Securing images in Kubernetes

You can deploy many different kinds of pods hosting different kinds of applications: web apps, databases, a Redis cache, and so on.

apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
  labels:
    type: nginx-server

spec:
  containers:
    - name: nginx-container
      image: nginx

image: nginx is actually docker.io/nginx/nginx

image: docker.io (registry) / nginx (user/account) / nginx (image/repository)

If you created an account on Docker Hub yourself, the name of that user account is the first part. If you do not provide an account name, it is assumed to be the same as the repository name, which in this case is nginx. If you create your own account and your own repositories or images under it, you use the same pattern. Now, where are these images stored and pulled from? If you have not specified the location the images are to be pulled from, it is assumed to be Docker's default registry (Docker Hub).

For a private repository

When you have applications built in-house that shouldn't be made available to the public, hosting an internal private registry may be a good solution.

AWS, Azure, or GCP provide a private Registry for your cloud account by default.

If you choose to use a private repository, you need a set of credentials to access it. From a Docker perspective, to run a container using a private image you first log in to your private registry:

$ docker login private-registry.io
Username:
Password: 
$ docker run private-registry.io/apps/my-app

and then run the application using the image from the private registry. In a pod definition, the image is referenced by its full name:

apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
  labels:
    type: nginx-server

spec:
  containers:
    - name: nginx-container
      image: private-registry.io/apps/my-app

How do we implement the authentication login?

  • How does Kubernetes get the credentials to access the private registry?
  • In Kubernetes, the images are pulled and run by the Docker runtime on the worker node.

We need a secret object with the credentials in it.

$ kubectl create secret docker-registry docker-credential --docker-server=private-registry.io --docker-username=user --docker-password=password --docker-email=email
secret/docker-credential created

The secret is of type docker-registry and is named docker-credential. docker-registry is a built-in secret type created for storing Docker credentials.

Then reference the secret in the pod definition file under imagePullSecrets:

apiVersion: v1
kind: Pod
metadata:
  name: sample-pod
  labels:
    type: nginx-server

spec:
  containers:
    - name: nginx-container
      image: private-registry.io/apps/my-app
  imagePullSecrets:
    - name: docker-credential
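As an added example (not code from the original post), the following Python script ties the two parts of the page together: it resolves which registry an image reference will be pulled from, builds the same kubernetes.io/dockerconfigjson Secret that the kubectl create secret docker-registry command above produces, and then checks a pod manifest for private images that no referenced imagePullSecret covers. The server, user, password and e-mail values are constructed placeholders, and the set of "public" registries that need no credentials (just docker.io here) is an assumption of the example.

```python
import base64
import json

# Constructed sample values for this example (not real credentials or hosts).
SAMPLE_SERVER = "private-registry.io"
SAMPLE_USER = "user"
SAMPLE_PASSWORD = "password"
SAMPLE_EMAIL = "user@example.com"


def registry_of(image: str) -> str:
    """Registry an image reference resolves to.

    Follows Docker's reference rules: the first path segment is a registry
    host only when it contains '.' or ':' or equals 'localhost'; otherwise
    the reference is relative to the default registry, docker.io.
    """
    if "/" not in image:
        return "docker.io"
    first = image.split("/", 1)[0]
    if "." in first or ":" in first or first == "localhost":
        return first
    return "docker.io"


def _normalize_server(server: str) -> str:
    """Reduce a registry URL as stored in .dockerconfigjson to a bare host.

    Docker Hub credentials are stored under 'https://index.docker.io/v1/',
    which is mapped to 'docker.io' so it matches registry_of()."""
    host = server.split("://", 1)[-1].split("/", 1)[0]
    return "docker.io" if host == "index.docker.io" else host


def docker_config_json(server, username, password, email):
    """The .dockerconfigjson document that `kubectl create secret docker-registry`
    writes: one entry per server, with base64('user:password') in 'auth'."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"auths": {server: {"username": username, "password": password,
                               "email": email, "auth": auth}}}


def docker_registry_secret(name, server, username, password, email):
    """Secret manifest equivalent to the kubectl command shown on the page."""
    cfg = json.dumps(docker_config_json(server, username, password, email))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def registries_covered(secret):
    """Set of registry hosts a dockerconfigjson Secret holds credentials for."""
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    return {_normalize_server(s) for s in json.loads(raw)["auths"]}


def check_pull_secrets(pod, secrets_by_name, public_registries=frozenset({"docker.io"})):
    """Return the images of `pod` that live on a non-public registry for which
    none of the Secrets named in spec.imagePullSecrets carries credentials.

    An empty list means every private image has a matching pull secret.
    `public_registries` (registries needing no credentials) is an assumption
    of this example, not a Kubernetes setting."""
    covered = set()
    for ref in pod["spec"].get("imagePullSecrets", []):
        secret = secrets_by_name.get(ref["name"])
        if secret is not None:  # a referenced but missing Secret covers nothing
            covered |= registries_covered(secret)
    missing = []
    for c in pod["spec"].get("containers", []) + pod["spec"].get("initContainers", []):
        reg = registry_of(c["image"])
        if reg not in public_registries and reg not in covered:
            missing.append(c["image"])
    return missing


# Constructed sample objects mirroring the manifests on the page.
SECRET = docker_registry_secret("docker-credential", SAMPLE_SERVER,
                                SAMPLE_USER, SAMPLE_PASSWORD, SAMPLE_EMAIL)

POD_WITHOUT_SECRET = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "sample-pod"},
    "spec": {"containers": [{"name": "nginx-container",
                             "image": "private-registry.io/apps/my-app"}]},
}

POD_WITH_SECRET = {
    **POD_WITHOUT_SECRET,
    "spec": {**POD_WITHOUT_SECRET["spec"],
             "imagePullSecrets": [{"name": "docker-credential"}]},
}

if __name__ == "__main__":
    secrets = {"docker-credential": SECRET}
    print("uncovered:", check_pull_secrets(POD_WITHOUT_SECRET, secrets))
    print("uncovered:", check_pull_secrets(POD_WITH_SECRET, secrets))
```

The check deliberately treats a pull secret that is referenced but does not exist as covering nothing, which is exactly the failure a kubelet reports as an ImagePullBackOff: the pod definition looks right, but the node has no usable credentials for that registry.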

https://jamesdefabia.github.io/docs/user-guide/kubectl/kubectl_create_secret_docker-registry/

ANOTE.DEV