Add info
Some checks failed
Gitea Actions Demo Training / Explore-Gitea-Actions (push) Failing after 0s
Some checks failed
Gitea Actions Demo Training / Explore-Gitea-Actions (push) Failing after 0s
This commit is contained in:
@@ -9,3 +9,6 @@
|
||||
- 👷🏼♂️ Devops/Gitops/Cloud/Container/Cluster/Linux engineer (Pick one)
|
||||
|
||||
- 🎯 Passion: Secure K8S clusters (air-gapped) running secure containers
|
||||
|
||||
|
||||
Disclaimer: The tools and applications shown in this presentation often have many alternatives that are equally good. The same applies to the opinion of the presenter.
|
||||
|
||||
@@ -13,11 +13,9 @@ Read them and store them.... (Create them if you have to)
|
||||
|
||||
---
|
||||
|
||||
## SBOMs help, they do
|
||||
## Know what you deploy
|
||||
|
||||
Imagine that you download and run a Python application in your cluster do you know which software components are present in the image? And which CVE's are present?
|
||||
|
||||
It does make a difference how the image was build. Which one do you prefer and why given the following `Dockerfile``:
|
||||
Imagine that you download and run a Python application in your cluster. Which one do you prefer and why given the following `Dockerfile``:
|
||||
|
||||
```bash
|
||||
FROM python:latest
|
||||
@@ -35,8 +33,85 @@ COPY worker.py /
|
||||
CMD ["python", "worker.py"]
|
||||
```
|
||||
|
||||
And why?
|
||||
|
||||
---
|
||||
|
||||
## The only difference is the base image
|
||||
|
||||
- But the end result is quite different:
|
||||
|
||||
| Base image | Image size | CVE's |
|
||||
|---|---|---|
|
||||
| python:latest | 888 Mb | 1114 |
|
||||
| python:alpine | 73,5 Mb | 3 |
|
||||
|
||||
(Scanning was done with `grype` and since the writing of this presentation the numbers have increased)
|
||||
|
||||
How often do you want to scan your images?
|
||||
|
||||
---
|
||||
<!--
|
||||
## The 'full' python image has even `gcc` included....
|
||||
|
||||
```bash
|
||||
docker run --rm --entrypoint gcc -it python-latest:latest
|
||||
gcc: fatal error: no input files
|
||||
compilation terminated.
|
||||
```
|
||||
|
||||
```bash
|
||||
docker run --rm --entrypoint gcc python-alpine:latest
|
||||
docker: Error response from daemon: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: exec: "gcc": executable file not found in $PATH: unknown.
|
||||
```
|
||||
|
||||
---
|
||||
--->
|
||||
## Providing information about software components
|
||||
|
||||
More and more organisations want to know which software components they are about to deploy in a well know format. Executive Order 14028 on Improving the Nation's Cybersecurity does the same.
|
||||
|
||||
This format is known as `SBOM` with already several versions.
|
||||
|
||||
Most often this is a JSON formatted file, a snippet looks like:
|
||||
|
||||
```json
|
||||
"artifacts": [
|
||||
{
|
||||
"id": "60671fb38be80921",
|
||||
"name": "Simple Launcher Executable",
|
||||
"version": "1.1.0.14",
|
||||
"type": "dotnet",
|
||||
"foundBy": "dotnet-portable-executable-cataloger",
|
||||
"locations": [
|
||||
{
|
||||
"path": "/usr/local/lib/python3.11/site-packages/pip/_vendor/distlib/t32.exe",
|
||||
"layerID": "sha256:cd9f081b2669b644feeada02c0071c964673c221b6e44a42c44581d28ca18e2a"
|
||||
}
|
||||
],
|
||||
"licenses": [],
|
||||
"language": "",
|
||||
"cpes": [
|
||||
"cpe:2.3:a:Simple_Launcher_Executable:Simple_Launcher_Executable:1.1.0.14:*:*:*:*:*:*:*"
|
||||
],
|
||||
"purl": "pkg:nuget/Simple%20Launcher%20Executable@1.1.0.14",
|
||||
"metadataType": "DotnetPortableExecutableMetadata",
|
||||
"metadata": {
|
||||
"assemblyVersion": "",
|
||||
"legalCopyright": "Copyright (C) Simple Launcher User",
|
||||
"internalName": "t32.exe",
|
||||
"companyName": "Simple Launcher User",
|
||||
"productName": "Simple Launcher",
|
||||
"productVersion": "1.1.0.14"
|
||||
}
|
||||
},
|
||||
```
|
||||
|
||||
|
||||
## Foreknowledge of CVE's
|
||||
|
||||
Knowing upfront which CVE's will be deployed
|
||||
|
||||
## Deployment prevention
|
||||
|
||||
Inspecting SBOM's is best done before deploying containers and friends. Prevention is always best.
|
||||
|
||||
Reference in New Issue
Block a user