With KubeCon EU happening in Copenhagen, we looked back at the most popular posts with our readers on Docker and Kubernetes. For those of you that have yet to try Docker EE 2.0, this blog highlights how Docker EE 2.0 provides a secure supply chain for Kubernetes.
The GA release of the Docker Enterprise Edition (Docker EE) container platform last month integrates Kubernetes orchestration, running alongside Swarm, to provide a single container platform that supports both legacy and new applications running on-premises or in the cloud. For organizations that are exploring Kubernetes or deploying it in production, Docker EE offers integrated security for the entire lifecycle of a containerized application, providing an additional layer of security before the workload is deployed by Kubernetes and continuing to secure the application while it is running.
What is a Software Supply Chain?
When you purchase something from a retail store, there is an entire supply chain that gets the product from raw materials to the manufacturer to you. Similarly, there is a software supply chain that takes an application from code on a developer’s laptop to production.
Every company’s software supply chain may be slightly different; some outsource software development, some have adopted Continuous Integration and Continuous Delivery processes, and some deploy production applications across multiple clouds, some on-premises. Regardless of what the software supply chain consists of, Docker EE provides a set of solutions that integrates with your workflows while ensuring that applications remain secure, trusted and safe through all of these steps using both Kubernetes and Swarm.
In this week’s blog, we’ll take a closer look at one part of this solution – image scanning and policy-based image promotions.
Secure Automation of Workflows for Kubernetes
Before an application is deployed in production, organizations typically want to know that it does not have any known vulnerabilities that often come from older releases or unpatched versions of software. It’s also difficult for large organizations to keep a full inventory of every application they have running that may be affected by a new vulnerability.
Docker EE provides image security scanning to help organizations both identify vulnerabilities before applications are deployed in production and alert you when newly published vulnerabilities affect applications that are already running. This is done by executing a binary-level scan of your images against the NIST list of known vulnerabilities. As shown below, each layer of an image is scanned individually, so the findings can be traced to the layer that introduced them.
Docker EE also has the ability to define policies to automate the movement of images between repositories. These image promotion policies can be combined with the results of security scanning to create a secure, automated workflow for images moving to production.
For example, a developer is working on a new Kubernetes project with access to the ‘dev’ repository, from which they can push and pull images. The repository is set up with image scanning so that every image is scanned automatically when it is pushed. When the developer is ready to move an image toward production, they add a specific tag such as ‘latest’ to it. The repository is also set up with an image promotion policy stating that if an image carries the ‘latest’ tag and has no critical vulnerabilities, it is automatically copied (promoted) to the ‘QA’ repository.
In this example, only the QA team has access to the ‘QA’ repository, limiting access to those who require it. The policy also makes developers responsible for fixing any critical vulnerabilities before an image reaches the QA team, since an image that fails the scan is never promoted.
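As an added illustration (this is not Docker EE or DTR code, and it does not use DTR's promotion-policy API), the following Python models the workflow just described: per-layer scan findings rolled up into image-level severity counts, a promotion policy attached to the ‘dev’ repository that copies an image to ‘qa’ only when it carries the ‘latest’ tag and has zero critical findings, and a rescan diff that yields the new findings an alert on an already-deployed image would report. Repository names, digests, layer ids and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

SEVERITIES = ("critical", "major", "minor")


@dataclass(frozen=True)
class Vulnerability:
    cve: str        # constructed placeholder id, not a real advisory
    severity: str   # one of SEVERITIES
    component: str  # package the finding was matched against


@dataclass
class Image:
    digest: str
    tags: List[str]
    # Scan results per layer: layer digest -> findings located in that layer.
    layers: Dict[str, List[Vulnerability]]

    def severity_counts(self) -> Dict[str, int]:
        """Roll per-layer findings up to image-level counts."""
        counts = {s: 0 for s in SEVERITIES}
        for findings in self.layers.values():
            for v in findings:
                counts[v.severity] += 1
        return counts

    def all_findings(self) -> set:
        return {v for findings in self.layers.values() for v in findings}


@dataclass
class Rule:
    attr: str      # "tag" or "vulnerability_<severity>"
    op: str        # "eq" or "lte"
    value: object

    def holds(self, image: Image) -> bool:
        if self.attr == "tag":
            return self.value in image.tags
        severity = self.attr[len("vulnerability_"):]
        actual = image.severity_counts()[severity]
        return actual == self.value if self.op == "eq" else actual <= self.value


@dataclass
class PromotionPolicy:
    source_repo: str
    target_repo: str
    rules: List[Rule]

    def evaluate(self, image: Image) -> Tuple[bool, List[Rule]]:
        """Every rule must hold; failed rules are returned for the audit trail."""
        failed = [r for r in self.rules if not r.holds(image)]
        return (not failed, failed)


Registry = Dict[str, Dict[str, Image]]   # repo -> digest -> image


def push(registry: Registry, repo: str, image: Image,
         policies: List[PromotionPolicy]) -> List[str]:
    """Store an image, then run every policy whose source is this repository.

    Returns the repositories the image was promoted to (promotion can chain).
    """
    registry.setdefault(repo, {})[image.digest] = image
    promoted: List[str] = []
    for policy in policies:
        if policy.source_repo != repo:
            continue
        ok, _failed = policy.evaluate(image)
        if ok:
            # Promotion copies the image; the source repo keeps its own copy.
            promoted.append(policy.target_repo)
            promoted += push(registry, policy.target_repo, image, policies)
    return promoted


def new_findings(previous: Image, rescanned: Image) -> List[Vulnerability]:
    """Findings present only after a rescan against a newer vulnerability feed:
    the content of an alert about an image that is already deployed."""
    return sorted(rescanned.all_findings() - previous.all_findings(),
                  key=lambda v: v.cve)


# Constructed sample data (placeholder layer digests and CVE ids).
BASE_LAYER = "sha256:base-layer-placeholder"
APP_LAYER = "sha256:app-layer-placeholder"
CLEAN = Image("sha256:img-clean", ["latest"], {
    BASE_LAYER: [],
    APP_LAYER: [Vulnerability("CVE-EXAMPLE-0002", "minor", "libexample")]})
DIRTY = Image("sha256:img-dirty", ["latest"], {
    BASE_LAYER: [Vulnerability("CVE-EXAMPLE-0001", "critical", "tls-example")],
    APP_LAYER: []})
WIP = Image("sha256:img-wip", ["feature-x"], {BASE_LAYER: [], APP_LAYER: []})

POLICIES = [PromotionPolicy("dev", "qa", [
    Rule("tag", "eq", "latest"),
    Rule("vulnerability_critical", "eq", 0),
])]


def demo() -> Tuple[Registry, Dict[str, List[str]]]:
    registry: Registry = {}
    results = {img.digest: push(registry, "dev", img, POLICIES)
               for img in (CLEAN, DIRTY, WIP)}
    return registry, results


if __name__ == "__main__":
    registry, results = demo()
    for digest, targets in results.items():
        print(digest, "->", targets or "not promoted")
```

Only the clean, ‘latest’-tagged image lands in ‘qa’; the image with a critical finding and the untagged work-in-progress image stay in ‘dev’, and `evaluate` reports which rule blocked each one so the reason can be logged alongside the scan result.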
By combining these Docker EE capabilities, organizations can:
- Automate the movement of images between repositories at scale
- Enforce security scanning practices at certain stages of development
- Prevent applications with known vulnerabilities from being deployed in production
- Limit the access to sensitive repositories (like ‘production’) to only those who require it, while still removing bottlenecks in the process by defining appropriate policies
These are all critical workflows that happen prior to the app being deployed in production with Kubernetes. With Docker EE you get the only container platform with integrated security across the entire supply chain.