Securing container content

To ensure the security of the content inside your containers you need to start with trusted base images, such as Red Hat Universal Base Images, and add trusted software. To check the ongoing security of your container images, there are both Red Hat and third-party tools for scanning images.

Securing inside the container

Applications and infrastructures are composed of readily available components, many of which are open source packages such as, the Linux operating system, JBoss Web Server, PostgreSQL, and Node.js.

Containerized versions of these packages are also available. However, you need to know where the packages originally came from, what versions are used, who built them, and whether there is any malicious code inside them.

Some questions to answer include:

  • Will what is inside the containers compromise your infrastructure?

  • Are there known vulnerabilities in the application layer?

  • Are the runtime and operating system layers current?

By building your containers from Red Hat Universal Base Images (UBI) you are assured of a foundation for your container images that consists of the same RPM-packaged software that is included in Red Hat Enterprise Linux. No subscriptions are required to either use or redistribute UBI images.

To assure ongoing security of the containers themselves, security scanning features, used directly from Fedora or added to OKD, can alert you when an image you are using has vulnerabilities. OpenSCAP image scanning is available in Fedora and the Red Hat Quay Container Security Operator can be added to check container images used in OKD.

Creating redistributable images with UBI

To create containerized applications, you typically start with a trusted base image that offers the components that are usually provided by the operating system. These include the libraries, utilities, and other features the application expects to see in the operating system’s file system.

Red Hat Universal Base Images (UBI) were created to encourage anyone building their own containers to start with one that is made entirely from Red Hat Enterprise Linux rpm packages and other content. These UBI images are updated regularly to keep up with security patches and free to use and redistribute with container images built to include your own software.

Search the Red Hat Ecosystem Catalog to both find and check the health of different UBI images. As someone creating secure container images, you might be interested in these two general types of UBI images:

  • UBI: There are standard UBI images for RHEL 7 and 8 (ubi7/ubi and ubi8/ubi), as well as minimal images based on those systems (ubi7/ubi-minimal and ubi8/ubi-mimimal). All of these images are preconfigured to point to free repositories of Fedora software that you can add to the container images you build, using standard yum and dnf commands. Red Hat encourages people to use these images on other distributions, such as Fedora and Ubuntu.

  • Red Hat Software Collections: Search the Red Hat Ecosystem Catalog for rhscl/ to find images created to use as base images for specific types of applications. For example, there are Apache httpd (rhscl/httpd-*), Python (rhscl/python-*), Ruby (rhscl/ruby-*), Node.js (rhscl/nodejs-*) and Perl (rhscl/perl-*) rhscl images.

Keep in mind that while UBI images are freely available and redistributable, Red Hat support for these images is only available through Red Hat product subscriptions.

See Using Red Hat Universal Base Images in the Red Hat Enterprise Linux documentation for information on how to use and build on standard, minimal and init UBI images.

Security scanning in Fedora

For Fedora systems, OpenSCAP scanning is available from the openscap-utils package. In Fedora, you can use the openscap-podman command to scan images for vulnerabilities. See Scanning containers and container images for vulnerabilities in the Red Hat Enterprise Linux documentation.

OKD enables you to leverage Fedora scanners with your CI/CD process. For example, you can integrate static code analysis tools that test for security flaws in your source code and software composition analysis tools that identify open source libraries to provide metadata on those libraries such as known vulnerabilities.

Scanning OpenShift images

For the container images that are running in OKD and are pulled from Red Hat Quay registries, you can use an Operator to list the vulnerabilities of those images. The Red Hat Quay Container Security Operator can be added to OKD to provide vulnerability reporting for images added to selected namespaces.

Container image scanning for Red Hat Quay is performed by the Clair security scanner. In Red Hat Quay, Clair can search for and report vulnerabilities in images built from Fedora, CentOS, Oracle, Alpine, Debian, and Ubuntu operating system software.

Integrating external scanning

OKD makes use of object annotations to extend functionality. External tools, such as vulnerability scanners, can annotate image objects with metadata to summarize results and control pod execution. This section describes the recognized format of this annotation so it can be reliably used in consoles to display useful data to users.

Image metadata

There are different types of image quality data, including package vulnerabilities and open source software (OSS) license compliance. Additionally, there may be more than one provider of this metadata. To that end, the following annotation format has been reserved:

  1. quality.images.openshift.io/<qualityType>.<providerId>: {}
Table 1. Annotation key format
ComponentDescriptionAcceptable values

qualityType

Metadata type

vulnerability
license
operations
policy

providerId

Provider ID string

openscap
redhatcatalog
redhatinsights
blackduck
jfrog

Example annotation keys

  1. quality.images.openshift.io/vulnerability.blackduck: {}
  2. quality.images.openshift.io/vulnerability.jfrog: {}
  3. quality.images.openshift.io/license.blackduck: {}
  4. quality.images.openshift.io/vulnerability.openscap: {}

The value of the image quality annotation is structured data that must adhere to the following format:

Table 2. Annotation value format
FieldRequired?DescriptionType

name

Yes

Provider display name

String

timestamp

Yes

Scan timestamp

String

description

No

Short description

String

reference

Yes

URL of information source or more details. Required so user may validate the data.

String

scannerVersion

No

Scanner version

String

compliant

No

Compliance pass or fail

Boolean

summary

No

Summary of issues found

List (see table below)

The summary field must adhere to the following format:

Table 3. Summary field value format
FieldDescriptionType

label

Display label for component (for example, “critical,” “important,” “moderate,” “low,” or “health”)

String

data

Data for this component (for example, count of vulnerabilities found or score)

String

severityIndex

Component index allowing for ordering and assigning graphical representation. The value is range 0..3 where 0 = low.

Integer

reference

URL of information source or more details. Optional.

String

Example annotation values

This example shows an OpenSCAP annotation for an image with vulnerability summary data and a compliance boolean:

OpenSCAP annotation

  1. {
  2. "name": "OpenSCAP",
  3. "description": "OpenSCAP vulnerability score",
  4. "timestamp": "2016-09-08T05:04:46Z",
  5. "reference": "https://www.open-scap.org/930492",
  6. "compliant": true,
  7. "scannerVersion": "1.2",
  8. "summary": [
  9. { "label": "critical", "data": "4", "severityIndex": 3, "reference": null },
  10. { "label": "important", "data": "12", "severityIndex": 2, "reference": null },
  11. { "label": "moderate", "data": "8", "severityIndex": 1, "reference": null },
  12. { "label": "low", "data": "26", "severityIndex": 0, "reference": null }
  13. ]
  14. }

This example shows the Container images section of the Red Hat Ecosystem Catalog annotation for an image with health index data with an external URL for additional details:

Red Hat Ecosystem Catalog annotation

  1. {
  2. "name": "Red Hat Ecosystem Catalog",
  3. "description": "Container health index",
  4. "timestamp": "2016-09-08T05:04:46Z",
  5. "reference": "https://access.redhat.com/errata/RHBA-2016:1566",
  6. "compliant": null,
  7. "scannerVersion": "1.2",
  8. "summary": [
  9. { "label": "Health index", "data": "B", "severityIndex": 1, "reference": null }
  10. ]
  11. }

Annotating image objects

While image stream objects are what an end user of OKD operates against, image objects are annotated with security metadata. Image objects are cluster-scoped, pointing to a single image that may be referenced by many image streams and tags.

Example annotate CLI command

Replace <image> with an image digest, for example sha256:401e359e0f45bfdcf004e258b72e253fd07fba8cc5c6f2ed4f4608fb119ecc2:

  1. $ oc annotate image <image> \
  2. quality.images.openshift.io/vulnerability.redhatcatalog='{ \
  3. "name": "Red Hat Ecosystem Catalog", \
  4. "description": "Container health index", \
  5. "timestamp": "2020-06-01T05:04:46Z", \
  6. "compliant": null, \
  7. "scannerVersion": "1.2", \
  8. "reference": "https://access.redhat.com/errata/RHBA-2020:2347", \
  9. "summary": "[ \
  10. { "label": "Health index", "data": "B", "severityIndex": 1, "reference": null } ]" }'

Controlling pod execution

Use the images.openshift.io/deny-execution image policy to programmatically control if an image can be run.

Example annotation

  1. annotations:
  2. images.openshift.io/deny-execution: true

Integration reference

In most cases, external tools such as vulnerability scanners develop a script or plugin that watches for image updates, performs scanning, and annotates the associated image object with the results. Typically this automation calls the OKD 4.12 REST APIs to write the annotation. See OKD REST APIs for general information on the REST APIs.

Example REST API call

The following example call using curl overrides the value of the annotation. Be sure to replace the values for <token>, <openshift_server>, <image_id>, and <image_annotation>.

Patch API call

  1. $ curl -X PATCH \
  2. -H "Authorization: Bearer <token>" \
  3. -H "Content-Type: application/merge-patch+json" \
  4. https://<openshift_server>:6443/apis/image.openshift.io/v1/images/<image_id> \
  5. --data '{ <image_annotation> }'

The following is an example of PATCH payload data:

Patch call data

  1. {
  2. "metadata": {
  3. "annotations": {
  4. "quality.images.openshift.io/vulnerability.redhatcatalog":
  5. "{ 'name': 'Red Hat Ecosystem Catalog', 'description': 'Container health index', 'timestamp': '2020-06-01T05:04:46Z', 'compliant': null, 'reference': 'https://access.redhat.com/errata/RHBA-2020:2347', 'summary': [{'label': 'Health index', 'data': '4', 'severityIndex': 1, 'reference': null}] }"
  6. }
  7. }
  8. }

Due to the complexity of this API call and challenges with escaping characters, an API developer tool such as Postman may assist in creating API calls.

Additional resources