Kubernetes and Cloud Native Security Associate (KCSA)

Overview of Cloud Native Security

Artifact Repository and Image Security

Containerization Benefits

Team A selected containerization for their CRM application to achieve:

  • Portability
  • Scalability
  • Consistency
  • Isolation
  • Enhanced security

The image illustrates a "Team A Scenario" focusing on containerization, highlighting key benefits such as portability, scalability, consistency, isolation, and security.

Risk of Untrusted Base Images

In the rush to deploy, Team A used a latest-tagged base image from Docker Hub without verifying its origin or maintenance status. While the container spun up successfully, the CRM soon experienced performance degradation and instability.

The image illustrates a concept of software vulnerabilities, showing a document with a bug icon under a magnifying glass, labeled "Known Vulnerabilities," and mentions that Team A assumes it is secure with the latest tag, but it is not updated.

A deep dive revealed multiple unpatched CVEs in the latest image, which attackers exploited to compromise data integrity and leak customer information.

The image illustrates vulnerabilities in software, highlighting a magnifying glass over a Docker logo with a bug icon, and mentions "Latest" and "Not Always Updated or Secure."

Warning

Relying on the latest tag does not ensure up-to-date security patches. Image maintainers can assign it arbitrarily, leaving you exposed to risks.

Integrating Vulnerability Scanning

To prevent future incidents, Team A added automated scanning tools into their CI/CD pipeline:

# Scan with Trivy
trivy image --severity HIGH,CRITICAL team-a/crm:stable

# Scan with Clair via clair-scanner
clair-scanner --ip $(hostname -I | awk '{print $1}') team-a/crm:stable

The image shows logos for two vulnerability scanning tools, Trivy and Clair, with their names displayed below each logo.

ScannerDescriptionCommand Example
TrivyLightweight, fast vulnerability scannertrivy image <image>
ClairStatic analysis of vulnerabilities in imagesclair-scanner --ip <host-ip> <image>

Adopting Minimal Official Base Images

After remediating all discovered flaws, Team A switched to an officially maintained minimal image (Ubuntu or Alpine). This approach reduces the attack surface and ensures timely security updates.

The image shows logos of Ubuntu and Alpine Linux with the label "Official, minimal base image" above them, under the title "Minimal Base Image."

Understanding Build Artifacts

Any output from your build process—compiled binaries, JAR/WAR files, logs, reports, and especially container images—counts as a build artifact.

The image is a diagram titled "Build Artifact" showing six components: code, package, WAR file, logs, report, and container image, each represented by an icon.

Securely managing container images requires a centralized artifact repository, which supports your CI/CD workflow and ensures consistent distribution.

Storing Container Images

While Docker Hub is popular for hosting images, it has limited access controls and no built-in vulnerability scanning.

The image shows logos for Docker Hub and JFrog under the title "Storing Container Images."

RepositoryAccess ControlScanningImage Signing
Docker HubBasicNoNo
Nexus RepositoryFine-grainedVia add-onLimited
GitHub PackagesFine-grainedYesYes
JFrog ArtifactoryFine-grainedYesYes

Advanced Artifact Repositories

For stricter compliance, consider:

  • Nexus Repository (https://www.sonatype.com/nexus-repository-oss)
  • GitHub Packages (https://github.com/features/packages)
  • JFrog Artifactory (https://jfrog.com/artifactory/)

The image shows logos of popular artifact repositories: Nexus Repository, GitHub Packages, and JFrog Artifactory.

JFrog Artifactory Security

JFrog Artifactory continuously scans stored images, integrates with vulnerability tools, and can enforce digital signatures to guarantee image authenticity.

The image features the JFrog Artifactory logo with a description stating it continuously checks stored images for security weaknesses by integrating with security scanning tools.

Note

Digital signatures on images detect unauthorized modifications and improve supply chain security.

The image illustrates the concept of enhancing image security with digital signatures, focusing on ensuring image authenticity. It features icons of digital signatures and user symbols.

Next Steps

  1. Integrate automated scans in your CI/CD pipeline.
  2. Standardize on minimal, official base images.
  3. Use a robust artifact repository with access controls and signing.
  4. Continuously monitor and update images to address new vulnerabilities.

Watch Video

Watch video content

Previous
Kubernetes Isolation Techniques