Container Security — Build to Runtime

01. 01. 2024 1 min čtení intermediate

Cloud Expert

Container Security — Build to Runtime¶

KontejnerySecuritySupply ChainRuntime 5 min čtení

Image hardening, supply chain, runtime protection a scanning.

Build-time¶

FROM node:20-slim AS builder
WORKDIR /app
COPY package*.json ./
RUN npm ci --only=production
COPY . .
RUN npm run build

FROM gcr.io/distroless/nodejs20-debian12
COPY --from=builder /app/dist /app
USER nonroot:nonroot
CMD ["server.js"]

Supply Chain¶

# Cosign signing
cosign sign --key cosign.key myregistry/myapp:v1.2.3

# Kyverno verification policy
spec:
  rules:
    - verifyImages:
        - imageReferences: ["myregistry/*"]

Runtime¶

Falco — syscall monitoring
Seccomp profiles
Read-only filesystem
Resource limits

Shrnutí¶

Container security = distroless + signed supply chain + admission policies + runtime monitoring.

Potřebujete pomoct s implementací?¶

Náš tým má zkušenosti s návrhem a implementací moderních architektur. Rádi vám pomůžeme.

Nezávazná konzultace

Další know-how

Bash scripting pro serverovou automatizaci

Prakticke bash skripty pro spravu Linux serveru. Deployment, backup, log rotace a monitoring.

HTML5 — budoucnost webu je tady

Semanticke elementy, Canvas, localStorage, geolokace — HTML5 meni zpusob tvorby webovych aplikaci. Kompletni prehled novinek.

Integrace Java aplikaci s Active Directory

Autentizace a autorizace uzivatelu v Java EE pres LDAP/Active Directory. JNDI, Spring Security.