If you’ve been investigating Kubernetes – or any container management system – you might have come across references to an image registry. In this article, we’re going to talk about what an image registry is, and why it’s an essential component of your Kubernetes implementation. We’re also going to discuss registry scanners, and why they’re a vital component of your security strategy. Finally, we’ll compare a few of the most popular registry and registry scanners, so you can get started on implementing a safe and secure Kubernetes environment.
What is an Image Registry / Container Registry?
Kubernetes is an orchestration management system that allows you to deploy and manage containers. A Kubernetes Pod holds related containers to support an application. When you create a new container within a Pod, you need to provide an image for the container to use.
A container image is a self-contained piece of code that has everything it needs to run – including libraries, dependencies, tooling and configuration.
The Container Registry is where images are stored and can be retrieved to build containers. The image registry can be either a public or a private repository.
Public Container Registry
Currently, Docker Hub is the default and most widely used public container registry. Users can access many official images and can upload their images to use and to share with other developers. Using a public registry is not always a viable option for some organizations. It is a best practice to store proprietary images and sensitive configurations in a private image registry.
Using a Private Registry
Private registries provide a repository for both customized and commonly used images for an organization. The organization controls both access and the contents of the registry, protecting intellectual property, and preventing malicious injection of malware into the images the organization uses.
By using a private repository, you reduce the chance of exposing proprietary information or being attacked through a malicious change to an image. Container images also run the risk of having outdated dependencies and inadvertent vulnerabilities. Performing regular scans of your registry with a scanning tool can alert you if dependencies change, or if an image update introduces any vulnerabilities.
Comparing Popular Private Registry Options
As containers continue to grow in popularity, so do the numbers and quality of the tools that support their proliferation. The most popular options for private registries are also those with the most extended pedigree. Let’s review and compare four of the most popular options: Docker Hub private repositories, Google Cloud Registry, Amazon Elastic Container Registry and Jfrog Artifactory and Container Registry.
Docker Hub Private Repositories
As the default registry for Docker, most developers are already familiar with Docker Hub, and their private registry offering makes it easy to use Docker Hub for both private and public registries. Docker Hub is also relatively inexpensive, although supplemental services like scanning are available for an additional fee. An intuitive interface makes it easy to create an organization, groups, and users and control permissions to restrict and allow access.
Docker also offers the Docker Trusted Registry (DTR), which is an enterprise-grade registry that can be installed behind your corporate firewall or on a virtual private cloud (VPC). DTR includes an image scanning utility that can be added to the registry for a fee.
Google Cloud Registry (GCR)
As the originators of Kubernetes, you would expect Google to be a significant provider of related services, including an intuitive and inexpensive registry option. Google Cloud Container Registry is an affordable option, charging users only for storage and bandwidth costs.
GCR is also configured to allow access within your Google Cloud account, and with external resources as well. This flexibility makes it an excellent choice as a private registry provider, whether your containers are deployed on the Google Cloud, or elsewhere.
Amazon Elastic Container Registry (ECR)
If your organization is already using AWS, Elastic Container Registry (ECR) uses a familiar interface and is simple to integrate into your existing Cloud infrastructure. The cost is relatively inexpensive and is limited to image storage fees and data transfer. Using ECR to support a Kubernetes cluster outside of AWS has the potential of being both more expensive and complicated.
Using AWS’s highly configurable IAM offering affords a very secure access control model, which is scalable; and roles for human and non-human entities make management relatively simple. As with many of the AWS services, many of the details are abstracted from the AWS interface, which simplifies interactions, but can be problematic if you require insights into the inner workings of the registry.
Jfrog Artifactory and Container Registry
Jfrog’s Artifactory is a universal binaries manager. JFrog Container Registry supports both Docker and Helm images, to enable you to build, store, and manage container images for all types of deployments. It is available as a self-hosted, dedicated solution, or as a SaaS service – enabling organizations to create local, remote and virtual image repositories.
The Importance of Container Image Scanning
One of the unique and advantageous characteristics of containers is how layers are used to build a container image. A service that you build might be in a layer added to a JVM layer, application server layer, and a Linux layer. When one of those layers is updated, you can rebuild your container and create a new and updated version with relative ease.
Unfortunately, the layered architecture also means it is easy to accidentally introduce vulnerabilities within one or more of the layers that comprise your container. A registry scanner can scan new images and periodically scan existing images to identify potential vulnerabilities and assist you in maintaining a secure and high-quality collection of images.
Selecting the Right Image Scanning Tool
At the heart of any image scanning tool is static analysis against a “Common Vulnerabilities and Exposures” (CVE) database. Each layer within the container image is analyzed and queried to discover known vulnerabilities. One such CVE database, which is used by several providers, is the Clair Project.
In addition to vulnerability scanning, a comprehensive tool should compare the architecture of your application against best practices to identify potential vulnerabilities. Compliance scans examine your application to ensure that best practices are employed when managing secrets, ingress and egress points, and system configurations.
Image Scanning Options
All of the registries we compared above offer CVE analysis as part of their offering, or as an add-on feature. CVE analysis is an essential aspect of your container security strategy; however, it should not be relied upon solely to secure your image registry. Let’s look at and compare a few of the leading image security providers.
Recently acquired by Palo Alto Networks, Twistlock is one of the most comprehensive container security solutions available. Developed for the Cloud and explicitly focused on container security, Twistlock integrates seamlessly with Docker Hub, GCR, and ECR. Executing CVE based scans, as well as Security compliance and run-time defense, Twistlock provides comprehensive reports about all vulnerabilities within your Kubernetes ecosystem.
Offering a scanning solution that can span multiple platforms, Aqua’s Cyber Intelligence employs multiple vulnerabilities, malware detection, and threat mitigation services to ensure your container ecosystem is secure. While Twistlock focuses specifically on Container Security, Aqua offers additional security products outside of the container space.
Finally, Sysdig Secure offers similar capabilities to both Aqua Security and Twistlock, including CVE, compliance, and run-time defense. An additional feature, which is offered by SysDig and by both Twistlock and Aqua Security, is the ability to perform post-mortem forensics on the environment.
System forensics allows you to see the before-and-after state of a system. This understanding enables both fully understanding the circumstances that led to the problem, and it’s rapid resolution.
You would be ill-advised to pursue a container-based strategy without integrating a comprehensive and well-supported image scanning solution into your CI/CD processes. Outsourcing security to a solution that specializes in it and is continually improving its checks and processes is the best way to ensure the security of your environment.