The container images must be hardened, scanned, and signed to satisfy security minimums for production deployments (e.g., Docker, Kubernetes).
The popular approach to hardening seems to be switching to a source image that is comparatively free of CVEs, and that seems like the only sensible approach.
Our current images are sourcing the Red Hat Universal Base Image (UBI) minimal variant, which reportedly has about 2/3 as many CVEs as a comparable Debian image, so we're not in the worst possible condition. Using the UBI is a prerequisite for OpenShift certification. So, if we decide to pursue that certification and have switched away from the UBI, we'd have to create a parallel UBI-based image build or switch back to the UBI.
Alternative images billed as "hardened" include Chainguard's, USAF's Iron Bank, and Canonical's Chiselled.
Resources:
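For reference, here is an added example of what a hardened build on the current UBI minimal base looks like; it is not this project's Dockerfile, and the application binary name `app` and its copy path are assumptions for illustration:

```dockerfile
# Added example, not the project's own Dockerfile.
# Pin this to a digest (ubi-minimal@sha256:...) in a real build so the
# scanned and signed image is the one that gets deployed.
FROM registry.access.redhat.com/ubi9/ubi-minimal:latest

# Apply Red Hat's published fixes so the image does not carry CVEs the
# base has already patched, then drop the package cache to keep the
# layer small and free of stale metadata.
RUN microdnf update -y \
 && microdnf clean all

# Run as an unprivileged UID in the root group. OpenShift's restricted
# SCC assigns an arbitrary UID with GID 0, so group-owned files keep the
# image runnable there without changes.
WORKDIR /app
COPY --chown=1001:0 app /app/app   # "app" is an assumed binary name
USER 1001

ENTRYPOINT ["/app/app"]
```

The "scanned and signed" half of the requirement is tooling outside the Dockerfile; assuming Trivy and cosign (the issue names neither), `trivy image <tag>` after the build and `cosign sign <tag>` before push cover it, and the same scan run against the candidate base images above gives a like-for-like CVE count to compare with the UBI minimal numbers quoted here.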