ml-tooling / contaxy

MIT License

Feature: Allow admins to maintain a list of allowed docker images #18

Closed JNKielmann closed 3 years ago

JNKielmann commented 3 years ago

Problem statement

In our organization we need to make sure that only images that were previously scanned for security vulnerabilities are run on our systems. Therefore, we require some way to only allow a specific set of images that can be used for starting services and jobs.

Solution

This PR implements an allowed-images API which can be used by admins to maintain a list of allowed images. Only images on this list can be used for new services and jobs. In the future, an extension could be built that scans provided docker images and adds them to the list of allowed images. This would also allow normal users to bring their own images.

This is a first proof of concept implementation. I am happy to change the API or implementation :)

API Additions

The following API endpoints were added to the contaxy API. They were added under the /system path as this seemed most fitting (the other paths that allow interacting with services and jobs are all specific to a project, but this allowed images list should be globally enforced). Alternatively, a new path /config could be added?

POST /system/allowed-images Add a new allowed image with a request body like this:

{
  "image_name": "my-scanned-image",
  "image_tags": [
    "0.1.2",
    "0.2.0"
  ]
}

This will allow the images my-scanned-image:0.1.2 and my-scanned-image:0.2.0. You can also allow all tags for an image by adding "*" to the "image_tags" list. This method can also be used to override an existing allowed image to change the allowed image tags.

GET /system/allowed-images This will return the list of allowed images:

[
  {
    "image_name": "my-scanned-image",
    "image_tags": [
      "0.1.1"
    ]
  },
  {
    "image_name": "myregistry.com:8080/other-allowed-image",
    "image_tags": [
      "*"
    ]
  }
]

DELETE /system/allowed-images?image_name=my-scanned-image Deletes an allowed image so no new services with that image can be spawned. The image name is passed as a query parameter instead of the path (DELETE /system/allowed-image/my-scanned-image) because the image name can contain slashes.
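As an added example (not contaxy's own code), the check a service or job launcher would run against the list returned by GET /system/allowed-images, including the cases the description points out: a ":" belonging to a registry port rather than a tag, and the "*" wildcard. Treating an untagged reference as the "latest" tag and rejecting digest references are assumptions of this example, not behaviour stated in the PR.

```python
from typing import Dict, List, Tuple

# Constructed sample list in the shape returned by GET /system/allowed-images
ALLOWED_IMAGES: List[Dict] = [
    {"image_name": "my-scanned-image", "image_tags": ["0.1.2", "0.2.0"]},
    {"image_name": "myregistry.com:8080/other-allowed-image", "image_tags": ["*"]},
]


def split_image_reference(image: str) -> Tuple[str, str]:
    """Split 'registry[:port]/name[:tag]' into (name, tag).

    A ':' that appears before the last '/' belongs to the registry port
    (e.g. myregistry.com:8080/...), so only a ':' after it separates the tag.
    """
    last_slash = image.rfind("/")
    colon = image.rfind(":")
    if colon > last_slash:
        return image[:colon], image[colon + 1:]
    # Assumption: an untagged reference resolves to the 'latest' tag.
    return image, "latest"


def is_image_allowed(image: str, allowed_images: List[Dict]) -> bool:
    """Return True only if the image name is on the list and its tag is allowed."""
    image = image.strip()
    # Digest references (name@sha256:...) cannot be matched against a tag list;
    # fail closed rather than guess (assumption of this example).
    if not image or "@" in image:
        return False
    name, tag = split_image_reference(image)
    if not tag:
        return False
    for entry in allowed_images:
        if entry["image_name"] != name:
            continue
        tags = entry["image_tags"]
        return "*" in tags or tag in tags
    return False  # name not on the list: deny by default


def allow_image(allowed_images: List[Dict], image_name: str, image_tags: List[str]) -> List[Dict]:
    """Mirror the POST semantics: a new entry replaces any existing entry with the same name."""
    kept = [e for e in allowed_images if e["image_name"] != image_name]
    kept.append({"image_name": image_name, "image_tags": list(image_tags)})
    return kept
```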

JNKielmann commented 3 years ago

Build pipeline fails due to https://github.com/ml-tooling/universal-build/issues/34