27. Container Image Management Practice

Date: 2023-06-30

Status

Proposed

Context

The purpose of this document is to establish container image management practices for Konflux container images that are deployed in the staging and production environments. The goal is to ensure that Konflux is continuously maintaining secure operations that are in accordance with the ESS SEC-PATCH-REQ-2 (OS Patching) requirements.

Scope

Decision

Role

Component Team: Develops and maintains components that are built as images and deployed as part of Konflux

Responsibilities

Automated Build and Scanning

Onboard to Pipelines As Code (PaC)

Component Teams are responsible for ensuring their container images are continuously built and scanned for vulnerabilities by following the Extending the Service process to onboard their component to the PaC service.


Container Images

Trigger Builds

Under the PaC service, images are rebuilt when there are updates to the component’s git repository but additional configuration is needed in the Dockerfile to ensure the underlying base (UBI) images are updated with the latest packages (see the HAS example) or at the very least, the latest security updates. This will minimize the gap between patching and should meet our CVE timelines as long as the repository is active.

Component teams are encouraged to install renovatebot to keep their dependencies up to date.

Scheduled Builds

Since image updates are based on how active our repos are, there is the risk that over time, as code stabilizes and/or enters maintenance mode, the triggers for rebuilds will be less frequent which will cause the images to degrade. To avoid this, component teams should also ensure there are scheduled, weekly builds or builds driven by renovatebot or dependabot in place.

New Components

Newly onboarded components are required to use a fully supported and patched major version release for their base images per ESS SEC-PATCH-REQ-2 requirement #3. Installing renovatebot can help achieve this requirement.


Vulnerability Alerts

It is recommended that component teams set up notifications to receive vulnerability alerts that are at least medium severity. This can be done in a couple of ways:


Remediation

While our automation process will ensure that component teams are keeping their images updated, security scanners are not perfect. Vulnerabilities can be reported through other channels, in which case, component teams must assess the severity of these findings and remediate according to the Infosec Remediation Guidelines


End of Life Base Images (EOL)

Component teams should be aware of the lifecycle policy for their base images by referring to the RedHat Product Lifecycle page. Any base image version that is within 3 months of retiring must be updated to the latest patched major release. This should be supported by the deprecated-base-image check in the PAC pipeline.


Exception Process

The Red Hat Product Security Exception Process must be followed in the event that images cannot be patched or updated within the remediation timelines. Some example scenarios:

Consequences

In summary, component teams should have the following in place in order to meet ESS requirements:

See also RHTAP-828.