
Securing Your Infrastructure and Services During the Distribution Phase

Scan images, manifests, and sign the artifacts to ensure integrity and trust while distributing and deploying your services.

By Siri Varma Vegiraju · Apr. 21, 25 · Tutorial

In the previous article, we discussed how to incorporate security during the design phase of the software development life cycle. Some of the strategies included threat modeling, static analysis, and code reviews. Now it is time to move past the design phase to the distribution phase.


The distribution phase again involves three steps:

  • Static Analysis
  • Image and Manifest Scan
  • Signing

We already discussed static analysis, so we will go directly to image and manifest scanning and signing.

Image Scanning

One main criterion for services to run and scale in the cloud is to deploy them in containers, and containers are created from images. The images can in turn inherit from other base images and define dependencies. To keep our services secure, it is important to address vulnerabilities coming from all these places. For example:

Dockerfile
 
# Use official Python image as a base
FROM python:3.11-slim

# Set environment variables
ENV PYTHONDONTWRITEBYTECODE=1
ENV PYTHONUNBUFFERED=1

# Set work directory
WORKDIR /app

# Install dependencies
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Copy project files
COPY . .

# Run the app
CMD ["python", "app.py"]


In the Dockerfile above, the image is built on a Python base image. Then requirements.txt lists a set of packages that are installed with the pip command. So how do we make sure the base image and the dependencies being installed do not have critical or high vulnerabilities? We could use open-source tools like Trivy or Clair, which scan the image and notify us about possible vulnerabilities.

Screenshot after running the trivy.exe image scan on the container.


That output comes from building the image and running the trivy.exe image scan against it:

PowerShell
 
# Build the image, then scan the same tag
docker build -f .\Dockerfile.dockerfile -t myapp:latest .

.\trivy.exe image myapp:latest


In total, we have 1 high and critical vulnerability and 28 medium vulnerabilities. Normally, critical vulnerabilities are the ones that need immediate attention. You could configure your build to fail when there are serious vulnerabilities, because they could be exploited to infiltrate the services.

Another best practice for keeping the vulnerability count low is to limit the number of available base images. Simply put, the minimal base image approach recommends installing only the required dependencies and reducing the number of layers. As a result, you have fewer dependencies to deal with and less churn to impact your development lifecycle.

Manifest Scan

With the rise of Kubernetes workloads, configurations are defined in a manifest file. The configuration in the file acts as a source of truth for the Kubernetes control plane when it has to bring up the cluster or pods.

YAML
 
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.21
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 80
      targetPort: 80
  type: LoadBalancer


The above manifest file describes:

Deployment: 

  • Deploys 3 replicas of the Nginx container
  • Uses the nginx:1.21 image 
  • Exposes port 80 inside the pod

Service:

  • Selects pods labeled app: nginx
  • Exposes port 80 and forwards it to the pod's port 80 
  • Uses LoadBalancer to expose it externally

Running services as root without setting resource limits is considered dangerous, as a DDoS attack will drastically increase the container count and drive your infrastructure costs up. To identify such vulnerabilities, we could run a Trivy scan on the manifest file we previously discussed.

PowerShell
 
.\trivy.exe config .\k8.yaml


Each finding shows an identifier, a description, and where in the file it comes from. For example, AVD-KSV-0014 shown below recommends setting the readOnlyRootFilesystem flag to true so that nobody is able to write to the underlying file system.

Plain Text
 
AVD-KSV-0012 (MEDIUM): Container 'nginx' of Deployment 'nginx-deployment' should set 
'securityContext.runAsNonRoot' to true
════════════════════════════════════════
Force the running image to run as a non-root user to ensure least privileges.

See https://avd.aquasec.com/misconfig/ksv012
────────────────────────────────────────
 k8.yaml:16-19
────────────────────────────────────────
  16 ┌         - name: nginx
  17 │           image: nginx:1.21
  18 │           ports:
  19 └             - containerPort: 80
────────────────────────────────────────


AVD-KSV-0014 (HIGH): Container 'nginx' of Deployment 'nginx-deployment' 
should set 'securityContext.readOnlyRootFilesystem' to true
════════════════════════════════════════
An immutable root file system prevents applications from writing to their local disk.
This can limit intrusions, as attackers will not be able to tamper with the 
file system or write foreign executables to disk.

See https://avd.aquasec.com/misconfig/ksv014
────────────────────────────────────────
 k8.yaml:16-19
────────────────────────────────────────
  16 ┌         - name: nginx
  17 │           image: nginx:1.21
  18 │           ports:
  19 └             - containerPort: 80
────────────────────────────────────────


AVD-KSV-0015 (LOW): Container 'nginx' of Deployment 'nginx-deployment' should set 
'resources.requests.cpu'
════════════════════════════════════════
When containers have resource requests specified, the scheduler can make better
decisions about which nodes to place pods on, and how to deal with resource contention.

See https://avd.aquasec.com/misconfig/ksv015
────────────────────────────────────────
 k8.yaml:16-19
────────────────────────────────────────
  16 ┌         - name: nginx
  17 │           image: nginx:1.21
  18 │           ports:
  19 └             - containerPort: 80
────────────────────────────────────────


Scanning is an important phase in the distribution lifecycle as it ensures the artifacts being deployed or released to customers are secure and resilient against common cybersecurity and supply chain attacks.
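A build gate for the two scans above, as an added example (not code from the article or from Trivy): it reads the JSON that `trivy image` and `trivy config` write with `--format json` and fails the build on findings at or above a severity threshold, with an optional list of accepted risks. The sample reports are constructed, the CVE ids and package names are placeholders, and `blocking_findings`, `gate` and `accepted` are names chosen for this sketch.

```python
import json

RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed reports in the shape of `trivy image|config --format json` output.
# CVE ids and package names are placeholders; the AVD ids are those shown above.
IMAGE_REPORT = json.dumps({"Results": [{"Target": "myapp:latest", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
     "Severity": "CRITICAL", "FixedVersion": "1.2.4"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libother", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libminor",
     "Severity": "MEDIUM", "FixedVersion": "2.0.1"}]}]})
CONFIG_REPORT = json.dumps({"Results": [{"Target": "k8.yaml", "Misconfigurations": [
    {"AVDID": "AVD-KSV-0012", "Severity": "MEDIUM", "Status": "FAIL"},
    {"AVDID": "AVD-KSV-0014", "Severity": "HIGH", "Status": "FAIL"},
    {"AVDID": "AVD-KSV-0015", "Severity": "LOW", "Status": "FAIL"}]}]})


def blocking_findings(report_json, threshold="HIGH", ignore_unfixed=False, accepted=()):
    """Return sorted (target, id, severity) tuples that should fail the build."""
    floor = RANK[threshold]
    blocking = []
    for result in json.loads(report_json).get("Results") or []:
        vulns = [(v.get("VulnerabilityID"), v) for v in result.get("Vulnerabilities") or []]
        # A misconfiguration entry with Status PASS is a check that succeeded.
        miscs = [(m.get("AVDID") or m.get("ID"), m)
                 for m in result.get("Misconfigurations") or []
                 if m.get("Status", "FAIL") == "FAIL"]
        for ident, item in vulns + miscs:
            sev = str(item.get("Severity", "UNKNOWN")).upper()
            if RANK.get(sev, 0) < floor or ident in accepted:
                continue  # below the gate, or a documented accepted risk
            unfixed = "VulnerabilityID" in item and not item.get("FixedVersion")
            if ignore_unfixed and unfixed:
                continue  # no patched version exists to upgrade to
            blocking.append((result.get("Target", "?"), ident, sev))
    return sorted(blocking)


def gate(report_json, **options):
    """CI exit code: 1 when any finding blocks the release, otherwise 0."""
    findings = blocking_findings(report_json, **options)
    for target, ident, sev in findings:
        print(f"BLOCKING {sev:<8} {ident} in {target}")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(max(gate(IMAGE_REPORT), gate(CONFIG_REPORT)))
```

For the simple case Trivy can gate by itself with `--severity HIGH,CRITICAL --exit-code 1`; parsing the report is useful when the pipeline needs its own exception list or one policy across both scan types.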

Artifact Signing

Last but not least is signing. Signing artifacts serves as proof of their authenticity, integrity, and trust for components such as:

  • Container images
  • Binaries
  • Manifests (like Helm charts, Kubernetes YAMLs)
  • Packages

We can write custom policies so that, when a pod comes up, only images that can be verified using their signatures are allowed to run. Cosign and Notary are open-source tools that can be used to verify the image signature.

PowerShell
 
cosign sign --key cosign.key myrepo/myapp:latest
cosign verify --key cosign.pub myrepo/myapp:latest


The cosign sign command is used to sign a container image using your private key. Then, consumers of the image can use cosign verify to ensure it was signed by the expected provider.

Conclusion

Scan your artifacts to ensure they are free from vulnerabilities, then sign them to safeguard both you and your customers from supply chain attacks. These are fundamental steps in shipping a secure infrastructure for your customers.
