Image Footprint

The process for building a container image looks straightforward on the surface; however, the devil is often in the details. Someone new to the topic may not realize that a container image should not be unnecessarily large, should not ship with known vulnerabilities, and should be structured so that container layer caching works in its favor. We’ll address all of those aspects in the course ...
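The following Dockerfile illustrates the three points above in one file. It is an added example, not code from the CKS Study Guide, and it assumes a hypothetical Go service whose entry point lives at ./cmd/server with a go.mod and go.sum at the repository root; the image and stage names are likewise assumptions. The first stage shows the common mistake (a single-stage build on a full toolchain image, source copied before dependencies are fetched, process running as root); the final image is what a minimal, cache-friendly build looks like.

```dockerfile
# syntax=docker/dockerfile:1
# Added example for the CKS Study Guide chapter on supply chain security.
# Assumption: a Go service at ./cmd/server with go.mod/go.sum in the build context.

# --- Stage "bloated": how NOT to do it -------------------------------------
# Build it for comparison with: docker build --target bloated -t app:bloated .
# Problems:
#   * The final image carries the whole Go toolchain, apt packages, and the
#     build cache, which means hundreds of MB of attack surface and CVEs that
#     the running service never needs.
#   * "COPY . ." happens before dependencies are downloaded, so any source
#     change invalidates the cached module layer and re-downloads everything.
#   * No USER instruction: the service runs as root inside the container.
FROM golang:1.21 AS bloated
WORKDIR /app
COPY . .
RUN go build -o /app/server ./cmd/server
CMD ["/app/server"]

# --- Stage "build": compile in a throwaway stage ---------------------------
FROM golang:1.21 AS build
WORKDIR /src
# Copy only the dependency manifests first. The "go mod download" layer is
# reused from cache until go.mod or go.sum change, regardless of source edits.
COPY go.mod go.sum ./
RUN go mod download
# Now copy the rest of the source; only the layers from here on rebuild
# on a code change.
COPY . .
# Static, stripped binary so the runtime image needs no libc or shell.
RUN CGO_ENABLED=0 GOOS=linux go build -trimpath -ldflags="-s -w" \
    -o /out/server ./cmd/server

# --- Final image: minimal footprint ----------------------------------------
# Build it with: docker build -t app:slim .
# distroless "static" contains only CA certificates, tzdata, and a passwd
# entry for the nonroot user: no shell, no package manager, nothing to scan
# except what you put in it.
FROM gcr.io/distroless/static-debian12:nonroot
COPY --from=build /out/server /server
# Drop privileges; the nonroot user is predefined in the distroless image.
USER nonroot:nonroot
ENTRYPOINT ["/server"]
```

After building both targets, `docker image ls app` shows the size difference and `docker history app:slim` shows that the runtime image consists of the distroless base plus a single binary layer. The same split applies to other languages: compile or install dependencies in a build stage, then copy only the runtime artifacts into a base image that carries no compiler, shell, or package manager.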
