articles/aks/operator-best-practices-container-image-management.md
Lines changed: 0 additions & 13 deletions
@@ -18,7 +18,6 @@ This article focuses on how to secure your containers in AKS. You learn how to:
18
18
19
19
> [!div class="checklist"]
20
20
> * Scan for and remediate image vulnerabilities
21
-
> * Use a trusted registry with digitally signed container images
22
21
> * Automatically trigger and redeploy container images when a base image is updated
23
22
24
23
You can also read the best practices for [cluster security][best-practices-cluster-security] and for [pod security][best-practices-pod-security].
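Review bot: dropping the checklist line `> * Use a trusted registry with digitally signed container images` removes two separate controls in one stroke, since the section it points to (see the second hunk) opens with guidance to limit which registries pods and deployments can pull from, and only then discusses signing. If the intent is to retire the signed-image guidance only, keep a checklist entry along the lines of `> * Use a trusted registry` so readers still learn about registry allow-listing; if the whole topic is intentionally gone, the intro sentence "You learn how to:" now lists only scanning and base-image rebuilds, which should be confirmed as the desired scope.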
@@ -33,16 +32,6 @@ One concern with the adoption of container-based workloads is verifying the secu
33
32
34
33
In a real-world example, you can use a continuous integration and continuous deployment (CI/CD) pipeline to automate the image scans, verification, and deployments. Azure Container Registry includes these vulnerabilities scanning capabilities.
35
34
36
-
## Use a trusted registry
37
-
38
-
**Best practice guidance** - Limit the image registries that pods and deployments can use. Only allow trusted registries where you validate and control the images that are available.
39
-
40
-
For additional security, you can also digitally sign your container images just like you can digitally sign your application code. You then only permit AKS to deploy signed images. This process provides an additional layer of security in that you limit AKS to only pull images digitally signed and trusted by you, not just images that pass a vulnerability check. You also make sure that the container image has not been tampered with and replaced by an image with the exact same name.
41
-
42
-
Trusted registries that provide digitally signed container images add complexity to your environment, but may be required for certain policy or regulatory compliance. Azure Container Registry supports the use of trusted registries and signed images.
43
-
44
-
For more information about digitally signed images, see [Content trust in Azure Container Registry][acr-content-trust].
45
-
46
35
## Automatically build new images on base image update
47
36
48
37
**Best practice guidance** - As you use base images for application images, use automation to build new images when the base image is updated. As those base images typically include security fixes, update any downstream application container images.
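Review bot: the deletion takes out the entire "Use a trusted registry" section, including the paragraph `**Best practice guidance** - Limit the image registries that pods and deployments can use.`, which is a registry allow-list control independent of image signing; the three paragraphs after it are the ones about digitally signed images and content trust. Restricting pull sources to registries you control is still a meaningful defence against pulling untrusted images even without signatures, so consider keeping the heading plus that first paragraph and removing only the signing paragraphs. Either way, the page shows no commit description or comment explaining why the section is retired; a one-line rationale in the commit message would help anyone reviewing the history of this best-practices article.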
@@ -58,7 +47,6 @@ For more information about base image updates, see [Automate image builds on bas
58
47
This article focused on how to secure your containers. To implement some of these areas, see the following articles:
59
48
60
49
*[Automate image builds on base image update with Azure Container Registry Tasks][acr-base-image-update]
61
-
*[Content trust in Azure Container Registry][acr-content-trust]
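Review bot: this hunk removes the last use of the reference-style link `[acr-content-trust]` (the other use went with the section in the previous hunk), but no hunk deletes the corresponding link definition that the article keeps at the bottom of the file, so an unused definition is likely left behind; remove it in the same change so the docs linter does not flag it. Minor style point on the surviving context line: `*[Automate image builds on base image update with Azure Container Registry Tasks][acr-base-image-update]` is missing the space after `*` that Markdown needs to render it as a list item, and with a single entry left, "see the following articles" in the lead sentence now reads oddly.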