As an SRE, I’m always on the lookout for tooling that can help me do my job better. The Kubernetes ecosystem is filled with amazing tools, especially ones that can validate that your clusters and container images are configured in a reliable and secure fashion. One such tool is dockle. If you haven’t heard of it, dockle is a container image linter: it checks an image’s layers and metadata against the CIS Docker Benchmark and Dockerfile best practices (the CIS-DI-* and DKL-DI-* checkpoints in the output below) rather than looking for known CVEs.
To get started with dockle, pass an image name as the argument: a repository and an optional tag (with no tag it inspects the latest tag, which is itself one of the things it warns about):
$ dockle kindest/node
WARN - CIS-DI-0001: Create a user for the container
* Last user should not be root
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
INFO - CIS-DI-0008: Confirm safety of setuid/setgid files
* setgid file: usr/bin/expiry grwxr-xr-x
* setuid file: usr/bin/su urwxr-xr-x
* setuid file: usr/bin/newgrp urwxr-xr-x
* setuid file: usr/bin/chfn urwxr-xr-x
* setuid file: usr/bin/passwd urwxr-xr-x
* setuid file: usr/bin/chsh urwxr-xr-x
* setuid file: usr/bin/mount urwxr-xr-x
* setuid file: usr/bin/umount urwxr-xr-x
* setuid file: usr/bin/gpasswd urwxr-xr-x
* setgid file: usr/bin/chage grwxr-xr-x
* setgid file: usr/sbin/pam_extrausers_chkpwd grwxr-xr-x
* setgid file: usr/sbin/unix_chkpwd grwxr-xr-x
* setgid file: usr/bin/wall grwxr-xr-x
Dockle inspects the image and prints its findings on STDOUT. Each finding names the checkpoint that triggered it, its severity (FATAL, WARN or INFO) and a description of what it found. I really dig the concise output, as well as the ability to ignore specific checkpoints and to control both the exit code and the severity level that triggers it. That makes it easy to add to a CI/CD pipeline as a gate, and it is a nice complement to vulnerability scanners such as Clair and Trivy, which look for known CVEs in installed packages rather than for configuration problems like a root default user or a pile of setuid binaries. Super cool project!
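The ignore list and exit-code handling mentioned above, as an added example that is not part of the original post or of the dockle project: a small POSIX shell gate. The flag names -i/--ignore, --exit-code and --exit-level are dockle's own; the function names, the gating policy and the sample report (the first findings of the kindest/node run above, copied in as a constructed stand-in so the logic runs without the dockle binary or a registry) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original post or the dockle project): a CI
# gate around dockle. -i/--ignore, --exit-code and --exit-level are dockle's
# real flags; the functions, sample report and policy below are our own.
set -eu

# Constructed sample: the first findings from the "dockle kindest/node" run
# above, so the gate can be exercised offline. Format: "LEVEL - CODE: title"
# checkpoint lines followed by "* detail" lines.
SAMPLE_REPORT=$(cat <<'EOF'
WARN - CIS-DI-0001: Create a user for the container
* Last user should not be root
WARN - DKL-DI-0006: Avoid latest tag
* Avoid 'latest' tag
INFO - CIS-DI-0005: Enable Content trust for Docker
* export DOCKER_CONTENT_TRUST=1 before docker pull/build
INFO - CIS-DI-0006: Add HEALTHCHECK instruction to the container image
* not found HEALTHCHECK statement
EOF
)

# count_level LEVEL [IGNORED_CODES] < report
# Counts checkpoint lines at LEVEL (FATAL, WARN or INFO) whose checkpoint code
# is not in the space-separated IGNORED_CODES list. Detail lines are skipped.
count_level() {
    level=$1
    ignored=${2:-}
    awk -v lvl="$level" -v ign=" $ignored " '
        $1 == lvl && $2 == "-" {
            code = $3
            sub(/:$/, "", code)
            if (index(ign, " " code " ") == 0) n++
        }
        END { print n + 0 }'
}

# gate_report [IGNORED_CODES] < report
# Returns 0 when no un-ignored WARN or FATAL finding remains, 1 otherwise.
# This mirrors what "--exit-code 1 --exit-level warn" makes dockle itself do,
# but lets the policy be unit-tested against a saved report.
gate_report() {
    report=$(cat)
    fatal=$(printf '%s\n' "$report" | count_level FATAL "${1:-}")
    warn=$(printf '%s\n' "$report" | count_level WARN "${1:-}")
    if [ "$((fatal + warn))" -eq 0 ]; then
        return 0
    fi
    return 1
}

# scan_image IMAGE [IGNORED_CODES]
# The real pipeline step: dockle's own exit status does the gating, and each
# ignored checkpoint becomes a -i flag (the same list could live in a
# .dockleignore file). Needs the dockle CLI on PATH, so it is not run here.
scan_image() {
    image=$1
    ignored=${2:-}
    set --
    for code in $ignored; do
        set -- "$@" -i "$code"
    done
    dockle --exit-code 1 --exit-level warn "$@" "$image"
}
```

Keep the ignore list short and deliberate: suppressing CIS-DI-0005 (content trust is enforced at pull time, not baked into the image) is reasonable, whereas suppressing CIS-DI-0001 hides a root default user that you should fix in the Dockerfile instead. For machine parsing in a pipeline, dockle's -f json output is easier to consume than the text format used here.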