Securing Your Kubernetes Deployment with Anchore
Anchore ensures that only the right images are deployed and run in your Kubernetes environment
How Anchore Fits into a Kubernetes Deployment
Anchore provides the ability to inspect, query, and apply policies to container images prior to deployment in your private container registry, ensuring that only images that meet your organization’s policies are deployed in your Kubernetes environment.
Anchore can be integrated with Kubernetes using admission controllers to ensure that images are validated before being launched. This means that images that fall out of compliance, for example because newly discovered security vulnerabilities affect them, can be blocked from running within your environment. Anchore can be deployed standalone or as a service running within your Kubernetes environment.
Securing the pipeline into Kubernetes
Anchore is deployed as part of the CI/CD pipeline to scan container images as they are built, validating these images against user-defined policies. These policies can include checks on security vulnerabilities, package whitelists and blacklists, configuration file contents, presence of credentials in the image, manifest changes, exposed ports, or other user-defined checks. Only if the images pass these policy checks are they allowed to continue to the next stage of the build pipeline and then into the container registry used by Kubernetes.
Ensure that only certified images are launched by Kubernetes
Anchore can be integrated with Kubernetes using an admission controller that communicates with the Anchore Engine before running a container to ensure that the container image is compliant with the organization’s policies. Anchore uses native Kubernetes APIs and does not require any configuration changes or software installed on the host – no Docker plugins or privileged containers are required.
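As an added illustration of the admission-control flow described above (this is not Anchore's own admission controller or API), the following shows the webhook-side logic: it pulls every image out of a Pod CREATE request, checks each against a policy verdict, and returns an AdmissionReview response that denies the Pod if any image fails. The verdict table is a constructed in-memory stand-in for a call to the Anchore Engine, and images with no evaluation are treated as failures so the check fails closed.

```python
"""Minimal validating-admission logic for image policy checks.

Added example, not Anchore's admission controller: the policy lookup is a
constructed in-memory table standing in for a query to the Anchore Engine.
"""
import json

# Constructed verdicts keyed by image reference (assumption: "pass"/"fail").
POLICY_VERDICTS = {
    "registry.example.com/app/api:1.4.2": "pass",
    "registry.example.com/app/worker:2.0.0": "fail",
}


def evaluate_image(image):
    """Return (passed, reason). An image with no evaluation on record is
    rejected, so an unscanned image is never admitted (fail closed)."""
    verdict = POLICY_VERDICTS.get(image)
    if verdict is None:
        return False, f"{image}: no policy evaluation available"
    if verdict != "pass":
        return False, f"{image}: policy evaluation result '{verdict}'"
    return True, ""


def pod_images(pod):
    """Collect every image the Pod would run, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    return [c["image"] for key in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(key, [])]


def review(admission_review):
    """Build the AdmissionReview response for a Pod admission request."""
    req = admission_review["request"]
    failures = [reason for image in pod_images(req["object"])
                for ok, reason in [evaluate_image(image)] if not ok]
    response = {"uid": req["uid"], "allowed": not failures}
    if failures:  # deny with a message the API server surfaces to the user
        response["status"] = {"code": 403, "message": "; ".join(failures)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview", "response": response}


# Constructed AdmissionReview request, shaped like what the API server sends.
SAMPLE_REQUEST = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "example-uid-0001", "operation": "CREATE",
                "object": {"kind": "Pod", "spec": {
                    "initContainers": [{"name": "migrate", "image": "registry.example.com/app/api:1.4.2"}],
                    "containers": [{"name": "worker", "image": "registry.example.com/app/worker:2.0.0"}]}}},
}

if __name__ == "__main__":
    print(json.dumps(review(SAMPLE_REQUEST), indent=2))
```

In a real deployment the webhook is registered through a ValidatingWebhookConfiguration with failurePolicy set to Fail, so a webhook outage cannot silently admit unchecked images.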