Álvaro is a solutions engineer at Sysdig. Before that, he worked in an IoT and financial micro-transactions company for 11 years as a Ninja developer. Then, he discovered he had been doing the fuzzy concept of DevOps when Adidas hired him for CI/CD support and platform engineering. He loves dissecting things to discover the internals, but only for tech stuff, not living beings. Alvaro was also the founder and leader of AMSN (an open-source clone of MSN messenger) project several years ago.
Attack of the mutant tags!
In container land, image tags are mutants. Are you using “latest” tag, or per-environment tags like “dev”, “staging”, “prod”, etc.? Then, you might not be aware, but you are already suffering their attack!
In this talk, we will analyze some use cases where mutability of tags could be troublesome, like: * Race conditions when deploying an image in different cluster nodes. * Time-of-Check vs Time-of-Use (TOCTOU) security issues that allows an attacker to trick image scanners with admission controllers or OPA Gatekeeper and run unverified images in Kubernetes. * Garbage collection not reclaiming space in the registry storage. * Accidental deletion of images using the registry API.
Should tags be always mutable? Immutable? Should we use regular expressions? How can we prevent these security incidents and accidents from happening? Which approach is the best? Join this session to find out!