Image Provenance Chain
Definition
Image Provenance Chain refers to the documented history and origin of a container image, detailing its creation, modifications, and ownership throughout its lifecycle. This chain is crucial for ensuring the integrity and security of containerized applications, as it allows organizations to verify the authenticity of images and trace any changes back to their source. By maintaining a robust provenance chain, organizations can prevent the use of tampered or malicious images in their environments.
Secure Settings Example
# Example Kubernetes PodSecurityPolicy enforcing image provenance
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: enforce-image-provenance
spec:
allowedHostPaths:
- pathPrefix: "/trusted-registry"
readOnlyRootFilesystem: true
runAsUser:
rule: MustRunAsNonRoot
seLinux:
rule: RunAsAny
supplementalGroups:
rule: MustRunAs
ranges:
- min: 1
max: 65535
fsGroup:
rule: MustRunAs
ranges:
- min: 1
max: 65535
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
Insecure Settings Example
# Example of a Kubernetes Deployment without image provenance enforcement
apiVersion: apps/v1
kind: Deployment
metadata:
name: insecure-deployment
spec:
replicas: 3
selector:
matchLabels:
app: insecure-app
template:
metadata:
labels:
app: insecure-app
spec:
containers:
- name: insecure-container
image: untrusted-registry/insecure-image:latest
ports:
- containerPort: 80