Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. Containers, metadata and you Liz Rice @lizrice | @aquasecteam

2 @lizrice Containers

3 @lizrice Container Images

4 @lizrice

Metadata you can build in

6 @lizrice Container images Dockerfile FROM MAINTAINER COPY CMD LABEL Image File system layer Metadata Metadata File system layer Metadata

7 @lizrice

8 @lizrice The only true identifier for an image is its SHA

9 @lizrice The only true identifier for an image is its SHA sha256:da4fd23ca6bf973782f20c1c946fdb74d 0a17f874c634bfa82b0999975fb347c

After the build

11 @lizrice Image stored in a registry with a tag [my.registry.io/]my-org-name/my-repo:tag lizrice/hello:3

12 @lizrice Labels can refer to external files Dockerfile FROM ... LABEL Image File system layer Metadata URL

Is this sufficient?

14 @lizrice ■ Testing ■ Vulnerability scanning ■ Security profiling ■ Approvals & signoffs ■ … ■ Deploy ■ … ■ Support ■ Prune What happens to your images after they’re built? - test results - vulnerability reports - seccomp / AppArmor profile - signoff records - check / use these? - support team contacts - deployment records

Post-build metadata

16 @lizrice

17 @lizrice registry myorg/myrepo Store metadata for an image sha256:0a3... sha256:178... latest 1.4 images data blobs 1.3 metadata

18 @lizrice Store metadata for an image registry myorg/myrepo sha256:0a3... sha256:178... latest 1.4 images data blobs 1.3 _manifesto metadata

Manifesto demo

52.174.107.27

Admission control pattern

No content

23 @lizrice Admission control Start deploy Is image OK? Run image Fail Check the metadata for the image ■ Test results? ■ Approvals? ■ Image / vulnerability policies?

Admission control demo

Trusted metadata

26 @lizrice

27 @lizrice

Copyright @ 2017 Aqua Security Software Ltd. All Rights Reserved. github.com/aquasecurity/manifesto