The origin of a container image plays a significant role in deploying any application securely onto Kubernetes. Most containers are short-lived and frequently redeployed, which makes it hard to verify that the image a container runs was built from up-to-date, trusted sources.
In the container world, images come from many project upstreams and are not always trustworthy. Plenty of images are readily available in public registries, and they are sometimes pulled from unverified publishers without review, which carries whatever security issues those images contain straight into production.
In the pre-container era (the VM world), ops teams were responsible for security patching and for regularly applying updates from upstream packages.
In the container world, by contrast, containers are ephemeral. At large scale the container count far exceeds the VM count, which makes it difficult to keep track of every container image deployed across an organization and to ensure the security of each application image.
Manually checking for security patches becomes tedious for the ops team, especially as the number of stack images grows, and this rapid growth leaves deployed applications exposed to unpatched vulnerabilities.
Manually monitoring which application teams use which stack image is equally daunting. Without a centralized system to track these changes, it is hard to get granular details such as the current patch version of an image, to identify aged or deprecated images, and to warn the respective application teams to update their stack image.
Reducing image-based security threats is therefore crucial, and doing so must not slow down Kubernetes application builds and deployments. An optimal approach is a centralized solution that consistently scans stack images for known vulnerabilities, automatically patches them for critical security vulnerabilities, and then notifies the respective application teams to pick up the new patched image.
With this centralized system, you can:
- Keep track of a particular stack image usage across various applications
- Monitor aged or deprecated images
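As an added example (Python written for this page, not code from the original article), the script below shows the core checks such a centralized tracker would run over an inventory of deployed images: it parses each image reference, flags images whose origin is outside an assumed registry allowlist (the registry hostnames are hypothetical), flags images not pinned by digest, reports aged, deprecated and critically vulnerable images from constructed scanner metadata, and maps each stack image to the applications that use it so the right teams can be notified. The inventory, the placeholder digests and the 90-day age threshold are all constructed assumptions; in a real system the inventory would come from the cluster API and the metadata from the scanner and build pipeline.

```python
"""Checks a centralized stack-image tracker would run over an inventory of
deployed images: untrusted origin, missing digest pin, age, deprecation and
critical-vulnerability count, plus a usage map from each image to the apps
that run it. Added example; inventory, metadata, registry allowlist and age
threshold are constructed assumptions, not data from the original page."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Assumed organizational allowlist of image origins (hypothetical names).
TRUSTED_ORIGINS = {"registry.internal.example", "ghcr.io/example-org"}
MAX_AGE_DAYS = 90  # assumed policy: rebuild stack images older than this


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest.

    A tag is the text after a ':' that follows the last '/', so a registry
    port such as localhost:5000 is not mistaken for a tag. A first path
    component without a dot, a port or 'localhost' is not a registry; such
    references are Docker Hub shorthand and are mapped to docker.io.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    parts = name.split("/", 1)
    if len(parts) == 2 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry, repository = parts
    else:
        registry, repository = "docker.io", name
    return ImageRef(registry, repository, tag, digest)


def is_trusted(img: ImageRef) -> bool:
    """True if the image comes from an allowlisted registry or org namespace."""
    full = f"{img.registry}/{img.repository}"
    return any(full == o or full.startswith(o + "/") for o in TRUSTED_ORIGINS)


def audit_inventory(inventory: List[Tuple[str, str]],
                    metadata: Dict[str, dict],
                    today: date) -> List[Tuple[str, str, List[str]]]:
    """Return (app, image_ref, issues) for every deployment with at least one issue.

    `metadata` is keyed by digest and holds what a scanner and build system
    would record: build date, deprecation flag and count of critical findings.
    """
    findings = []
    for app, ref in inventory:
        img = parse_image_ref(ref)
        issues = []
        if not is_trusted(img):
            issues.append(f"untrusted origin {img.registry}/{img.repository}")
        if img.digest is None:
            issues.append("not pinned by digest; tag %r is mutable" % (img.tag or "latest"))
        elif img.digest not in metadata:
            issues.append("digest has never been scanned")
        else:
            meta = metadata[img.digest]
            age = (today - meta["built"]).days
            if age > MAX_AGE_DAYS:
                issues.append(f"image is {age} days old (limit {MAX_AGE_DAYS})")
            if meta["deprecated"]:
                issues.append("image is deprecated")
            if meta["critical_cves"]:
                issues.append(f"{meta['critical_cves']} critical vulnerabilities")
        if issues:
            findings.append((app, ref, issues))
    return findings


def usage_by_image(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Map each image (by digest when pinned, else by tag) to the apps using it,
    which is exactly who must be notified once a patched rebuild is published."""
    usage: Dict[str, List[str]] = {}
    for app, ref in inventory:
        img = parse_image_ref(ref)
        name = f"{img.registry}/{img.repository}"
        key = f"{name}@{img.digest}" if img.digest else f"{name}:{img.tag or 'latest'}"
        usage.setdefault(key, []).append(app)
    return usage


# Constructed sample data; digests are placeholders, not real image digests.
TODAY = date(2024, 6, 1)  # fixed "today" so the run is deterministic
DIGEST_PY, DIGEST_NODE, DIGEST_JAVA = ("sha256:" + c * 64 for c in "abc")
SAMPLE_INVENTORY = [
    ("payments-api", f"registry.internal.example/stack/python:3.11@{DIGEST_PY}"),
    ("billing-worker", f"registry.internal.example/stack/python:3.11@{DIGEST_PY}"),
    ("web-frontend", f"registry.internal.example/stack/node:18@{DIGEST_NODE}"),
    ("legacy-report", f"registry.internal.example/stack/java:8@{DIGEST_JAVA}"),
    ("adhoc-tool", "random-user/utility:latest"),  # Docker Hub, unverified, unpinned
]
SAMPLE_METADATA = {
    DIGEST_PY: {"built": date(2024, 5, 20), "deprecated": False, "critical_cves": 0},
    DIGEST_NODE: {"built": date(2024, 5, 1), "deprecated": False, "critical_cves": 1},
    DIGEST_JAVA: {"built": date(2023, 12, 1), "deprecated": True, "critical_cves": 3},
}

if __name__ == "__main__":
    for app, ref, issues in audit_inventory(SAMPLE_INVENTORY, SAMPLE_METADATA, TODAY):
        print(f"{app}: {ref}\n  - " + "\n  - ".join(issues))
    for image, apps in usage_by_image(SAMPLE_INVENTORY).items():
        print(f"{image} used by {', '.join(apps)}")
```

On the sample inventory, the two Python-based services pass, the Node image is reported for one critical finding, the Java image for being 183 days old, deprecated and carrying three critical findings, and the ad hoc tool for coming from an unverified Docker Hub publisher with a mutable `latest` tag. Keying the usage map by digest rather than tag is deliberate: a tag can be moved to a new build, so only the digest tells you which teams are still running the old bits after a patch is published.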