# Collabothon 2023 # Container Image Hardening ## Squad: `Cybertron` ## Why cryptographic signing? * Compromised site where packages are hosted * Tampering after being published * Preventing Man-in-the-middle attacks * Typosquatting packages with similar names  ## Workflow 1. Developers create a Container Image 2. Upload the image to a Container Image registry (Private/Public) 3. Developers sing the Image 4. Run the signed Image on Kubernetes Cluster (GKE/RedHat OpenShift/K8S) ## GKE Cluster design  ---  Signed image  ## Demo Time ### Running an Unsigned container Image in an Armored GKE namespace ```yaml! apiVersion: apps/v1 kind: Deployment metadata: name: cybertron-app namespace: cybertron-armored spec: replicas: 1 selector: matchLabels: app: cybertron-app template: metadata: labels: app: cybertron-app spec: containers: - name: cybertron-app image: docker.io/fbozakov/cybertron-collabothon-unsigned:latest imagePullPolicy: Always ports: - containerPort: 80 ``` ```bash! kubectl apply -f deployment-unarmored-image-in-armored-ns.yaml ``` ### Deploy Hello World App in an Armored GKE namespace ```yaml! apiVersion: apps/v1 kind: Deployment metadata: name: hello-world namespace: cybertron-armored spec: replicas: 1 selector: matchLabels: app: hello-world template: metadata: labels: app: hello-world spec: containers: - name: hello-world image: docker.io/kirchev/hello-world:v1 imagePullPolicy: Always ports: - containerPort: 80 ``` ```bash! kubectl apply -f deployment-armored-hello-world-app.yaml ``` ### Running a signed Image in an Unarmored GKE namespace ```yaml! apiVersion: apps/v1 kind: Deployment metadata: name: cybertron-app namespace: cybertron-unarmored spec: replicas: 1 selector: matchLabels: app: cybertron-app template: metadata: labels: app: cybertron-app spec: containers: - name: cybertron-app image: docker.io/fbozakov/cybertron-collabothon-signed:latest imagePullPolicy: Always ports: - containerPort: 80 ``` ```bash! kubectl apply -f deployment-armored-image-in-unarmored-ns.yaml ``` # Sources ## Sorce code https://github.com/darthks/collabothon-2023-cybertron ## Docker registires https://hub.docker.com/u/fbozakov https://hub.docker.com/r/kirchev/hello-world