<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Module 2: Secure the Containers :: English</title>
    <link>http://aws-core-labs.rofriday.com/30_secure_container/index.html</link>
    <description>Securing your Container Base Image&#xA;Estimated Completion Time: 30 minutes&#xA;Introduction&#xA;In this module we will learn about Container Base Image vulnerabilities, and how to use the most secure base image possible for your application.</description>
    <generator>Hugo</generator>
    <language>en-US</language>
    <atom:link href="http://aws-core-labs.rofriday.com/30_secure_container/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Step 3: Exploit a Container Vulnerability</title>
      <link>http://aws-core-labs.rofriday.com/30_secure_container/31_container_exploit/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>http://aws-core-labs.rofriday.com/30_secure_container/31_container_exploit/index.html</guid>
      <description>🚨 WARNING 🚨 This exploit should never be attempted in a running Production Account! This is for testing only!&#xA;Thumbnailer microservice&#xA;Putting an application into a container does not automatically make it secure. To demonstrate the risks of a vulnerable component introduced by our container base image, we will exploit a vulnerability in the ImageMagick package present in the “thumbnailer” pod we’ve deployed to EKS.&#xA;Thumbnailer is a microservice written in Python that simply takes an uploaded image and returns a 100x100 scaled-down thumbnail version. The application leverages the ImageMagick convert utility to do the work. This is very convenient since the official Python open source container image comes with that tool pre-installed.</description>
    </item>
    <item>
      <title>Step 4: Scan the Container Image for Vulnerabilities</title>
      <link>http://aws-core-labs.rofriday.com/30_secure_container/32_image_recommendations/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>http://aws-core-labs.rofriday.com/30_secure_container/32_image_recommendations/index.html</guid>
      <description>Scan the Container Image for Vulnerabilities&#xA;Vulnerable components like the version of ImageMagick present in our container image can be identified by Snyk. Developers using the Snyk CLI can run snyk container test to scan containers to get vulnerability information and base image upgrade guidance.&#xA;Scan the image (assuming you are in the thumbnailer directory of your goof repo) by running the following command:&#xA;snyk container test $REPO/thumbnailer:latest --file=Dockerfile --exclude-app-vulns&#xA;When the scan completes, review the list of vulnerabilities. There are quite a few!</description>
    </item>
    <item>
      <title>Step 5: Re-deploy the Application to test the fix</title>
      <link>http://aws-core-labs.rofriday.com/30_secure_container/34_redeploy_test/index.html</link>
      <pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate>
      <guid>http://aws-core-labs.rofriday.com/30_secure_container/34_redeploy_test/index.html</guid>
      <description>Now that we have rebuilt our image, let’s push it up to the ECR and re-deploy the more secure build of the application.&#xA;Push to ECR&#xA;docker push $REPO/thumbnailer:latest&#xA;Re-deploy the Application to EKS&#xA;Deploy it to EKS by scaling the goof deployment with kubectl now that the newer image is in the repo. The ImagePullPolicy of the deployment will force EKS to pull the latest image from the ECR.</description>
    </item>
  </channel>
</rss>