Container Security (Part 2 of 3)

 



To read part 1 of 3 please click here
To read part 3 of 3 please click here


Azure Container Registry (ACR)

Registry

A container registry is known as a service that stores and distributes container images while providing the users with direct control of their images, with integrated authentication, geo-replication supporting global distribution and reliability for network-close deployments, virtual network and firewall configuration, tag locking, and many other enhanced features.
Besides Docker container images, ACR supports related content artifacts including Open Container Initiative (OCR) image formats.

Security and Access

ACI transfers container's images over HTTPS and supports TLS to secure client connections. Security features of the Premium SKU includes content trust for image tag signing, firewalls and virtual networks to restrict access to the registry. Azure Security Center optionally integrates with ACR to scan images whenever an image is pushed to a registry.

Repository

Container registries manage repositories, collections of container images or other artifacts with the same name but different tags. For example- acr-helloworld:latest, acr-helloworld:v1, acr-helloworld:v2 

Image

A container image or other artifact within a registry is associated with one or more tags, has one or more layers, and is identified by a manifest. Understanding how these components relate to each other can help you manage your registry effectively.

Monitor container activity and user access

The container monitoring solution in Log Analytics can help you view and manage your Docker and Windows container host in a single location. By using Log analytics you can:
  • View detailed audit information that shows commands used with containers.
  • Troubleshoot containers by viewing and searching centralized logs without having to remotely view Docker or Windows hosts.
  • Find containers that may be noisy and consuming access resources on a host.
  • View centralized CPU, memory, storage, network usage and performance information for containers. 
Containers makes it possible to run multiple instances of an application on a single instance of an OS, thereby using resources more efficiently; hence providing agility, streamlined operations, scalability and reduced costs due to resource optimization.

 Authenticate with an Azure Container Registry

There are several ways to authenticate with an ACR, each of which is applicable to one or more registry usage scenarios. The following table lists available authentication methods and recommended scenarios:

Identity

Usage scenario

Details

Azure AD identities including user and service principles.

Unattended push from DevOps, unattended pull to Azure or external services.

Role-based access control- Reader, Contributor, Owner

Individual AD Identity

Interactive push/pull by developers and testers

 

Admin user

Interactive push/pull by individual developers and testers

By default, disabled

 Individual login with Azure AD

When you login by using the az acr login command in the Azure CLI, it (CLI) uses the token created when you executed az login to seamlessly authenticate your session with your registry. To complete the execution flow Docker must be installed and running in your environment which can be used by az acr login to set an Azure Active Directory token in the docker.config file. Once you've logged in this way, your credentials are cached, and subsequent docker commands in your session do not require a username or password.

Service principle

If you assign a service principle to your registry, your application or service can use it for headless authentication. Multiple service principles allow you to define different access for different applications. The available roles for a container registry includes- AcrPull: pull, AcrPush: pull and push, Owner: pull, push, and assign roles to other users.  

Admin account

Each container registry includes an admin user account, which is disabled by default and can be enabled easily. The admin account is provided with two passwords, both of which can be regenerated and allows you to maintain connection to the registry by using one password while you regenerate the other. If the admin account is enabled, you can pass the username and either password to the docker login command when prompted for basic authentication to the registry.


To read part 1 of 3 please click here
To read part 3 of 3 please click here





















Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)