A Zero Trust Approach for Securing the Supply Chain of Microservices Packaged as Container Images

Base image as a basis for microservices
  • The base image has the key components such as the OS, language frameworks, key libraries, and common code
  • The base container image is stored in a secure private container registry close to the rest of the infrastructure, thereby lowering latency
quarkus-hello-service container image built from quarkus-base-image
  • quarkus-base-image container image should be digitally signed so that it can be verified by consumers
  • quarkus-hello-service container image is built from the secure and verified quarkus-base-image
  • quarkus-hello-service container image should be digitally signed so that it can be verified by consumers
  • quarkus-hello-service microservice should only run on the Kubernetes/OpenShift platform if its image has a valid digital signature.
  • Attestation or evidence of the build process

Description of the Solution

Zero trust supply chain security solution for container images
Dockerfile for quarkus-base-image:

FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3
ARG JAVA_PACKAGE=java-11-openjdk-headless
ARG RUN_JAVA_VERSION=1.3.8
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'
# Install java and the run-java script
# Also set up permissions for user `1001`
RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \
    && microdnf update \
    && microdnf clean all \
    && mkdir /deployments \
    && chown 1001 /deployments \
    && chmod "g+rwX" /deployments \
    && chown 1001:root /deployments \
    && curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \
    && chown 1001 /deployments/run-java.sh \
    && chmod 540 /deployments/run-java.sh \
    && echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/conf/security/java.security
Dockerfile for quarkus-hello-service, built on the signed base image:

FROM docker.io/gkovan/quarkus-base-image:1.0
LABEL base.image="docker.io/gkovan/quarkus-base-image:1.0"
ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"
COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/
COPY --chown=1001 target/quarkus-app/*.jar /deployments/
COPY --chown=1001 target/quarkus-app/app/ /deployments/app/
COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/
EXPOSE 8080
USER 1001
ENTRYPOINT [ "/deployments/run-java.sh" ]
Kyverno ClusterPolicy that blocks any Pod whose docker.io/gkovan/* image does not carry a signature verifiable with the publisher's public key:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: check-image
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
      - image: "docker.io/gkovan/*"
        key: |-
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtwDUUcAVE4dJj623tCNy9WrYfgJngPqTAl4hkXdXMG1jk36OGxzwefjQO7XV37i0kJrWssfggVGxa0GoXryWVw==
          -----END PUBLIC KEY-----
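The admission decision that the policy above delegates to Kyverno, reduced to a stand-alone Go program as an added example (not the article's code or Kyverno's). It assumes a P-256 signing key of the kind the policy embeds and a constructed manifest; real cosign signatures are stored in the registry next to the image and verified over the image digest, which is simplified here to signing the manifest bytes directly.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Decision is the outcome of evaluating one image against the verifyImages rule.
type Decision string

const (
	Allow      Decision = "allow"       // image matched the pattern and its signature verified
	Deny       Decision = "deny"        // image matched the pattern but has no valid signature
	NotMatched Decision = "not-matched" // image is outside the rule's scope; this rule does not decide
)

// NewKeyPair stands in for the publisher's signing key (P-256, like the key in the policy).
func NewKeyPair() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignManifest is the publisher step: sign the sha256 digest of the image manifest.
func SignManifest(priv *ecdsa.PrivateKey, manifest []byte) ([]byte, error) {
	digest := sha256.Sum256(manifest)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Admit is the admission step: for images matching pattern (e.g. "docker.io/gkovan/*"),
// recompute the digest and verify the signature against the trusted public key.
// Images outside the pattern are not checked by this rule, exactly as in the policy above.
func Admit(pub *ecdsa.PublicKey, pattern, image string, manifest, sig []byte) Decision {
	if !strings.HasPrefix(image, strings.TrimSuffix(pattern, "*")) {
		return NotMatched
	}
	digest := sha256.Sum256(manifest)
	if ecdsa.VerifyASN1(pub, digest[:], sig) {
		return Allow
	}
	return Deny
}

func main() {
	priv, _ := NewKeyPair()
	manifest := []byte(`{"schemaVersion":2,"config":{"digest":"sha256:constructed"}}`) // constructed sample
	sig, _ := SignManifest(priv, manifest)
	image := "docker.io/gkovan/quarkus-hello-service:1.0"
	fmt.Println(Admit(&priv.PublicKey, "docker.io/gkovan/*", image, manifest, sig))                             // allow
	fmt.Println(Admit(&priv.PublicKey, "docker.io/gkovan/*", image, []byte(string(manifest)+"\n"), sig)) // deny
}
```

Note that a rule scoped to docker.io/gkovan/* leaves images from other registries undecided; a zero trust cluster needs a matching rule (or a default deny) for every registry it pulls from.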

IBMer, software engineer, Canadian living in New York, husband, father and many other things.
Gerry Kovan