A Zero Trust Approach for Securing the Supply Chain of Microservices Packaged as Container Images

base image as a basis for microservices
  • Base image has key components such as OS, language frameworks, key libraries, and common code
  • Base container image is stored in a secure private container registry close to the rest of the infrastructure therby lowering latency
quarkus-hello-service container image built from quarkus-base-image
  • quarkus-base-image container image should be digitally signed so that it can be verified by consumers
  • quarkus-hello-service container image is built from the secure and verified quarkus-base-image
  • qaurkus-hello-service container image should be digitally signed so that it can be verified by consumers
  • quarkus-hello-service microservice should only run on the Kubernetes/OpenShift platform if its image has a valid digital signature.
  • Attestation or evidence of the build process

Description of the Solution

The following diagram shows the key components of the overall solution. The solution leverages new open source tools that have been developed by the Sigstore project for digitally signing and verifying container images. The solution also leverages the Kyverno policy engine which is a Kubernetes admission controller that has integration with the Sigstore tools to validate container images before allowing them to run on a cluster.

Zero trust supply chain security solution for container images
FROM registry.access.redhat.com/ubi8/ubi-minimal:8.3ARG JAVA_PACKAGE=java-11-openjdk-headlessARG RUN_JAVA_VERSION=1.3.8ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en'# Install java and the run-java script# Also set up permissions for user `1001`RUN microdnf install curl ca-certificates ${JAVA_PACKAGE} \&& microdnf update \&& microdnf clean all \&& mkdir /deployments \&& chown 1001 /deployments \&& chmod "g+rwX" /deployments \&& chown 1001:root /deployments \&& curl https://repo1.maven.org/maven2/io/fabric8/run-java-sh/${RUN_JAVA_VERSION}/run-java-sh-${RUN_JAVA_VERSION}-sh.sh -o /deployments/run-java.sh \&& chown 1001 /deployments/run-java.sh \&& chmod 540 /deployments/run-java.sh \&& echo "securerandom.source=file:/dev/urandom" >> /etc/alternatives/jre/conf/security/java.security
FROM docker.io/gkovan/quarkus-base-image:1.0LABEL base.image="docker.io/gkovan/quarkus-base-image:1.0"ENV JAVA_OPTIONS="-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager"COPY --chown=1001 target/quarkus-app/lib/ /deployments/lib/COPY --chown=1001 target/quarkus-app/*.jar /deployments/COPY --chown=1001 target/quarkus-app/app/ /deployments/app/COPY --chown=1001 target/quarkus-app/quarkus/ /deployments/quarkus/EXPOSE 8080USER 1001ENTRYPOINT [ "/deployments/run-java.sh" ]
apiVersion: kyverno.io/v1kind: ClusterPolicymetadata:name: check-imagespec:  validationFailureAction: enforce  background: false  rules:    - name: check-image      match:        resources:          kinds:            - Pod      verifyImages:      - image: "docker.io/gkovan/*"        key: |-        -----BEGIN PUBLIC KEY-----    MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEtwDUUcAVE4dJj623tCNy9WrYfgJngPqTAl4hkXdXMG1jk36OGxzwefjQO7XV37i0kJrWssfggVGxa0GoXryWVw==        -----END PUBLIC KEY-----

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Gerry Kovan

Gerry Kovan

IBMer, software engineer, Canadian living in New York, husband, father and many other things.