8 hours 33 minutes
Hello, Siberians. Welcome to this lesson on a jock container registry security. This lesson is part of the sixth model off the Is that 500 Microsoft Azure Security technologies costs quick information on what are recovering in this lesson.
We'll start out by giving an overview off continent ization on the different aspect off. This technology
wouldn't give an overview off the as your content of registry, which are referred to as a see how going forward al cover how a CIA works. I'll cover the different years that we have for easy our on how that village security How cover a sea of security best practices I'll talk about SCR authentication and rope is access control.
I'll talk about scanning SCR images using security center. Let's get into this. So when we talk about continent physician as a technology, they usually treatment aspects that were referring to first of all, building continent images on then starring on distributing this continent images
and then finally
running those continent images When it comes to building continent images, that's an activity that's usually done by developers usually have the docker engine installed on their laptops on their computers that they're using for developments, and they'll be using the Doctor Butte Command hard. The doctor composed application
to build the continent images when the continent images abuse
and then is to be start somewhere and distributed for Does that needs to run the application on. That is where, as your content of registry comes in, as your content of registry is one of those services that we can use to start on, distribute continent images and then after storing and distributing our container images
there, we need to run those in actual environment and the multiple services that we can use to run containers in hasher, depending on the application, type that with along with. So, for example,
we can run our country images within virtual machines with incontinent instances within APP services. If their Web applications within as your function within as your batch within service fabric and within communities service. Now, for the purpose of this, cars will be focusing on container registry, and then we'll be talking about continent instances and community service.
A container registry is a managed docker registry service that we can use to star on distribute continent images on other artifact. Let's break this definition down a bit fast.
It is a managed service. What that means is we do not need to manage the underlying infrastructure operating system application. Second,
we can use the service to start and distribute content images and other artifact. But what are the other artifacts that we can use it to stop apart from continent images? What we can use it to start Arm chats, which is a package in format for deploying applications for communities. Joe Container Registry is
based on the open source Docker Registry 2.0 service, and this is the same seven that's the popular doctor Hard Registry is based on.
He's in the private content of registry service like a see how obsessed omitted gets the risk off malicious continent images. It else to do that because we can validates the images that are start in the service
before they actually start on. Distributed on finally as your container registry as tight integration with multiple order as your services, so that we can easily pull images from the registry
into deployments to get like community service, veteran machines functions are up service.
Let's look at how we work with a see how the faster we need to do is to create a content of registry with the Ouija Pato. I just see a lie, a lie, your partial, the developers that and beauty in the continent. Images can use DACA command to push images into the registry. Now the left inside, we have a developer that's just finished buildings,
two container images and then they can use the DACA Push Command to push this continent images
into the azure container registry service to start on distribute. And now, on the other hand, we have a deployment tigers that we wants to run this continent images in as applications. We can also use docker commands to pull the images from the registry on to deploy them locally on the deployments target.
So let's look at the different. Yes, off a see how that exists. We have the basic tear.
We have the standards there, and we have the premium tier. Now The basic tear is a cost optimized entry point for developers that Lenin about content of registry. It has the same capabilities that the standard here has. So it has to be really just like where book integration on just registry out indication with enjoyed, however, it
as less killed and the standards here does. So, for example, we have less storage capacity that included we have less network bandwidth unless
I ops Now. The standards here are some capabilities as the basic, but as we mentioned, it has increased storage limit on image trip, foot on dishes. Satisfied the needs off most production scenarios. And finally, we have the premium tier, which asked capabilities that
both the basic and stand that yes, do not have, especially when we talk about security features.
So, for example, the premium tier has security features like your application. Content trust allows us to do image signing private and point, which would talk about in a minute on encryption. Justin customer manage keys to enhance the default and Egyptian capabilities of the service on, Of course,
it has increased storage capacity on increased image True Boots than bought the basic Understand that, yes,
let's review very quickly the best practices when we talk about azure container registry. The first best practice is to configure service Far world, but this is only available for the premium service here. And what dismisses that by the fault one would create a content of registry. It's accessible to the entire Internet.
And maybe that's something that we want to use service firewall rules to lock down today it's not accessible.
Every I p address from the Internet. Second best practice is to restrict access using private endpoint, so dis capability is only available to the premium tier off the service. Also on what this means is,
if we have a deployments, tie gets member running. Wouldn't private networks that were Austin and measure, or maybe even on premises, where we have some VPN connections without private network? What we can do is we can create a private
endpoint, which will be represented logically as an I P address in my private virtual network and that we are deployments. Targets can privately reach out through this I p address to make connections to the registry service. On also to receive the response back, he told, best practice is to encrypt with customer manage key.
This is also only available toe the premium service tear on Lee
on the advantage of this is just enhanced privacy by the faults. The images that were starving in the services are encrypted. However, the encrypted with a key that's managed by Microsoft. So if you want to enhance that for privacy properties, we can announce that by using our own customer. Manage Key
for best practices is to use as you're a diva obeys access control for secure authentication and access control.
Well, look at this in the next light. The other best practice is to implement content trust for image signing so that that way, the publisher of the image can sign the image to ensure that the consumer can verify
that the image has not been tampered with in any way. Another best practice is to implement image scanning, which requires the use off as your security center.
We'll also talk about this in another slight where we talk about a see how authentication options, their two main options that we have
using the admin user authentication. This essentially something similar to a local user name on local password for authentication. So in this case, the users are services that are using images and the registry or publishing the images
can make request using a local user name on a password
on. Then they can get the response back. However, this gives them something equivalent of full control off this registry service. The other option is to use as your 80 with robots access control on. In this model, the user can authenticate stowage or 80
often talking from majority and then use the talking toe identify themselves to the continent Registry service. Also
in this model, the user is only going to have the permissions that was defined using role based access control on the service. So talking about permissions, she's in robots Access control. What are the different rows that we can assign to use this and services? The owner on the contribute of those
have a broad set off permissions, and they should be used sparingly.
They have access to Boston management plane on the data plane off a see how
we have, the reader wrote. The riddle allows the permission to pull images from the registry, but also to access the resource manager.
We have the SC out push through, which allows the permission to pull images from the registry, but also to push images into the registry. So this road can be a science to image publishers, but also toe image consumers.
We have the see how pool, which I last permission to be able to pull images on Lee. So if a service user only needs the permission to pull images, this is a good vote or sign. This would give them access to the management plane like the video will do.
We have the S e out the literal, which gives the permission to the late images from the registry. And finally we have the image Sinovel, which gives the ability to sign images. And this is something that we usually assigned to an automated process. So finally, let's talk about Image Canyon with security center
on. The purpose of this estimate gets tavisca vulnerable. Malicious continent images
been start in SC help because images may include run times and libraries that could become out of date or become vulnerable on. It's always a good proxies to ensure that we continually scanning our images for fun of abilities to ensure that we're always using off to the division of one time on libraries.
Another fast to use dysfunctionality
when next, tohave the stand back there off as your security center. Talk about at your security center in another module in this cost, so the way that this works is that after an image is pushed into a see how security centaur been notified on, this is going to trigger an image. Can using the quality vulnerability SCANA
and the results can be obtained directly from as your security center,
all via the AP High Off Security Center. He has some supplementary links for further studies off the topics that covered in this lesson and has a somebody off what we covered in this lesson who started out by covering an overview of continent physician. We talked about the three processes within covered under review off your content of registry.
We discussed our A C I works.
We talked about the different years off a see how, on our village security we come out a CR security best practices who discussed a CR authentication and always access control on. Finally, we looked at image canon with security center. Thanks very much for watching this video on. I'll see you in the next lesson