Update image.md
jicowan authored Sep 7, 2023
1 parent 4ede272 commit dc6eef8
Showing 1 changed file with 8 additions and 8 deletions.
16 changes: 8 additions & 8 deletions content/security/docs/image.md
@@ -129,7 +129,7 @@ Each ECR repository can have a lifecycle policy that sets rules for when images
* Filtering by tagged or untagged images
* Filtering by image tags, either in multiple rules or a single rule

???+ warning
???+ warning
If the image for long running application is purged from ECR, it can cause an image pull errors when the application is redeployed or scaled horizontally. When using image lifecycle policies, be sure you have good CI/CD practices in place to keep deployments and the images that they reference up to date and always create [image] expiry rules that account for how often you do releases/deployments.

### Create a set of curated images
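Review bot: the removed and re-added `???+ warning` lines are identical in the rendered view, so the only change here can be whitespace (trailing space or indentation); the commit title "Update image.md" does not say which, so please state the intent in the commit message so reviewers can confirm it. While touching this block, check that the warning body on the following line is indented under `???+ warning` (the Material for MkDocs admonition syntax needs the body indented, otherwise the text renders outside the box), and that line could also lose the stray article in "it can cause an image pull errors".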
@@ -182,13 +182,13 @@ For example we can write a policy that cryptographically verifies the signature

Examples of admission controller include:

* https://kyverno.io/
* https://github.com/open-policy-agent/gatekeeper
* https://github.com/IBM/portieris
* https://github.com/deislabs/ratify
* https://github.com/grafeas/kritis
* https://github.com/kelseyhightower/grafeas-tutorial
* https://github.com/Shopify/voucher
* [https://kyverno.io/](Kyverno)
* [https://github.com/open-policy-agent/gatekeeper](OPA Gatekeeper)
* [https://github.com/IBM/portieris](Portieris)
* [https://github.com/deislabs/ratify](Ratify)
* [https://github.com/grafeas/kritis](Kritis)
* [https://github.com/kelseyhightower/grafeas-tutorial](Grafeas tutorial)
* [https://github.com/Shopify/voucher](Voucher)

### Update the packages in your container images
You should include RUN `apt-get update && apt-get upgrade` in your Dockerfiles to upgrade the packages in your images. Although upgrading requires you to run as root, this occurs during image build phase. The application doesn't need to run as root. You can install the updates and then switch to a different user with the USER directive. If your base image runs as a non-root user, switch to root and back; don't solely rely on the maintainers of the base image to install the latest security updates.
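Review bot: all seven replacement bullets have the Markdown link text and target swapped. `[https://kyverno.io/](Kyverno)` renders the raw URL as the visible text and makes the link target the relative path `Kyverno`, which will 404 on the published site; the syntax is `[text](url)`. Each line should read, for example, `* [Kyverno](https://kyverno.io/)` and `* [OPA Gatekeeper](https://github.com/open-policy-agent/gatekeeper)`, and the same fix applies to the Portieris, Ratify, Kritis, Grafeas tutorial and Voucher entries.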