Container Security

How to Automatically Scan Images Using OpenShift Image Streams

By Selvam Thangaraj

The capabilities enabled by OpenShift Image Streams are a welcome addition to the Red Hat OpenShift container platform. As more enterprises move container workloads into production, automating both the application management and the security tasks in their CI/CD pipeline becomes more critical. OpenShift Image Streams enable efficient image updates, isolation between projects, and vulnerability management. This adds to the many security features already built into the OpenShift platform, such as secrets management, RBAC, admission control and content trust. NeuVector continues to leverage, integrate with, and extend OpenShift security for applications that require ‘defense in depth.’

How Do OpenShift Image Streams Work?

An image stream is an OpenShift object that behaves like a docker repository with many more benefits than a simple docker registry: it is a named set of tags, each pointing (by digest) at an image that may live in the integrated registry or in an external one. Because it is a namespaced object, it provides isolation for the use of images between projects. A user who belongs to one project cannot access another project's image streams unless explicitly granted access through a role binding. This naturally prevents the wrong images from being used by different projects.

It is a central place to maintain images from multiple projects and supports referencing an external registry. Images from an external registry are imported manually the first time and can then be configured to be re-imported automatically on a schedule, so that an update to the upstream image is picked up without further user action. The trigger feature of OpenShift Image Streams notifies other objects, such as deployments, so they can act as soon as an update is detected on the image stream. CI/CD teams can take advantage of this to automate their build process and the deployment and update of images.

An image stream can hold multiple tags to maintain different versions of the image, and you can point a tag such as latest, stable or beta at a particular image stream tag and refer to it from other objects. Each tag also keeps a history: every image the tag has pointed to is retained as a separate generation, so rolling back to a previous version is easy.
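The manifests below are added here as an example of the pieces just described, expressed in OpenShift's own API; they are not taken from the original post or from NeuVector. The registry host `registry.example.com`, the project `project1` and the image name `myapp` are placeholders. The image stream imports the `1.2` tag from an external registry on a schedule, a `stable` tag aliases it, and a DeploymentConfig with an ImageChange trigger rolls out automatically whenever `stable` resolves to a new image.

```yaml
# Added example, not from the original article. Names and registry are placeholders.
apiVersion: image.openshift.io/v1
kind: ImageStream
metadata:
  name: myapp
  namespace: project1
spec:
  tags:
  # Tag imported from an external registry; scheduled: true makes OpenShift
  # re-import it periodically and record a new generation when it changes.
  - name: "1.2"
    from:
      kind: DockerImage
      name: registry.example.com/team/myapp:1.2
    importPolicy:
      scheduled: true
    referencePolicy:
      type: Source
  # Alias tag pointing at the imported tag; other objects reference this name.
  - name: stable
    from:
      kind: ImageStreamTag
      name: "myapp:1.2"
---
apiVersion: apps.openshift.io/v1
kind: DeploymentConfig
metadata:
  name: myapp
  namespace: project1
spec:
  replicas: 2
  selector:
    app: myapp
  triggers:
  - type: ConfigChange
  # ImageChange trigger: when myapp:stable resolves to a new image, the
  # container's image field is rewritten and a new rollout starts.
  - type: ImageChange
    imageChangeParams:
      automatic: true
      containerNames:
      - myapp
      from:
        kind: ImageStreamTag
        name: myapp:stable
        namespace: project1
  template:
    metadata:
      labels:
        app: myapp
    spec:
      containers:
      - name: myapp
        image: myapp:stable   # replaced by the resolved pull spec by the trigger
        ports:
        - containerPort: 8080
```

The same result can be reached from the command line with `oc import-image myapp:1.2 --from=registry.example.com/team/myapp:1.2 --confirm --scheduled=true`, `oc tag project1/myapp:1.2 project1/myapp:stable` and `oc set triggers dc/myapp --from-image=project1/myapp:stable -c myapp`; `oc describe is myapp` lists the retained generations of each tag. One caveat: with a scheduled import of a mutable upstream tag and `automatic: true`, whoever can push to that tag in the external registry can roll a new image into the cluster, so pair this pattern with scanning of every new generation and with admission control, or import by digest.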

Vulnerability Management for OpenShift Image Streams Using NeuVector

The NeuVector Container Security Platform leverages OpenShift Image Streams to provide automated vulnerability management for images deployed in the OpenShift container platform. NeuVector performs vulnerability scanning on a trigger basis, whenever an image stream is updated, and also as soon as new images are pushed to the image registry. This gives DevOps teams confidence in the security and compliance of images meant for container deployment in a production environment.

Auto Scanning Using OpenShift Image Streams

Image stream tags are automatically scanned using the image update trigger feature of OpenShift Image Streams whenever a new image stream is created or an image tag is added, updated or deleted. This applies to images from an external registry as well, because the image stream feature supports the scheduled import of images from an external registry, and each scheduled import that picks up a change produces a new generation to scan.

The underlying access control of the OpenShift container platform is also carried over to the NeuVector vulnerability management features, which apply the same RBAC to namespace users of the OpenShift Container Platform.

Integrated, Automated RBAC Security

The NeuVector container security platform is tightly integrated with the OpenShift container platform to provide the same level of security for container registry scanning. The OpenShift container platform limits user access to projects based on the projects and roles a user belongs to. The same access control is applied automatically when users view container image vulnerability scan results in NeuVector. For example, user1, who has access only to project1, can view image scan results only from project1: a namespace user sees only the scan results of images belonging to their own namespace (project).

Automated Vulnerability Alerts Via Webhooks

Users can configure a response rule in NeuVector to send a webhook when the scan of an image completes. The response rule can be given a matching criterion such as a vulnerability name or a threshold on the number of vulnerabilities found in the image. For example, configure a response rule to send a webhook when the CVE-2018-1000 vulnerability is found in the container image, or when the number of high or critical vulnerabilities found is 5 or more. To send a webhook for every scan, use the registry scan report event itself as the criterion.
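The following Python is an added example, not NeuVector's code, showing the rule logic described above applied on the receiving side: a scan report is evaluated against the three kinds of criteria from the paragraph (a named CVE, a count of high and critical findings of 5 or more, and every scan) and a webhook payload is built for the rules that fired. The report layout (`image`, `vulnerabilities` with `name` and `severity`) is a constructed shape for illustration and does not reproduce NeuVector's actual report or webhook schema; the CVE IDs of the form CVE-0000-NNNN are made up.

```python
"""Evaluate response-rule style criteria against an image scan report.

Added example, not NeuVector's code. The report schema below is constructed
for illustration and is not the real NeuVector webhook/report format.
"""
import json
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List

Predicate = Callable[[dict], bool]


@dataclass
class Rule:
    name: str        # rule name reported in the webhook payload
    matches: Predicate


def has_cve(cve_id: str) -> Predicate:
    """Fires when a vulnerability with exactly this CVE name is present."""
    wanted = cve_id.upper()
    return lambda report: any(
        v["name"].upper() == wanted for v in report["vulnerabilities"])


def severity_count_at_least(n: int, severities=("high", "critical")) -> Predicate:
    """Fires when at least n findings have one of the given severities."""
    wanted = {s.lower() for s in severities}
    return lambda report: sum(
        1 for v in report["vulnerabilities"]
        if v["severity"].lower() in wanted) >= n


def every_scan() -> Predicate:
    """Fires on every registry scan report, regardless of findings."""
    return lambda report: True


# The three rule types from the article, in evaluation order.
RULES: List[Rule] = [
    Rule("cve-2018-1000-present", has_cve("CVE-2018-1000")),
    Rule("five-or-more-high-critical", severity_count_at_least(5)),
    Rule("registry-scan-report", every_scan()),
]


def evaluate(report: dict, rules: List[Rule] = RULES) -> List[str]:
    """Return the names of all rules whose criteria the report satisfies."""
    return [r.name for r in rules if r.matches(report)]


def build_webhook(report: dict, rules: List[Rule] = RULES) -> dict:
    """Build the JSON-serialisable body a webhook receiver would be sent."""
    fired = evaluate(report, rules)
    counts = Counter(v["severity"].lower() for v in report["vulnerabilities"])
    return {
        "image": report["image"],
        "rules_fired": fired,
        "severity_counts": dict(counts),
        "total_vulnerabilities": len(report["vulnerabilities"]),
        "block_deployment": any(r != "registry-scan-report" for r in fired),
    }


# Constructed sample: 3 high + 2 critical findings, including the CVE named
# in the article. CVE-0000-NNNN identifiers are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "image": "registry.example.com/team/myapp:1.2",
    "vulnerabilities": [
        {"name": "CVE-2018-1000", "severity": "High"},
        {"name": "CVE-0000-0001", "severity": "Critical"},
        {"name": "CVE-0000-0002", "severity": "High"},
        {"name": "CVE-0000-0003", "severity": "high"},
        {"name": "CVE-0000-0004", "severity": "Medium"},
        {"name": "CVE-0000-0005", "severity": "critical"},
        {"name": "CVE-0000-0006", "severity": "Low"},
    ],
}

# Constructed clean report: only the every-scan rule should fire.
CLEAN_REPORT = {"image": "registry.example.com/team/base:1.0",
                "vulnerabilities": []}

if __name__ == "__main__":
    print(json.dumps(build_webhook(SAMPLE_REPORT), indent=2))
    print(json.dumps(build_webhook(CLEAN_REPORT), indent=2))
```

The severity strings are normalised to lower case before comparison so that a report emitting `High` and one emitting `high` are treated the same; a receiver that gates a pipeline on `block_deployment` should treat an unparseable report as a failure rather than as clean.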

OpenShift Security with NeuVector for Defense in Depth

The Red Hat OpenShift container platform provides many of the core features for automating and securing the CI/CD pipeline. Combined with the NeuVector container security platform, enterprises requiring defense in depth gain complementary vulnerability management as well as strong run-time security that detects and blocks zero-day attacks and exploits of vulnerabilities a scanner cannot yet know about. The network visibility and protection provided by the NeuVector Layer 7 container firewall lets enterprises detect the most damaging security events in the ‘kill chain’ of an attack.

About the Author

Selvam Thangaraj

Selvam is a Staff Engineer at NeuVector.