CI/CD Pipeline

Learn how we can secure code in the application delivery process.

The previous chapter showed us how to threat-model Kubernetes using the STRIDE model. In this chapter, we’ll learn about security-related challenges we’re likely to encounter when implementing Kubernetes in the real world.

The chapter's goal is to show us things from the high-level view of a security architect. It does not provide cookbook-style solutions.

Security in the software delivery pipeline

Containers revolutionized the way we build, ship, and run applications. Unfortunately, this has also made it easier than ever to run dangerous code.

Let’s look at some ways to secure the supply chain that gets application code from a developer’s laptop to production servers.

Image repositories

We store images in public and private registries that we divide into repositories.

Public registries are on the internet and are the easiest way to push and pull images. However, we should be very careful when using them:

  1. We need to adequately protect the images we store on public registries.

  2. We should not trust the images we pull from public registries.
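Both rules come down to knowing exactly what a pull will fetch and where it comes from. The following added example, which is not code from the course, shows how a pipeline gate might classify the image references in a manifest: it normalises each reference the way container runtimes do (`docker.io` as the default registry, the `library/` namespace for Docker Hub official images), reports pulls from registries outside our control, and flags anything not pinned by digest, since a tag can be re-pushed while a digest cannot. The registry names in `TRUSTED_REGISTRIES` and the manifest fragment are constructed for this example.

```python
"""Classify container image references before they reach a cluster.

Added example, not part of the course material. The trusted-registry list
and the sample manifest are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical private registry we operate (assumption for this example).
TRUSTED_REGISTRIES = {"registry.example.internal"}


@dataclass
class ImageRef:
    registry: str
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only a digest identifies immutable content; tags can be re-pushed.
        return self.digest is not None

    @property
    def public(self) -> bool:
        # Anything not in a registry we control is treated as untrusted.
        return self.registry not in TRUSTED_REGISTRIES


def parse_image_ref(ref: str) -> ImageRef:
    """Split 'registry/repo:tag@sha256:...' using the normalisation rules
    container runtimes apply (docker.io default, 'library/' for Docker Hub
    official images, tag only after the final '/')."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)

    # The first path component is a registry only if it looks like a host.
    first, sep, rest = ref.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        registry, path = first, rest
    else:
        registry, path = "docker.io", ref

    # A tag is a ':' after the final '/', so registry ports are not mistaken.
    last_slash = path.rfind("/")
    colon = path.rfind(":")
    tag = None
    if colon > last_slash:
        path, tag = path[:colon], path[colon + 1:]

    if registry == "docker.io" and "/" not in path:
        path = "library/" + path  # Docker Hub official-image namespace

    return ImageRef(registry, path, tag, digest)


def check_image(ref: str) -> List[str]:
    """Return policy findings for one image reference (empty list = clean)."""
    img = parse_image_ref(ref)
    findings = []
    if img.public:
        findings.append(f"pulled from public registry {img.registry}")
    if not img.pinned:
        findings.append(f"not pinned by digest (tag {img.tag or 'latest'} is mutable)")
    return findings


def scan_manifest(text: str) -> Dict[str, List[str]]:
    """Find every 'image:' value in a manifest and run check_image on it."""
    results = {}
    for m in re.finditer(r"^\s*image:\s*['\"]?([^\s'\"]+)", text, re.MULTILINE):
        results[m.group(1)] = check_image(m.group(1))
    return results


# Constructed Kubernetes manifest fragment used to exercise the checks.
PINNED_DIGEST = "sha256:" + "0" * 64  # placeholder digest, not a real image
SAMPLE_MANIFEST = f"""
containers:
  - name: web
    image: nginx
  - name: api
    image: registry.example.internal/team/app@{PINNED_DIGEST}
  - name: sidecar
    image: ghcr.io/someorg/tool:v2
"""

if __name__ == "__main__":
    for image, findings in scan_manifest(SAMPLE_MANIFEST).items():
        status = "; ".join(findings) if findings else "ok"
        print(f"{image}: {status}")
```

Run as a pipeline step, a non-empty findings list for any image is a reason to fail the build; the `api` container passes because it comes from the trusted registry and is pinned by digest, while `nginx` (resolved to `docker.io/library/nginx`, tag `latest`) and the `ghcr.io` image both fail on two counts.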

Some public registries have the concept of official images and community images. Generally, official images are safer than community images, ...