Updating vulnerable images at runtime #32

Open
caruccio opened this issue Dec 28, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@caruccio

Feature Description

Ability to update packages at pod runtime.

Is your feature request related to a problem?

Usually reports are too long and prone to be ignored by developers. This proposal is to be used as a last resort in order to minimize the vulnerable code that runs.

The idea is as follows:

  • Marvin/Zora/whatever scans the image and generates a vulnerability report.
  • A workload ValidatingWebhook inside the cluster checks for matches with vulnerable images from the reports.
  • For a given match, the webhook changes each containers.command to a pre-exec script/binary which updates vulnerable dependencies (add, remove, update packages/files/configs) and exec()s the original command (either explicitly set in the original containers.command or taken from the image COMMAND).
  • Upon failure, it could fall back to don't-update and leave the next pod untouched by labeling the owner workload object.

What alternatives have you considered?

Slim detects and minifies the image by using probe heuristics. The drawback is that you need to interact with the application in order to generate data for slim to detect (access files, network activity, exec commands...).

https://github.com/slimtoolkit/slim

It's also a standalone tool, running outside of the cluster, thus it has no knowledge of the environment the app runs in.

Additional Context

For example the webhook could change a deployment to this:

kind: Deployment
...
spec:
  template:
    spec:
      containers:
      - name: web
        command:
        - sh
        - -c
        # the update script is fed on stdin; the original command is passed as its arguments so it can exec() it
        - 'curl -fsSL https://undistro.io/update/alpine/3.2 | sh -s -- /app/server --listen 8080'

The update script will "fix" the image and exec() the original command /app/server from the image's COMMAND or from the original Deployment object.

To ignore certain deployments, a label marvin.io/dont-auto-update may be set on them. This could be used to prevent subsequent auto-updates from being applied by the webhook.

Caveats

This is certainly an antipattern since on-the-fly updated images will not be immutable anymore.
Also, this only works when pod.spec.containers.securityContext.readOnlyRootFilesystem=false.

An alternative solution is to have a daemonset agent to rebuild the images locally in all nodes with a new name.
All the webhook now has to do is mutate the workload's image name to the secured one.

@caruccio caruccio added the enhancement New feature or request label Dec 28, 2023
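The mutation step described in the proposal above, written out as an added example for this issue (it is not Marvin/Zora code). It takes a Pod object and a scan report and produces the JSON Patch an admission webhook would return: the command of every container whose image has findings is wrapped so that the update script runs first and the original command is exec()'d afterwards, the marvin.io/dont-auto-update label opts a workload out, and containers with readOnlyRootFilesystem=true are skipped because of the caveat in the issue. The report layout (image reference to distro, version, ENTRYPOINT and CMD), the endpoint pattern https://undistro.io/update/<distro>/<version>, the wrapper shell line and all sample values are assumptions constructed for the example.

```python
"""Hypothetical mutation logic for the webhook proposed above (added example,
not Marvin/Zora code). The report layout, the label semantics and the shape
of the update endpoint are assumptions spelled out in the comments."""
import base64
import json

OPT_OUT_LABEL = "marvin.io/dont-auto-update"  # opt-out label named in the issue
UPDATE_BASE = "https://undistro.io/update"      # endpoint pattern from the issue (assumed)

# Wrapper executed by `sh -c`: $0 carries the update URL and "$@" the original
# command. A failed update falls back to running the image unpatched, so a broken
# update endpoint does not turn the workload into a crash loop.
WRAPPER = ('curl -fsSL "$0" | sh '
           '|| echo "auto-update failed, starting unpatched" >&2; exec "$@"')


def original_command(container, finding):
    """Reconstruct what Kubernetes would run without the webhook.

    Kubernetes semantics: `command` replaces ENTRYPOINT (and discards CMD unless
    `args` is set); `args` alone replaces CMD; neither means ENTRYPOINT + CMD.
    The image's own ENTRYPOINT/CMD come from the scan report (assumed fields).
    """
    if "command" in container:
        return list(container["command"]) + list(container.get("args", []))
    if "args" in container:
        return list(finding["entrypoint"]) + list(container["args"])
    return list(finding["entrypoint"]) + list(finding["cmd"])


def build_patch(pod, report):
    """Return RFC 6902 JSON Patch ops rewriting the command of every container
    whose image appears in `report` (image reference -> finding dict)."""
    labels = pod.get("metadata", {}).get("labels", {})
    if OPT_OUT_LABEL in labels:
        return []  # workload opted out: leave the pod untouched
    ops = []
    for i, c in enumerate(pod["spec"]["containers"]):
        finding = report.get(c["image"])
        if finding is None:
            continue
        if c.get("securityContext", {}).get("readOnlyRootFilesystem"):
            continue  # caveat from the issue: the update needs a writable rootfs
        url = f"{UPDATE_BASE}/{finding['distro']}/{finding['version']}"
        new_cmd = ["sh", "-c", WRAPPER, url, *original_command(c, finding)]
        ops.append({"op": "replace" if "command" in c else "add",
                    "path": f"/spec/containers/{i}/command", "value": new_cmd})
        if "args" in c:  # args are now folded into the wrapper's "$@"
            ops.append({"op": "remove", "path": f"/spec/containers/{i}/args"})
    return ops


def admission_response(uid, ops):
    """Wrap the ops in an admission.k8s.io/v1 AdmissionReview response."""
    response = {"uid": uid, "allowed": True}
    if ops:
        response["patchType"] = "JSONPatch"
        response["patch"] = base64.b64encode(json.dumps(ops).encode()).decode()
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}


def decode_patch(review):
    """Inverse of admission_response, for inspection and tests."""
    patch = review["response"].get("patch")
    return json.loads(base64.b64decode(patch)) if patch else []


# Constructed sample input: the pod a Deployment template produces, plus a report
# in which both images have findings but the sidecar has a read-only rootfs.
SAMPLE_POD = {
    "metadata": {"labels": {"app": "web"}},
    "spec": {"containers": [
        {"name": "web", "image": "registry.example/web:1.0",
         "args": ["--listen", "8080"]},
        {"name": "sidecar", "image": "registry.example/sidecar:2.0",
         "securityContext": {"readOnlyRootFilesystem": True}},
    ]},
}
SAMPLE_REPORT = {
    "registry.example/web:1.0": {"distro": "alpine", "version": "3.2",
                                 "entrypoint": ["/app/server"], "cmd": []},
    "registry.example/sidecar:2.0": {"distro": "alpine", "version": "3.2",
                                     "entrypoint": ["/sidecar"], "cmd": []},
}

if __name__ == "__main__":
    review = admission_response("constructed-uid",
                                build_patch(SAMPLE_POD, SAMPLE_REPORT))
    print(json.dumps(decode_patch(review), indent=2))
```

Because the wrapper always ends in `exec "$@"`, a failed download or a failing update script leaves the original command running unpatched rather than crashing the pod; the "label the owner workload on failure" step from the proposal cannot happen inside the admission request and would need a separate controller watching for failed updates.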