Chapter 5. Securing Your Container Images

Until now, we’ve been discussing things mainly from the point of view of a Kubernetes cluster administrator. Going forward, we’ll switch gears and focus more on developers, operators, or even DevOps teams who want to deploy code to run on the cluster.

The software that you run in your Kubernetes cluster gets there in the form of container images. In this chapter, we’ll discuss how to check that your images:

  • Don’t include known critical vulnerabilities

  • Are the images you intended to use, and haven’t been manipulated or replaced by a third party

  • Meet other image policy requirements your organization might have in place

Scanning Container Images

To detect vulnerabilities, you need a container image scanner. The basic function of an image scanner is to inspect the packages included in an image and report any known vulnerabilities in those packages. At a minimum, this covers the packages installed through the distribution's package manager (yum or apt, depending on the OS distribution), which the scanner enumerates from the package database the image carries. Some scanners may also ...
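As an added example (not the book's own code), the following Python sketch shows the mechanics the paragraph describes: it reads the package inventory a Debian-based image carries in /var/lib/dpkg/status, compares each installed version against a vulnerability feed using dpkg's version-ordering rules, and turns the findings into an admit/deny decision. The status excerpt, the feed and its advisory identifiers are all constructed for the illustration; the status-file layout and the version comparison algorithm are dpkg's own.

```python
# Minimal package-level image scanner: an added illustration, not the book's code.
# Assumed (not from the page): a Debian-based image whose installed-package list is
# /var/lib/dpkg/status in its root filesystem, and a feed giving fixed-in versions in the
# distribution's own numbering. Both inputs are constructed; advisory IDs are placeholders.
import re
from dataclasses import dataclass
from itertools import zip_longest

# Constructed dpkg status excerpt. libxml2 is "config-files" (removed, not purged).
SAMPLE_DPKG_STATUS = """\
Package: openssl
Status: install ok installed
Version: 1.1.1n-0+deb11u3

Package: curl
Status: install ok installed
Version: 7.74.0-1.3+deb11u7

Package: libxml2
Status: deinstall ok config-files
Version: 2.9.10+dfsg-6.7

Package: example-tool
Status: install ok installed
Version: 2.0~rc1-1
"""

@dataclass(frozen=True)
class Advisory:
    id: str        # placeholder identifier
    package: str
    fixed_in: str  # first distribution version that contains the fix
    severity: str

SAMPLE_FEED = [  # constructed feed
    Advisory("ADV-EXAMPLE-1", "openssl", "1.1.1n-0+deb11u4", "CRITICAL"),
    Advisory("ADV-EXAMPLE-2", "curl", "7.74.0-1.3+deb11u5", "HIGH"),
    Advisory("ADV-EXAMPLE-3", "libxml2", "2.9.10+dfsg-6.8", "HIGH"),
    Advisory("ADV-EXAMPLE-4", "example-tool", "2.0-1", "MEDIUM"),
]

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}

def parse_dpkg_status(text: str) -> dict[str, str]:
    """Return {package: version} for stanzas whose Status ends in 'installed'."""
    installed = {}
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(": ", 1) for line in stanza.splitlines()
                      if ": " in line and not line.startswith(" "))  # skip continuations
        if fields.get("Status", "").endswith(" installed"):
            installed[fields["Package"]] = fields["Version"]
    return installed

def _order(c: str) -> int:
    """dpkg character order: '~' before everything (even end), then letters, then symbols."""
    if c == "~":
        return -1
    return 0 if c == "" or c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256

def _verrevcmp(a: str, b: str) -> int:
    """Compare version fragments as dpkg does: alternating text runs and numeric runs."""
    runs_a, runs_b = re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b)
    for (sa, na), (sb, nb) in zip_longest(runs_a, runs_b, fillvalue=("", "")):
        for ca, cb in zip_longest(sa, sb, fillvalue=""):  # text run, char by char
            if _order(ca) != _order(cb):
                return _order(ca) - _order(cb)
        if int(na or 0) != int(nb or 0):  # numeric run as an integer, so 10 > 9
            return -1 if int(na or 0) < int(nb or 0) else 1
    return 0

def _split(v: str) -> tuple[int, str, str]:
    """Split 'epoch:upstream-revision'; epoch and revision are optional."""
    epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
    upstream, _, revision = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, revision

def compare_versions(a: str, b: str) -> int:
    """Debian version order: negative if a < b, 0 if equal, positive if a > b."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    return (ea - eb) or _verrevcmp(ua, ub) or _verrevcmp(ra, rb)

def scan(installed: dict[str, str], feed: list[Advisory]) -> list[tuple[Advisory, str]]:
    """Return (advisory, installed version) for each package older than its fix."""
    findings = []
    for adv in feed:
        version = installed.get(adv.package)  # None: absent, or not in 'installed' state
        if version is not None and compare_versions(version, adv.fixed_in) < 0:
            findings.append((adv, version))
    return findings

def admit(findings: list[tuple[Advisory, str]], threshold: str = "CRITICAL") -> bool:
    """Admission decision: True only if no finding is at or above the threshold."""
    return all(SEVERITY_RANK[adv.severity] < SEVERITY_RANK[threshold] for adv, _ in findings)

if __name__ == "__main__":
    results = scan(parse_dpkg_status(SAMPLE_DPKG_STATUS), SAMPLE_FEED)
    for adv, version in results:
        print(f"{adv.severity:<9}{adv.id:<15}{adv.package} {version} (fixed in {adv.fixed_in})")
    print("admit image:", admit(results))
```

Two points the sketch makes that matter in practice. First, the feed must state fixed-in versions in the distribution's own numbering: distributions backport fixes without bumping the upstream version, so matching against upstream version ranges produces false positives, while missing distribution data produces false negatives. Second, only software registered with the package manager is visible at this level; a statically linked binary or a vendored library copied into the image never appears in the dpkg database and so is never checked, and a package left in the config-files state (libxml2 above) is correctly not reported because its code is no longer present.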
