A Secure Supply Chain for Kubernetes

Jenny Fong

Feb 28 2018

The beta release of the Docker Enterprise Edition (Docker EE) container platform last month integrates Kubernetes orchestration, running alongside Swarm, to provide a single container platform that supports both legacy and new applications running on-premises or in the cloud. For organizations that are exploring Kubernetes or deploying it in production, Docker EE offers integrated security for the entire lifecycle of a containerized application, providing an additional layer of security before the workload is deployed by Kubernetes and continuing to secure the application while it is running.

Mike Coleman previously discussed access controls for Kubernetes. This week we’ll begin discussing how Docker EE secures the Kubernetes supply chain.

What is a Software Supply Chain?

When you purchase something from a retail store, there is an entire supply chain that gets the product from raw materials to the manufacturer to you. Similarly, there is a software supply chain that takes an application from code on a developer’s laptop to production.

Every company’s software supply chain is slightly different: some outsource software development, some have adopted Continuous Integration and Continuous Delivery processes, and some deploy production applications across multiple clouds or on-premises. Whatever the supply chain consists of, Docker EE provides a set of solutions that integrate with your existing workflows while ensuring that applications remain secure, trusted and safe through all of these steps, using both Kubernetes and Swarm.

In this week’s blog, we’ll take a closer look at one part of this solution – image scanning and policy-based image promotions.

Secure Automation of Workflows for Kubernetes

Before an application is deployed in production, organizations typically want to know that it does not contain known vulnerabilities, which most often come from outdated or unpatched software components. It is also difficult for large organizations to keep a full inventory of every running application that may be affected by a newly disclosed vulnerability.

Docker EE provides image security scanning to help organizations both identify vulnerabilities before applications are deployed to production and alert you when newly published vulnerabilities affect images already in use. The scanner performs a binary-level scan of each image and matches what it finds against the NIST National Vulnerability Database (NVD) of known CVEs. Each layer of an image is scanned individually, so a finding can be traced to the layer that introduced it, whether that is the base image or an application layer. A scan can only report vulnerabilities that are in the database at the time it runs, which is why re-scanning existing images when the database is updated matters as much as scanning on push.

Docker EE also has the ability to define policies to automate the movement of images between repositories. These image promotion policies can be combined with the results of security scanning to create a secure, automated workflow for images moving to production.

For example, a developer working on a new Kubernetes project has push and pull access to the ‘dev’ repository. The repository is configured to scan every image automatically when it is pushed. When the developer is ready to move an image toward production, they apply an agreed tag such as “latest” to it. The repository also carries an image promotion policy stating that an image with the “latest” tag and no critical vulnerabilities in its scan results is automatically copied, or promoted, to the ‘QA’ repository.

In this example only the QA team has access to the QA repository, limiting access to those who require it. The policy also makes developers responsible for fixing critical vulnerabilities before an image reaches the QA team: an image that fails the check simply stays in ‘dev’.
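Added here as an illustration, not code from the original post or from Docker EE: a small promotion gate in Python that applies the policy just described (trigger tag present, no finding above a severity threshold) to a scan report. The report structure, the repository names dev/web and qa/web, the layer digests and the CVE-EXAMPLE-* identifiers are all constructed for the example; Docker EE evaluates its promotion policies inside the registry rather than through code like this. Two details the prose leaves implicit are made explicit: the gate refuses an image whose scan has not finished, and it records the promoted image by digest as well as by tag, because a tag like “latest” is mutable and can be re-pointed by a later push.

```python
# Added example (not Docker EE / DTR code): a promotion gate that applies a
# tag-plus-scan-result policy to a scan report. Report shape, repository
# names, digests and CVE-EXAMPLE-* ids are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Optional

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass(frozen=True)
class Finding:
    cve: str
    component: str
    severity: str
    layer: str          # digest of the layer that introduced the vulnerable file


@dataclass
class ScanReport:
    repo: str
    image_digest: str   # manifest digest of the scanned image
    tags: List[str]     # tags pointing at that digest when the scan ran
    scan_complete: bool
    findings: List[Finding]


@dataclass
class Policy:
    source_repo: str
    target_repo: str
    trigger_tag: str    # tag that requests promotion, e.g. "latest"
    max_severity: str   # highest severity still allowed through, e.g. "HIGH"


@dataclass
class Decision:
    promote: bool
    reason: str
    target_ref: Optional[str] = None


def findings_by_layer(report: ScanReport) -> Dict[str, List[str]]:
    """Group CVE ids by layer, so a developer can tell whether the fix is a
    newer base image or a patch to their own application layer."""
    grouped: Dict[str, List[str]] = {}
    for f in report.findings:
        grouped.setdefault(f.layer, []).append(f.cve)
    return grouped


def blocking_findings(report: ScanReport, policy: Policy) -> List[Finding]:
    """Findings whose severity is above the policy's allowed maximum."""
    limit = SEVERITY_RANK[policy.max_severity]
    return [f for f in report.findings if SEVERITY_RANK[f.severity] > limit]


def evaluate(report: ScanReport, policy: Policy) -> Decision:
    """Decide whether the scanned image may be copied into the target repository."""
    if report.repo != policy.source_repo:
        return Decision(False, f"policy does not apply to {report.repo}")
    if policy.trigger_tag not in report.tags:
        return Decision(False, f"tag {policy.trigger_tag!r} not present; nothing to promote")
    # Fail closed: an image whose scan has not finished is unverified, otherwise
    # a push could race the scanner and be promoted unexamined.
    if not report.scan_complete:
        return Decision(False, "scan not complete; refusing to promote an unscanned image")
    blocking = blocking_findings(report, policy)
    if blocking:
        worst = max(blocking, key=lambda f: SEVERITY_RANK[f.severity])
        return Decision(
            False,
            f"{len(blocking)} finding(s) above {policy.max_severity}: "
            f"{worst.cve} ({worst.severity}) in {worst.component}, layer {worst.layer}",
        )
    # Promote by digest as well as tag: tags are mutable, so a later push to
    # the source repo that re-points "latest" must not change what QA pulls.
    ref = f"{policy.target_repo}:{policy.trigger_tag}@{report.image_digest}"
    return Decision(True, "no findings above policy threshold", ref)


# Constructed sample data (not real scan output): two layers, one finding each.
BASE_LAYER = "sha256:" + "a1" * 32
APP_LAYER = "sha256:" + "b2" * 32
IMAGE_DIGEST = "sha256:" + "c3" * 32
FIXED_DIGEST = "sha256:" + "d4" * 32

POLICY = Policy(source_repo="dev/web", target_repo="qa/web",
                trigger_tag="latest", max_severity="HIGH")

DEV_REPORT = ScanReport(
    repo="dev/web", image_digest=IMAGE_DIGEST, tags=["latest", "build-41"],
    scan_complete=True,
    findings=[
        Finding("CVE-EXAMPLE-0001", "libexample", "HIGH", BASE_LAYER),
        Finding("CVE-EXAMPLE-0002", "example-app", "CRITICAL", APP_LAYER),
    ],
)

# Same project after the developer patched example-app: only the HIGH remains.
FIXED_REPORT = ScanReport(
    repo="dev/web", image_digest=FIXED_DIGEST, tags=["latest", "build-42"],
    scan_complete=True,
    findings=[Finding("CVE-EXAMPLE-0001", "libexample", "HIGH", BASE_LAYER)],
)

if __name__ == "__main__":
    for r in (DEV_REPORT, FIXED_REPORT):
        d = evaluate(r, POLICY)
        print(f"{r.repo}@{r.image_digest[:19]}: promote={d.promote} ({d.reason})")
        if d.promote:
            print("  copy to", d.target_ref)
```

Running the block rejects build-41 because of the CRITICAL finding in the application layer and promotes build-42, whose only remaining finding is at the allowed HIGH level. The threshold is a policy knob: setting max_severity to "MEDIUM" would block build-42 as well until the base image is updated.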

By combining these Docker EE capabilities, organizations can:

  • Automate the movement of images between repositories at scale
  • Enforce security scanning practices at certain stages of development
  • Prevent applications with known vulnerabilities from being deployed in production
  • Limit access to sensitive repositories (such as ‘production’) to those who require it, while removing manual bottlenecks by defining appropriate promotion policies

These are all critical workflows that happen before the application is deployed in production with Kubernetes. With Docker EE you get the only container platform with integrated security across the entire supply chain. For more information about Docker’s Secure Supply Chain for Kubernetes, watch the on-demand video that accompanies this post.

2 thoughts on “A Secure Supply Chain for Kubernetes”

  1. Hi Jenny,

    Thanks for sharing those Docker EE capabilities and its contribution to a secure supply chain. Really interesting! Keep up the good work! Docker is awesome!
    Kind regards. Feisal Lam-Lion

  2. While I agree with the prior article's idea of adding RBAC to K8s using Docker EE, the idea presented in this post of automating the K8s supply chain by the promotion of images based on tagging needs further work and reconsideration.

    Most project QA is focused on stabilizing release candidates which have already passed more rigorous testing and verification than the "dev" images pushed up on a daily basis from the pipelines. While the idea of automated security scanning sounds terrific in principle, the reality is such scanning seldom detects security issues with enough accuracy (because of the poor or inadequate 'signature' in-house databases most organizations use) to be of much value as protection.

    I haven't pulled up and read all the docs on this new feature yet, but after several years of security testing experience, there's no substitute for 'building security in', which means adding security considerations to the design and development phases, and not bolting it on (or checking for the bolts) at the delivery end of the pipeline.