Overview of the Deploy stage
The Deploy stage is the fourth stage of the Containers Secure Supply Chain (CSSC) framework. Enterprises might deploy container images to their hosting environment to run containerized workloads without validating the security and compliance of those container images. This increases the potential security risks or may result in running vulnerable or malicious code in the hosting environment. The container image metadata and attestations produced in previous stages should be validated at deployment time. This ensures that the deployment complies with enterprise-wide security and compliance policies.
Microsoft’s Containers Secure Supply Chain (CSSC) framework identifies the need for deployment of images in a compliant manner. The CSSC framework recommends a set of standard practices and tools to help you securely deploy images by validating the image metadata and implementing compliance policy. In this article, you’ll learn about the objectives, standard practices, and tools that you can use in the Deploy stage of the CSSC framework.
Background
Enterprises may deploy container images directly from external or internal registries without verifying that the container images are free from vulnerabilities and are approved for use. Deploying untrusted and non-compliant container images to the hosting environment increases the potential security risks or executing malware or vulnerable code in the hosting environment.
The CSSC framework practices helps to ensure that deployment-ready container images are from trusted registries, free of vulnerabilities and malware, and assure authenticity and integrity. Many enterprises are implementing policies to verify the SBOM and signatures of the container images before deploying them to Kubernetes, and continuously scanning container images to validate scanning reports.
In the Deploy stage, we focus on securing container image and deployment environment. Deployments use container image signature, lifecycle metadata, vulnerability and malware reports, SBOM, and provenance data generated from the Build stage for verification purposes to ensure that container images are trusted and compliant before deploying them to the hosting environment.
Workflow for deploying container images
The Deploy stage has a workflow in place to deploy container image across hundreds or thousands of clusters around the world. Deployments can happen dynamically and on demand. Once the container images are built, verified, and signed, the CSSC framework promotes the container images and the relevant artifacts are available to distribute across registries for the Deploy stage.
- Implement Image integrity policy to verify image signatures before deployment to ensure they haven't been tampered with and come from trusted publishers.
- Implement Vulnerability scanning policy to scan container images for vulnerabilities, setting thresholds based on severity levels (CRITICAL, HIGH, MEDIUM, LOW), and deploy only compliant images.
- Implement License compliance policy to enforce restrictions on deploying container images with undesired licenses.
- Implement Provenance policy to verify that container images come from trusted sources and repositories before deployment.
- Implement Image lifecycle policy to ensure deployed images are within support and valid, restricting deployment of end-of-life and end-of-support images.
- Generate and sign vulnerability and malware reports for each image to prevent tampering and secure their integrity.
- Attach the signed reports to container images for visibility and compliance validation during deployment.
- Verify container image metadata, including SBOMs, image signatures, vulnerability reports, lifecycle metadata, and provenance data.
- Implement admission control mechanisms to enforce deployment policies and restrict the deployment of non-compliant container images.
- Automate deployment processes with CI/CD pipelines, integrating image validation and verification checks.
- Continuously monitor deployed images and enforce compliance for detecting new vulnerabilities, compliance deviations, and take remediation actions as needed.
- Log deployment activities and conduct regular audits to ensure adherence to security and compliance standards.
- Implement automated or manual remediation procedures to address security incidents or compliance deviations.
- Document the deployment process, including steps taken, tools used, and any security measures implemented, for future reference and auditing purposes.
Recommended practices
Microsoft recommends validating image metadata at deployment time, and only deploying container images from trusted registries. The following practices are recommended for securing your cloud native workloads.
- Enforce deployment policies that verify metadata and restrict non-compliant container images. This prevents unapproved images from being deployed.
- Enforce deployment policies that validate image signatures before deploying images. This ensures that images used for deployment are from a trusted publisher and have not been tampered with.
- Enforce deployment policies based on vulnerability score. This prevents deploying images with vulnerabilities above a certain threshold (CRITICAL, HIGH, MEDIUM, LOW).
- Enforce deployment policies that verify lifecycle information in order to ensure that end-of-support images will not used in deployment.
- Ensure the deployment environment and platform have secure network connectivity.
- Require strict authentication, access control, and file permissions to deny unauthorized access to the deployment platform. This avoids potential leaked credentials or unauthorized changes.
- Automate the verification process in CI/CD pipeline.
Security goals in the Deploy stage
Having a well-defined workflow for the deployment of images helps enterprises increase their security and reduce the attack surface on their supply chain for containers. The Deploy stage of the CSSC framework is intended to satisfy the following security goals.
Deploy images from trusted and compliant sources
Security policies should be implemented during the Deploy stage to verify that container images are from trusted sources and are not tampered with. Integrity and authenticity can be validated by verifying the container images signatures before deployment.
Implement admission control security policies
Security policies should be implemented during the Deploy stage to verify that container images are compliant. This is achieved by verifying the container images against the following security metadata: vulnerability and malware reports,image signature, SBOMs, image lifecycle metadata, and provenance metadata.
Recommended tools
Tools and services for validating image metadata and enforce validation policy
Ratify is an open-source project that enables Kubernetes clusters to verify security metadata prior to deployment and only admit images that comply with an admission policy. We recommend configuring Ratify and Gatekeeper to allow only trusted and compliant container images to run on your Kubernetes clusters.
Gatekeeper is an open-source and CNCF project that provides a dynamic admission controller and a policy engine to define, enforce, and audit policies on Kubernetes clusters in a standardized manner.
Azure Policy extends Gatekeeper to allow built-in policies to be applied across your Azure Kubernetes Service clusters to audit or block deployments referencing container images from external registries or untrusted sources.
Tools for attaching image metadata
ORAS is a CNCF project that provides a way to store and manage artifacts in OCI-compliant registries. ORAS enables you to store and manage any type of artifact, including container images, image metadata, and more, in an OCI compliant registry. It also provides a set of command-line tools that make it easy to interact with OCI-compliant registries. We recommend using ORAS to push the generated vulnerability and malware reports, SBOM, image lifecycle metadata, and provenance metadata along side with the associated image to the registry.
Tools for signing and verifying container images and metadata
The Notary Project is an open-source project that contains a set of specifications and tools intended to provide cross-industry standards for securing software supply chains through signing and verification, signature portability, and key/certificate management. Notation is a supply chain tool developed by the Notary Project community that supports signing and verifying artifacts in Open Container Initiative (OCI) compliant registries enabling signature portability and interoperability. It also provides integration with third-party key management solutions through a plugin model, enabling extensibility. We recommend using Notary Project tooling to sign container images and metadata to ensure authenticity and non-tampering.
Next steps
See overview of the Run stage to securely deploy container images.