[CKS] Supply Chain Security - Analyzing Dockerfile

Supply Chain Security (20% of the CKS exam)

 - Minimize base image footprint
 - Secure your supply chain: whitelist allowed registries, sign and validate images
 - Use static analysis of user workloads (e.g. Kubernetes resources, Dockerfiles)
 - Scan images for known vulnerabilities


Analyzing Dockerfile

  • Do not let the container run as root
  • Avoid the :latest tag (it is mutable, so the same manifest can pull different code over time)
  • Do not install unnecessary software or tools in the Dockerfile
  • Manage sensitive data (API keys, passwords, ...) through Secrets, never via ENV or ARG in the image
  • Sample Dockerfile
FROM nginx:1.19.10

USER root

RUN apt-get update && apt-get install -y wget  # remove: wget is not needed at runtime and helps an attacker fetch tooling
RUN useradd -ms /bin/bash nginxuser
ENV db_password=Mellon   # remove: the credential is stored in the image metadata (visible with docker inspect / docker history)

USER root    # remove: the last USER instruction wins, so the container would start as root

ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]


  • Fixed version
FROM nginx:1.19.10

USER root    # still root here so that useradd can run

RUN useradd -ms /bin/bash nginxuser

USER nginxuser    # last USER wins: the container starts as nginxuser

ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]

Caveat: this only demonstrates the USER rule. The official nginx image is built to start as root, so with USER nginxuser the container fails at startup: a non-root process cannot bind port 80 without CAP_NET_BIND_SERVICE, and the stock configuration writes /var/run/nginx.pid and /var/cache/nginx into root-owned directories. To really run nginx unprivileged, either change the listen port, pid path and cache paths and their ownership, or use an image built for that purpose such as nginxinc/nginx-unprivileged, which listens on 8080.
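To show what "static analysis of Dockerfiles" can actually catch, here is an added example (my code, not from the post or from any tool it mentions) that parses a Dockerfile and applies the four rules above to both sample files. The rule identifiers, the DEBUG_TOOLS list and the SECRET_NAME pattern are assumptions chosen for illustration; a real linter such as hadolint implements many more rules.

```python
"""Static checks for the Dockerfile rules listed above.

Added example for this post, not code from the original article or from any
tool it mentions.  The rule names, the DEBUG_TOOLS set and the SECRET_NAME
pattern are assumptions chosen for illustration.
"""
import re
from typing import List, Tuple

Finding = Tuple[str, str]

# Tools that help an attacker inside a container and are rarely needed at runtime (assumed list).
DEBUG_TOOLS = {"wget", "curl", "netcat", "nc", "nmap", "telnet", "vim", "gdb"}
# ENV/ARG names that look like a hard-coded credential (assumed pattern).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token|api[_-]?key", re.IGNORECASE)
PKG_INSTALL = re.compile(r"\b(apt(-get)?\s+install|apk\s+add|yum\s+install|dnf\s+install)\b")


def parse_dockerfile(text: str) -> List[Tuple[str, str]]:
    """Return (INSTRUCTION, arguments) pairs.

    Joins backslash continuations, drops blank and comment lines, and strips
    trailing '# note' annotations like the ones in the samples above (outside a
    RUN line those are not valid Dockerfile syntax, so they are treated as notes).
    """
    result, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        line = re.split(r"\s+#", line, maxsplit=1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        result.append((parts[0].upper(), parts[1] if len(parts) > 1 else ""))
        buf = ""
    return result


def image_tag(image: str) -> str:
    """Tag of an image reference: '' when untagged (implicitly :latest), 'digest' when pinned by @sha256."""
    if "@sha256:" in image:
        return "digest"
    return image.rsplit("/", 1)[-1].partition(":")[2]  # rsplit skips a registry host:port prefix


def lint_dockerfile(text: str) -> List[Finding]:
    """Return (rule, detail) findings for one Dockerfile."""
    findings: List[Finding] = []
    user = "root"  # Docker's default when no USER instruction appears
    for inst, args in parse_dockerfile(text):
        if inst == "FROM":
            image = args.split()[0]  # drop a trailing 'AS stage'
            if image != "scratch" and image_tag(image) in ("", "latest"):
                findings.append(("FROM_LATEST", f"{image} is not pinned to a version or digest"))
        elif inst == "USER":
            user = args
        elif inst in ("ENV", "ARG"):
            keys = re.findall(r"([\w.-]+)=", args) or args.split()[:1]  # KEY=VALUE or 'KEY VALUE' form
            for key in keys:
                if SECRET_NAME.search(key):
                    findings.append(("ENV_SECRET", f"{inst} {key} looks like a credential; use a Secret"))
        elif inst == "RUN" and PKG_INSTALL.search(args):
            tools = sorted(DEBUG_TOOLS & set(re.findall(r"[\w-]+", args)))
            if tools:
                findings.append(("RUN_DEBUG_TOOL", f"installs {', '.join(tools)}"))
    if user.split(":")[0] in ("root", "0"):  # only the last USER matters
        findings.append(("USER_ROOT", f"image starts as {user}"))
    return findings


# Constructed samples: the "before" and "fixed" Dockerfiles from the post.
SAMPLE_BEFORE = """\
FROM nginx:1.19.10
USER root
RUN apt-get update && apt-get install -y wget  # remove
RUN useradd -ms /bin/bash nginxuser
ENV db_password=Mellon   # remove
USER root    # remove
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
"""
SAMPLE_AFTER = """\
FROM nginx:1.19.10
USER root
RUN useradd -ms /bin/bash nginxuser
USER nginxuser
ENTRYPOINT ["/docker-entrypoint.sh"]
EXPOSE 80
CMD ["nginx", "-g", "daemon off;"]
"""

if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(f"== {label}: {len(lint_dockerfile(text))} finding(s)")
        for rule, detail in lint_dockerfile(text):
            print(f"{rule}: {detail}")
```

On the "before" sample the checker reports RUN_DEBUG_TOOL, ENV_SECRET and USER_ROOT, exactly the three lines the post marks "remove"; the fixed sample produces no findings. Note that the USER rule is evaluated on the final value only, which is why the intermediate USER root before useradd is acceptable.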

Analyzing resource YAML Files

  • Do not create containers in the host namespaces: hostNetwork, hostIPC, hostPID
  • Do not run containers in privileged mode
  • Avoid the :latest tag
  • Do not run containers as root
  • Sample YAML file
apiVersion: apps/v1
kind: Deployment
metadata:
  name: static-analysis-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: static-analysis-deployment
  template:
    metadata:
      labels:
        app: static-analysis-deployment
    spec:
      hostIPC: true             # false
      hostNetwork: true         # false
      hostPID: true             # false
      containers:
      - name: nginx
        image: nginx:latest      # pin a version, e.g. nginx:1.19.10
        ports:
        - containerPort: 80
        securityContext:
          privileged: true        # false
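The same idea applied to the manifest, as an added example that is my code and not part of the post: the four rules above run over the parsed Deployment. The sample is embedded as JSON (the form `kubectl get deploy -o json` prints) so the script needs no third-party YAML library; with PyYAML installed, `yaml.safe_load()` on the YAML above yields the same dict. The rule identifiers are assumptions chosen for illustration.

```python
"""Static checks for the Pod-spec rules listed above, applied to a Deployment.

Added example for this post, not code from the original article.  It checks the
parsed manifest as a dict; the sample is embedded as JSON so the script needs
no third-party YAML library.  Rule names are assumptions chosen for illustration.
"""
import copy
import json
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]


def pod_spec(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Pod spec of a Pod, or of a workload that wraps a pod template."""
    kind = obj.get("kind")
    if kind == "Pod":
        return obj["spec"]
    if kind == "CronJob":
        return obj["spec"]["jobTemplate"]["spec"]["template"]["spec"]
    return obj["spec"]["template"]["spec"]  # Deployment, StatefulSet, DaemonSet, Job


def image_tag(image: str) -> str:
    """'' when untagged (implicitly :latest), 'digest' when pinned by @sha256."""
    if "@sha256:" in image:
        return "digest"
    return image.rsplit("/", 1)[-1].partition(":")[2]


def lint_pod_spec(spec: Dict[str, Any]) -> List[Finding]:
    """Apply the four rules from the post to one Pod spec."""
    findings: List[Finding] = []
    for ns in ("hostNetwork", "hostIPC", "hostPID"):
        if spec.get(ns):
            findings.append(("HOST_NAMESPACE", f"{ns}: true shares the node's namespace with the pod"))
    pod_sc = spec.get("securityContext") or {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name, image = c.get("name", "?"), c.get("image", "")
        sc = c.get("securityContext") or {}
        if sc.get("privileged"):
            findings.append(("PRIVILEGED", f"container {name}: privileged: true grants all capabilities and host device access"))
        if image_tag(image) in ("", "latest"):
            findings.append(("LATEST_TAG", f"container {name}: image {image!r} is not pinned to a version or digest"))
        # Container-level runAsNonRoot / runAsUser override the pod-level values.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(("RUN_AS_ROOT", f"container {name}: UID is left to the image's USER; set runAsNonRoot: true"))
    return findings


# Constructed sample: the Deployment from the post, as JSON.
SAMPLE_DEPLOYMENT: Dict[str, Any] = json.loads("""
{
  "apiVersion": "apps/v1",
  "kind": "Deployment",
  "metadata": {"name": "static-analysis-deployment"},
  "spec": {
    "replicas": 1,
    "selector": {"matchLabels": {"app": "static-analysis-deployment"}},
    "template": {
      "metadata": {"labels": {"app": "static-analysis-deployment"}},
      "spec": {
        "hostIPC": true,
        "hostNetwork": true,
        "hostPID": true,
        "containers": [{
          "name": "nginx",
          "image": "nginx:latest",
          "ports": [{"containerPort": 80}],
          "securityContext": {"privileged": true}
        }]
      }
    }
  }
}
""")

# The same Deployment with the corrections annotated in the YAML above applied.
FIXED_DEPLOYMENT = copy.deepcopy(SAMPLE_DEPLOYMENT)
_spec = pod_spec(FIXED_DEPLOYMENT)
_spec.update({"hostIPC": False, "hostNetwork": False, "hostPID": False})
_spec["containers"][0]["image"] = "nginx:1.19.10"
_spec["containers"][0]["securityContext"] = {"privileged": False}

if __name__ == "__main__":
    for label, obj in (("original", SAMPLE_DEPLOYMENT), ("fixed", FIXED_DEPLOYMENT)):
        print(f"== {label}")
        for rule, detail in lint_pod_spec(pod_spec(obj)):
            print(f"{rule}: {detail}")
```

The original manifest yields six findings (three host namespaces, privileged, the :latest tag, and the unresolved UID). The fixed manifest still reports RUN_AS_ROOT: turning off host namespaces and privileged mode and pinning the tag say nothing about which user the process runs as, and nginx:1.19.10 itself leaves USER at root, so static analysis cannot prove the container is non-root. Setting runAsNonRoot: true closes that gap on the cluster side, because the kubelet then refuses to start a container whose image would run as UID 0, which is exactly why the Dockerfile section above switches to USER nginxuser (or, for nginx, to an image built to run unprivileged).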
