Container Security (Part 2 of 3)

By Ashwin Venugopal -

 



To read part 1 of 3 please click here
To read part 3 of 3 please click here


Azure Container Registry (ACR)

Registry

A container registry is known as a service that stores and distributes container images while providing the users with direct control of their images, with integrated authentication, geo-replication supporting global distribution and reliability for network-close deployments, virtual network and firewall configuration, tag locking, and many other enhanced features.
Besides Docker container images, ACR supports related content artifacts including Open Container Initiative (OCR) image formats.

Security and Access

ACI transfers container's images over HTTPS and supports TLS to secure client connections. Security features of the Premium SKU includes content trust for image tag signing, firewalls and virtual networks to restrict access to the registry. Azure Security Center optionally integrates with ACR to scan images whenever an image is pushed to a registry.

Repository

Container registries manage repositories, collections of container images or other artifacts with the same name but different tags. For example- acr-helloworld:latest, acr-helloworld:v1, acr-helloworld:v2 

Image

A container image or other artifact within a registry is associated with one or more tags, has one or more layers, and is identified by a manifest. Understanding how these components relate to each other can help you manage your registry effectively.

Monitor container activity and user access

The container monitoring solution in Log Analytics can help you view and manage your Docker and Windows container host in a single location. By using Log analytics you can:
  • View detailed audit information that shows commands used with containers.
  • Troubleshoot containers by viewing and searching centralized logs without having to remotely view Docker or Windows hosts.
  • Find containers that may be noisy and consuming access resources on a host.
  • View centralized CPU, memory, storage, network usage and performance information for containers. 
Containers makes it possible to run multiple instances of an application on a single instance of an OS, thereby using resources more efficiently; hence providing agility, streamlined operations, scalability and reduced costs due to resource optimization.

 Authenticate with an Azure Container Registry

There are several ways to authenticate with an ACR, each of which is applicable to one or more registry usage scenarios. The following table lists available authentication methods and recommended scenarios:

Identity

Usage scenario

Details

Azure AD identities including user and service principles.

Unattended push from DevOps, unattended pull to Azure or external services.

Role-based access control- Reader, Contributor, Owner

Individual AD Identity

Interactive push/pull by developers and testers

 

Admin user

Interactive push/pull by individual developers and testers

By default, disabled

 Individual login with Azure AD

When you login by using the az acr login command in the Azure CLI, it (CLI) uses the token created when you executed az login to seamlessly authenticate your session with your registry. To complete the execution flow Docker must be installed and running in your environment which can be used by az acr login to set an Azure Active Directory token in the docker.config file. Once you've logged in this way, your credentials are cached, and subsequent docker commands in your session do not require a username or password.

Service principle

If you assign a service principle to your registry, your application or service can use it for headless authentication. Multiple service principles allow you to define different access for different applications. The available roles for a container registry includes- AcrPull: pull, AcrPush: pull and push, Owner: pull, push, and assign roles to other users.  

Admin account

Each container registry includes an admin user account, which is disabled by default and can be enabled easily. The admin account is provided with two passwords, both of which can be regenerated and allows you to maintain connection to the registry by using one password while you regenerate the other. If the admin account is enabled, you can pass the username and either password to the docker login command when prompted for basic authentication to the registry.


To read part 1 of 3 please click here
To read part 3 of 3 please click here





















Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more