Ensuring the security of your container environment requires multiple steps. One of those that organizations sometimes overlook is defending your container images. If you don’t take this into consideration, you could leave yourself open to attack.
This blog post will provide a primer on what container images are and how they function in your container environment. It will then explain how attackers can potentially misuse your containers to steal your sensitive information. Finally, it’ll conclude by explaining how you can use Kubernetes to safeguard your container images.
What is a container image?
As defined by TechTarget, a container image is a static file that contains executable code including system libraries, tools and other resources that a program needs to run in a containerized environment. This property allows the container image to run as an isolated process on IT infrastructure. Not only that, but the container image is also compiled from the file system layers of a base image, thus freeing you from needing to create something from scratch.
Container images are beneficial in that they download quickly and start instantly. As such, these assets consume fewer computing resources than virtual machines (VMs). Container images are also interoperable insofar as they use open standards and operate across different infrastructure.
What security risks are involved with containers?
Unfortunately, container images aren’t without security risks. Container images can carry vulnerabilities. IBM provided the example of CVE-2019-5021, a Docker image vulnerability that a malicious actor could exploit to obtain super-user privileges within a container. IBM also cited a vulnerability in sqlite3 3.26.0 that could allow remote code execution via a malicious SQL command. These and other types of security flaws could enable a malicious actor to gain unrestricted access to a container image, move laterally throughout the container environment and/or compromise sensitive data.
The security concerns associated with container images don’t end there, either. TechTarget noted that malicious actors can publish lookalike images of public containers to prey upon your organization. In this type of attack, a user pulls from a registry a container image that secretly contains malicious code. The trick is that the image is a lookalike of another, legitimate program, so the user is inclined to trust it and run it in their environment. Once running, its malicious code can grant attackers access to the infected environment, where they can search for sensitive information.
A similar problem arises when the user wants to pull a container image from an unknown source. As Kubernetes notes on its website, that’s the equivalent of running software from an unknown vendor on one of your production servers. It’s a risky move, as you have no idea what that container image might do. In the worst case, it could adversely affect the organization’s operations or empower malicious actors to access the network.
How Kubernetes can help securely use container images
In a blog post, StackRox notes that organizations should embrace a strong governance policy when it comes to using container images. This policy should consist of several elements:
Avoid Pulling Containers from Unknown Sources
Given the threats associated with container images from unknown sources, you should consider setting up a security policy that allows images to be pulled from authorized repositories only. Sqreen also points out that such a policy should prohibit you from using images that you haven’t analyzed beforehand.
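The two rules above (authorized registries only, and no image that has not been analyzed beforehand) are exactly what an admission check in the cluster can enforce on each container's image field. The following is an added example in Go, not code from the original post or from Kubernetes; it goes a little beyond the text by normalizing image references the way Docker/OCI tooling does (an omitted registry means docker.io, a bare name on docker.io means library/<name>, an omitted tag means latest), because a policy that compares raw strings is easily bypassed by an equivalent spelling. The registry name registry.internal.example, the digest value and the "reviewed digests" set are constructed placeholders. In a real cluster this logic would sit behind a validating admission webhook.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ExampleDigest is a constructed, syntactically valid digest used in main().
const ExampleDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

// ImageRef is a normalized container image reference.
type ImageRef struct {
	Registry   string // "docker.io" when the reference names no registry
	Repository string // "library/nginx", "team/app"
	Tag        string // "latest" when neither tag nor digest is given; "" when pinned by digest only
	Digest     string // "sha256:<64 hex>" or "" when the reference is not pinned
}

// ParseImageRef normalizes a reference the way Docker/OCI tooling does: no
// registry means docker.io, a bare name on docker.io means library/<name>,
// and no tag means "latest". Only well-formed sha256 digests are accepted.
func ParseImageRef(ref string) (ImageRef, error) {
	var out ImageRef
	rest := ref
	// Split off the digest first; it contains a ':' that would confuse the tag split.
	if i := strings.Index(rest, "@"); i >= 0 {
		out.Digest, rest = rest[i+1:], rest[:i]
		if !strings.HasPrefix(out.Digest, "sha256:") || len(out.Digest) != len("sha256:")+64 {
			return ImageRef{}, fmt.Errorf("malformed digest %q", out.Digest)
		}
	}
	// The first path component is a registry only if it looks like a host
	// (contains '.' or ':', or is "localhost"); otherwise it belongs to the repository.
	if parts := strings.SplitN(rest, "/", 2); len(parts) == 2 && (strings.ContainsAny(parts[0], ".:") || parts[0] == "localhost") {
		out.Registry, rest = parts[0], parts[1]
	} else {
		out.Registry = "docker.io"
	}
	// A ':' after the last '/' separates the repository from the tag.
	if colon := strings.LastIndex(rest, ":"); colon > strings.LastIndex(rest, "/") {
		out.Tag, rest = rest[colon+1:], rest[:colon]
	} else if out.Digest == "" {
		out.Tag = "latest"
	}
	if rest == "" {
		return ImageRef{}, errors.New("missing repository in " + ref)
	}
	if out.Registry == "docker.io" && !strings.Contains(rest, "/") {
		rest = "library/" + rest
	}
	out.Repository = rest
	return out, nil
}

// Policy is the cluster's image-source rule set: which registries are
// authorized, whether images must be pinned by digest, and which digests
// have already been analyzed and approved (constructed data in main()).
type Policy struct {
	AllowedRegistries []string
	RequireDigest     bool
	ReviewedDigests   map[string]bool
}

// Admit is the check an admission webhook would run on each container's
// image field; it returns false plus the reason when the image is rejected.
func (p Policy) Admit(ref string) (bool, string) {
	img, err := ParseImageRef(ref)
	if err != nil {
		return false, "unparseable image reference: " + err.Error()
	}
	authorized := false
	for _, r := range p.AllowedRegistries {
		if img.Registry == r {
			authorized = true
		}
	}
	if !authorized {
		return false, fmt.Sprintf("registry %q is not an authorized source", img.Registry)
	}
	if p.RequireDigest && img.Digest == "" {
		return false, fmt.Sprintf("%s/%s:%s is not pinned by digest", img.Registry, img.Repository, img.Tag)
	}
	if img.Digest != "" && p.ReviewedDigests != nil && !p.ReviewedDigests[img.Digest] {
		return false, "digest " + img.Digest + " has not been analyzed and approved"
	}
	return true, "admitted"
}

func main() {
	policy := Policy{
		AllowedRegistries: []string{"registry.internal.example"},
		RequireDigest:     true,
		ReviewedDigests:   map[string]bool{ExampleDigest: true},
	}
	for _, ref := range []string{"nginx", "registry.internal.example/team/app:v1", "registry.internal.example/team/app@" + ExampleDigest} {
		ok, why := policy.Admit(ref)
		fmt.Printf("%s -> %v (%s)\n", ref, ok, why)
	}
}
```

Requiring a digest rather than a tag is what ties "authorized source" to "analyzed beforehand": a tag such as v1 can be re-pointed at new content after review, whereas a digest identifies exactly the bytes that were scanned.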
Scan Your Images for Vulnerabilities
As container images oftentimes suffer from vulnerabilities, it’s important that you be proactive about tracking these security flaws. One of the ways you can do this is by using a vulnerability scanner that analyzes images that you’ve submitted to a registry. There are tools that notify you if your container image suffers from a vulnerable package, explain to you how a malicious actor could potentially exploit it and guide you through the task of solving those security issues.
Build a Security Pipeline for Your Container Images
Vulnerability scanning and caution around unknown sources should both be components of a larger container image security strategy. Kubernetes’ developers recommend storing approved images only in private registries, which limits the number of images that could enter your pipeline from publicly available sources. The same pipeline should also vet the code used to build the images and scan the result for vulnerabilities. If the assessment finds an issue, it should trigger an alert that flags the image for review.
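The scanning step and the pipeline gate described in the last two sections come down to one operation: match the packages inside an image against known advisories, then decide whether the image may be promoted to the private registry and raise an alert for anything that needs review. The following is an added example in Go, not code from the original post or from any scanner product. The package inventory format ("name version" per line), the package names, the advisory IDs (ADV-EXAMPLE-…) and the fixed versions are all constructed; a real scanner reads an SBOM and a vulnerability database instead.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Package is one row of an image's package inventory (what an SBOM lists).
type Package struct{ Name, Version string }

// Advisory is a constructed vulnerability record: affected package, first
// fixed version, and severity. The IDs are placeholders, not real advisories.
type Advisory struct{ ID, Package, FixedIn, Severity string }

// Finding pairs an installed package with the advisory it matches.
type Finding struct {
	Advisory  Advisory
	Installed string
}

// ParseInventory reads "name version" lines (a constructed format for this
// example), skipping blank or malformed lines.
func ParseInventory(text string) []Package {
	var pkgs []Package
	for _, line := range strings.Split(text, "\n") {
		if fields := strings.Fields(line); len(fields) == 2 {
			pkgs = append(pkgs, Package{fields[0], fields[1]})
		}
	}
	return pkgs
}

// compareVersions orders dotted versions component by component, numerically
// where both parts are numbers and lexically otherwise; a missing component
// counts as "0", so "3.26" equals "3.26.0". Returns -1, 0 or 1.
func compareVersions(a, b string) int {
	as, bs := strings.Split(a, "."), strings.Split(b, ".")
	for i := 0; i < len(as) || i < len(bs); i++ {
		x, y := "0", "0"
		if i < len(as) {
			x = as[i]
		}
		if i < len(bs) {
			y = bs[i]
		}
		xi, xerr := strconv.Atoi(x)
		yi, yerr := strconv.Atoi(y)
		numeric := xerr == nil && yerr == nil
		switch {
		case numeric && xi < yi, !numeric && x < y:
			return -1
		case numeric && xi > yi, !numeric && x > y:
			return 1
		}
	}
	return 0
}

// ScanImage reports every package whose installed version is older than the
// advisory's fix; this is the matching step a registry scanner performs.
func ScanImage(inventory []Package, advisories []Advisory) []Finding {
	var findings []Finding
	for _, pkg := range inventory {
		for _, adv := range advisories {
			if adv.Package == pkg.Name && compareVersions(pkg.Version, adv.FixedIn) < 0 {
				findings = append(findings, Finding{adv, pkg.Version})
			}
		}
	}
	return findings
}

// GateDecision is the pipeline's verdict: whether the image is promoted to
// the private registry, and the alerts raised so it is flagged for review.
type GateDecision struct {
	Promote bool
	Alerts  []string
}

// Gate raises one alert per finding and blocks promotion when any finding is
// at or above the blockAt severity; lower findings are still reported.
func Gate(findings []Finding, blockAt string) GateDecision {
	rank := map[string]int{"low": 1, "medium": 2, "high": 3, "critical": 4}
	d := GateDecision{Promote: true}
	for _, f := range findings {
		d.Alerts = append(d.Alerts, fmt.Sprintf("%s: %s %s is vulnerable, fixed in %s (severity %s)",
			f.Advisory.ID, f.Advisory.Package, f.Installed, f.Advisory.FixedIn, f.Advisory.Severity))
		if rank[f.Advisory.Severity] >= rank[blockAt] {
			d.Promote = false
		}
	}
	return d
}

// SampleInventory and SampleAdvisories are constructed data; names and IDs are placeholders.
const SampleInventory = "libfoo 1.2.3\nlibbar 2.0.0\nlibbaz 0.9\n"

var SampleAdvisories = []Advisory{
	{"ADV-EXAMPLE-0001", "libfoo", "1.2.4", "high"},
	{"ADV-EXAMPLE-0002", "libbar", "1.9.0", "medium"},
	{"ADV-EXAMPLE-0003", "libbaz", "0.9.1", "low"},
}

func main() {
	d := Gate(ScanImage(ParseInventory(SampleInventory), SampleAdvisories), "high")
	for _, a := range d.Alerts {
		fmt.Println("ALERT", a)
	}
	fmt.Println("promote to private registry:", d.Promote)
}
```

The version comparison is the part that is easy to get wrong: comparing "1.10.0" and "1.9.0" as strings would call the newer release vulnerable, so each component is compared numerically where it can be.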
Configure Image Signing and Enforcement
Last but not least, it’s a good idea to consider maintaining a system of trust for your containers. A system like Docker Content Trust gives you a tool for signing your container images. You should then consider using a tool that verifies container images are signed before they receive authorization to enter the cluster.
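To make the two halves of that system concrete, signing in the build pipeline and enforcement at the cluster boundary, here is an added example in Go. It is not code from the original post, Docker Content Trust or Notary, and it does not use their signature format: it simply signs the image's manifest digest with an ed25519 key and has the admission side keep, per registry, the public keys it trusts. The registry name registry.internal.example and the manifest bytes are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Signer is the build pipeline's signing identity. It stands in for the key a
// Docker Content Trust / Notary setup would hold; the signature here is plain
// ed25519 over the digest string, not Notary's format.
type Signer struct{ priv ed25519.PrivateKey }

// NewSigner generates a fresh ed25519 key pair.
func NewSigner() (Signer, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return Signer{priv}, err
}

// PublicKey is the half that gets distributed to the cluster's trust store.
func (s Signer) PublicKey() ed25519.PublicKey {
	return s.priv.Public().(ed25519.PublicKey)
}

// Sign signs the manifest digest, the value the registry reports for the image.
func (s Signer) Sign(digest string) []byte {
	return ed25519.Sign(s.priv, []byte(digest))
}

// ManifestDigest computes the "sha256:<hex>" digest of manifest bytes.
func ManifestDigest(manifest []byte) string {
	sum := sha256.Sum256(manifest)
	return "sha256:" + hex.EncodeToString(sum[:])
}

// SignedImage is what the admission step sees: where the image came from, its
// digest, and the signature fetched alongside it (nil when unsigned).
type SignedImage struct {
	Registry  string
	Digest    string
	Signature []byte
}

// TrustStore maps each registry to the public keys whose signatures the
// cluster accepts for images pulled from it.
type TrustStore map[string][]ed25519.PublicKey

// Admit lets an image into the cluster only if its digest carries a valid
// signature from a key trusted for its registry. Unsigned images, images
// signed by an unknown key, and digests that no longer match the signature
// are all rejected with a reason.
func (t TrustStore) Admit(img SignedImage) error {
	keys := t[img.Registry]
	if len(keys) == 0 {
		return errors.New("no trusted signing keys configured for registry " + img.Registry)
	}
	if len(img.Signature) == 0 {
		return errors.New("image " + img.Digest + " is unsigned")
	}
	for _, k := range keys {
		if ed25519.Verify(k, []byte(img.Digest), img.Signature) {
			return nil
		}
	}
	return errors.New("signature on " + img.Digest + " does not verify against any trusted key for " + img.Registry)
}

func main() {
	ci, err := NewSigner()
	if err != nil {
		panic(err)
	}
	store := TrustStore{"registry.internal.example": {ci.PublicKey()}}
	digest := ManifestDigest([]byte("constructed manifest bytes"))
	signed := SignedImage{"registry.internal.example", digest, ci.Sign(digest)}
	fmt.Println("signed image:", store.Admit(signed))
	tampered := signed
	tampered.Digest = ManifestDigest([]byte("manifest swapped after signing"))
	fmt.Println("tampered image:", store.Admit(tampered))
	fmt.Println("unsigned image:", store.Admit(SignedImage{"registry.internal.example", digest, nil}))
}
```

Because the signature covers the digest rather than a tag, a registry that re-points a tag at different content, or an attacker who swaps the manifest after signing, produces a digest the stored signature no longer verifies, so the admission check rejects it without needing to know what changed.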