VSHN.timer #54: Secure Containers

Welcome to another VSHN.timer! Every Monday, 5 links related to Kubernetes, OpenShift, CI / CD, and DevOps; all stuff coming out of our own chat system, making us think, laugh, or simply work better.

This week we’re going to talk about various useful concepts around container technology: legal issues, registries, and security.

1. From a legal point of view, it can be quite hard for companies to figure out the licensing requirements of containers. This is a very sensitive point for large corporations, particularly those that must undergo regular audits; the layered structure of Docker containers adds yet more complexity to the equation. Thankfully the Linux Foundation has published an extensive article about the subject, providing some interesting technical details at the same time.

https://www.linuxfoundation.org/blog/2020/04/docker-containers-what-are-the-open-source-licensing-considerations/

2. There’s a new container registry in town: DigitalOcean has recently introduced their brand new container registry. The competition in a field where Docker Hub used to be all alone is getting stronger. By the way, in the same vein, Red Hat has just released Quay version 3.3.

https://www.digitalocean.com/products/container-registry/

3. Containers are now the basis of most online infrastructure, which makes them likely targets of attacks exploiting security failures. Pawan Shankar from Sysdig recently wrote a 12-step guide with container image scanning best practices.

https://sysdig.com/blog/image-scanning-best-practices/

4. Speaking about container security, Dockle and Trivy are container image linters that can be very useful in CI/CD pipelines, making sure our images are safe and sound before we distribute them. Both were used on the „Security Issues“ website, which sadly hasn’t seen many updates in the past few months.

https://github.com/goodwithtech/dockle
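As an added example that is not part of the original post or of either project: a GitLab CI fragment that runs both tools as a gate in front of the publish stage, so a failing scan stops the image from being pushed further. The registry variables are GitLab's predefined ones; the image tag, stage names and severity thresholds are assumptions for illustration.

```yaml
# Added example: gate image publication on Trivy and Dockle results.
# Jobs in the "publish" stage only run if every "scan" job succeeded.
stages:
  - build
  - scan
  - publish

variables:
  # Assumed tag: the image built in the "build" stage, addressed by commit SHA.
  IMAGE: $CI_REGISTRY_IMAGE:$CI_COMMIT_SHORT_SHA

trivy:
  stage: scan
  image:
    name: aquasec/trivy:latest
    entrypoint: [""]          # the image's entrypoint is trivy itself
  variables:
    TRIVY_USERNAME: $CI_REGISTRY_USER   # pull credentials for the project registry
    TRIVY_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # First pass: full report for the job log, never fails.
    - trivy image --no-progress --exit-code 0 "$IMAGE"
    # Second pass: fail the job on HIGH/CRITICAL findings that already have a fix.
    - trivy image --no-progress --exit-code 1 --ignore-unfixed --severity HIGH,CRITICAL "$IMAGE"

dockle:
  stage: scan
  image:
    name: goodwithtech/dockle:latest
    entrypoint: [""]          # the image's entrypoint is dockle itself
  variables:
    DOCKLE_USERNAME: $CI_REGISTRY_USER
    DOCKLE_PASSWORD: $CI_REGISTRY_PASSWORD
  script:
    # Fail on WARN level and above (e.g. no dedicated user, credentials left in the image).
    - dockle --exit-code 1 --exit-level warn "$IMAGE"
```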

5. The tool of the week is sinker, a useful tool to automatically sync image versions from registry to registry.

https://github.com/plexsystems/sinker

Do you run your own container registry? How do you synchronize images with other registries? Do you scan your images for vulnerabilities? Get in touch with us through the form at the bottom of this page, and see you next week for another edition of VSHN.timer.

PS: For those of you interested in the subject, here are the previous container-related VSHN.timer entries: VSHN.timer #12, VSHN.timer #17, and VSHN.timer #40. Check them out!