If something happens during the build process, or if a vulnerability is discovered after an image has been deployed, you can use tooling for automated, policy-based deployment. You can use triggers to rebuild and replace images instead of patching running containers, which is not recommended.
For example, you build an application using three container image layers: core, middleware, and applications. An issue is discovered in the core image and that image is rebuilt. After the build is complete, the image is pushed to the OpenShift Container Registry. OKD detects that the image has changed and automatically rebuilds and deploys the application image, based on the defined triggers. This change incorporates the fixed libraries and ensures that the production code is identical to the most current image.
The oc set triggers
command can be used to set a deployment trigger for a
deployment configuration. For example, to set an ImageChangeTrigger
in a
deployment configuration called frontend
:
$ oc set triggers dc/frontend \ --from-image=myproject/origin-ruby-sample:latest \ -c helloworld
It is important that the intended images are actually being deployed, that they are from trusted sources, and they have not been altered. Cryptographic signing provides this assurance. OKD enables cluster administrators to apply security policy that is broad or narrow, reflecting deployment environment and security requirements. Two parameters define this policy:
one or more registries (with optional project namespace)
trust type (accept, reject, or require public key(s))
With these policy parameters, registries or parts of registries, even individual images, may be whitelisted (accept), blacklisted (reject), or define a trust relationship using trusted public key(s) to ensure the source is cryptographically verified. The policy rules apply to nodes. Policy may be applied uniformly across all nodes or targeted for different node workloads (for example, build, zone, or environment).
{ "default": [{"type": "reject"}], "transports": { "docker": { "registry.access.redhat.com": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" } ] }, "atomic": { "172.30.1.1:5000/openshift": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" } ], "172.30.1.1:5000/production": [ { "type": "signedBy", "keyType": "GPGKeys", "keyPath": "/etc/pki/example.com/pubkey" } ], "172.30.1.1:5000": [{"type": "insecureAcceptAnything"}] } } }
The policy can be saved onto a node as /etc/containers/policy.json. This example enforces the following rules:
Require images from the Red Hat Registry (registry.access.redhat.com
) to be
signed by the Red Hat public key.
Require images from the OpenShift Container Registry in the openshift namespace to be signed by the Red Hat public key.
Require images from the OpenShift Container Registry in the production
namespace to be signed by the public key for example.com
.
Reject all other registries not specified by the global default
definition.
For specific instructions on configuring a host, see Enabling Image Signature Support. See the section below for details on Signature Transports. For more details on image signature policy, see the Signature verification policy file format source code documentation.
A signature transport is a way to store and retrieve the binary signature blob. There are two types of signature transports.
atomic
: Managed by the OKD API.
docker
: Served as a local file or by a web server.
Signatures using the atomic
transport type are managed by the OKD
API. Images must be stored by the OpenShift Container Registry. No additional
configuration is required due to the docker/distribution
extensions
API to auto-discover the image signature endpoint.
Signatures using the docker
transport type are served by local file or web
server. They have the benefit of the most flexibility: any container registry
can be used to serve images with an independent server to deliver binary
signatures.
However, the docker
transport type requires additional configuration. Each
node must be configured with the URI of the signature server using
arbitrarily-named YAML files placed into a directory on the host system,
/etc/containers/registries.d by default. The configuration files contain a
registry URI and a signature server URI, or sigstore:
docker: registry.access.redhat.com: sigstore: http://registry.access.redhat.com/content/sigstore/
This example file may be placed on each node as
/etc/containers/registries.d/redhat.com.yaml. It defines a signature server
(the sigstore
parameter) to serve signatures for the docker
transport type
for the Red Hat Registry (access.registry.redhat.com
). Placing these files
onto a cluster of nodes may be automated using Ansible, for example. No service
restart is required since policy and registries.d files are dynamically
loaded by the container runtime.
For more details, see the Registries Configuration Directory or Signature access protocols source code documentation.
OKD Cluster Administration Guide
Red Hat Knowledgebase
Source Code Reference
The Secret
object type provides a mechanism to hold sensitive information such
as passwords, OKD client configuration files, dockercfg files,
and private source repository credentials. secrets decouple sensitive content
from pods. You can mount secrets into containers using a volume plug-in or the
system can use secrets to perform actions on behalf of a pod.
For example, to add a secret to your deployment configuration using the web console so that it can access a private image repository:
Create a new project.
Navigate to Resources → secrets and create a new secret. Set Secret Type to Image Secret and Authentication Type to Image Registry Credentials to enter credentials for accessing a private image repository.
When creating a deployment configuration (for example, from the Add to Project → Deploy Image page), set the Pull Secret to your new secret.
ConfigMaps
are similar to secrets, but are designed to support working with
strings that do not contain sensitive information. The ConfigMap
object holds
key-value pairs of configuration data that can be consumed in pods or used to
store configuration data for system components such as controllers.
OKD Developer Guide
You can use security context constraints (SCCs) to define a set of conditions that a pod (a collection of containers) must run with in order to be accepted into the system.
Some aspects that can be managed by SCCs include:
Running of privileged containers.
Capabilities a container can request to be added.
Use of host directories as volumes.
SELinux context of the container.
Container user ID.
If you have the required permissions, you can adjust the default SCC policies to be more permissive.
OKD Architecture: Security Context Constraints
OKD Installation and Configuration: Security Warning
Discusses privileged containers