propose path forward for TTS/GSA use of Docker registries

[afeld]

Background Information

Per https://github.com/18F/tts-tech-portfolio-private/issues/947#issuecomment-706273874, "DockerHub…will not be providing any security information nor do they seem to do security in the way we'd like." Not a great situation. Options:

• Avoid use of Docker Hub entirely
  • Would be a lot of work, since basically everything uses it as an upstream
• Use Docker Hub with conditions, e.g.
  • Only for local development / outside of production
  • Only with an intermediate registry that does scanning

Probably worth doing some threat modeling to make sure everyone's on the same page about what we are protecting ourselves against.

TTS isn't the only part of GSA using containers, so we should see what's being done in GSA IT, FAS Cloud Services, etc.

Implementation Steps

• [ ] Get a hold of any GSA-wide security documentation around containers, e.g. the hardening guide (that seems to have disappeared…?)
• [x] Find out what GSA Security is doing
• [ ] Find out what FAS Cloud Services is doing
• [ ] Write up proposal
• [ ] Get feedback within TTS
• [ ] Send proposal to Security and CTO

Acceptance Criteria

• [ ] We have a identified a container registry for TTS

[afeld]

The GSA Container Security Benchmark may be useful here.

[its-a-lisa-at-work]

I've found this article useful as a possible way forward https://github.com/microsoft/containerregistry https://azure.microsoft.com/en-us/blog/microsoft-syndicates-container-catalog/

[afeld]

New problem here: Free teams in DockerHub are now limited to three users. Getting this error when trying to manage users:

10 of 3 seats filled

[its-a-lisa-at-work]

I highly recommend that we look into partner with Platform One who is doing Container registry.

On Mon, Mar 29, 2021 at 12:18 PM Aidan Feldman @.***> wrote:

New problem here: Free teams in DockerHub are now limited to three users. Getting this error when trying to manage users:

10 of 3 seats filled

— You are receiving this because you commented. Reply to this email directly, view it on GitHub https://github.com/18F/tts-tech-portfolio/issues/983#issuecomment-809516800, or unsubscribe https://github.com/notifications/unsubscribe-auth/AHPQBHVVDBNLRMXAVA24VZDTGCR3LANCNFSM4TQAKJCA .

[afeld]

@ManojChalise mentioned that GSA IT's DevSecOps Tiger Team is working on a centralized registry for GSA, which presumably/hopefully we can leverage. He said he'll send me whatever documentation/plans he can, and keep us updated.

[JJediny]

Connect with Devtools