Enhancing Deploy Pipeline Security: Binary Authorization Explained

Enhancing Deploy Pipeline Security: Binary Authorization Explained

Table of Contents:

1. Introduction
2. About Shopify
3. The Evolution of Deploying Applications
4. The Advantages of Docker
5. Introducing Binary Authorization
6. The Role of Policies
7. The Use of Attestations
8. The Voucher Tool
9. Handling Vulnerabilities
10. Integrating with Kubernetes

Article: Securing Your Deploy Pipeline with Binary Authorization

Introduction

In today's digital landscape, securing your deploy pipeline is of utmost importance. With the increasing number of cyber threats and vulnerabilities, organizations need to ensure that their applications and systems are protected against unauthorized access and potential attacks. One effective way to achieve this is through the use of Binary Authorization.

About Shopify

Shopify is a leading e-commerce platform that hosts over 600,000 online stores worldwide. As a production security engineer at Shopify, I am responsible for ensuring the security of our infrastructure and applications. Our team focuses on securing everything below the application level, including building secure docker images, deploying them securely, and securing Kubernetes for old infrastructure.

The Evolution of Deploying Applications

Before diving into the details of Binary Authorization, let's take a step back and look at how application deployment has evolved over the years. In the past, deploying applications on virtual machines (VMs) was a common practice. While VMs offered some level of virtualization and scalability, they came with certain drawbacks. Rolling out and maintaining VMs was challenging, and the mutability of VMs created security vulnerabilities.

The Advantages of Docker

With the introduction of Docker, deploying applications became much easier. Docker containers allowed for faster and more efficient deployment, as well as improved system isolation. By eliminating mutability, Docker containers offered enhanced security. However, deploying Docker containers still had its own set of challenges, especially when it came to ensuring the security of the container images.

Introducing Binary Authorization

Binary Authorization is a service that provides a way to determine whether a Docker container is safe to run in a production environment. By integrating Binary Authorization with Kubernetes, organizations can ensure that only authorized and secure container images are deployed. This ensures that potentially vulnerable or malicious container images are not run, minimizing the risk of security breaches.

The Role of Policies

Policies play a crucial role in the Binary Authorization process. Policies are YAML files that define what images should be whitelisted or blocked based on various criteria. Organizations can specify different enforcement modes, such as logging violations without blocking, blocking and audit logging, or requiring attestations. Policies can be configured at the project or cluster level, allowing for fine-grained control over image deployment.

The Use of Attestations

Attestations are digital signatures that validate the security and integrity of a Docker container image. Attestations are generated by a customizable attestation creator tool called Voucher. Voucher verifies various aspects of the container image, such as the source, vulnerabilities, and code coverage. The generated attestations are stored in a metadata server called Grafias.

Handling Vulnerabilities

One of the critical aspects of securing a deploy pipeline is addressing vulnerabilities. Continuous vulnerability scanning is crucial to ensure that container images remain secure over time. By regularly scanning images and storing vulnerability information in Grafias, organizations can enforce policies that prevent the deployment of vulnerable images. The Package Vulnerability Policy allows organizations to define which vulnerabilities are acceptable based on their severity.

Integrating with Kubernetes

Binary Authorization integrates seamlessly with Kubernetes through the use of admission controllers. An admission controller called Kritis acts as a validating admission controller and evaluates whether images meet the policy requirements. By leveraging admission controllers, organizations can enforce security checks at deployment time and prevent unauthorized or vulnerable images from being deployed.

Conclusion

Securing the deploy pipeline is a crucial aspect of maintaining a secure and reliable infrastructure. With the use of Binary Authorization, organizations can implement a robust security framework that ensures only authorized and secure container images are deployed. By leveraging policies, attestations, and continuous vulnerability scanning, organizations can minimize the risk of security breaches and keep their applications and systems secure.

Highlights:

1. Binary Authorization provides a way to determine whether a Docker container is safe to run in production.
2. Policies allow organizations to define which images should be whitelisted or blocked based on specific criteria.
3. Attestations are digital signatures that validate the security and integrity of a Docker container image.
4. Continuous vulnerability scanning is critical to address vulnerabilities in container images.
5. Integration with Kubernetes through admission controllers enforces security checks at deployment time.

FAQ:

Q: How does Binary Authorization work with Docker containers? A: Binary Authorization ensures that only authorized and secure container images are deployed in a production environment. It integrates with Kubernetes and uses policies and attestations to validate the security of Docker images.

Q: Can organizations customize the policies in Binary Authorization? A: Yes, organizations can customize policies based on their specific security requirements. Policies can be defined at the project or cluster level, allowing for fine-grained control over image deployment.

Q: What is the role of attestation in the Binary Authorization process? A: Attestations are digital signatures that validate the security and integrity of a Docker container image. They provide assurance that the container image has passed the necessary security checks and can be safely deployed.

Q: How does Binary Authorization handle vulnerabilities in container images? A: Continuous vulnerability scanning is crucial in addressing vulnerabilities. By regularly scanning container images and storing vulnerability information, organizations can enforce policies that prevent the deployment of vulnerable images.

Q: How does Binary Authorization integrate with Kubernetes? A: Binary Authorization integrates seamlessly with Kubernetes through the use of admission controllers. An admission controller called Kritis evaluates whether images meet the policy requirements and ensures only authorized images are deployed.