[CKA] KodeKloud - Image Security

2024. 7. 20.

Today we look at Image Security.



A container image represents binary data that encapsulates an application and all its software dependencies. Container images are executable software bundles that can run standalone and that make very well defined assumptions about their runtime environment.



Image Security


In Kubernetes, image security (Image Security) covers the techniques and best practices needed to keep container images trustworthy from build through pull and run. It is usually broken down into the following areas:


  • Image signing and verification: sign images and verify the signature before use, with tools such as Docker Content Trust.
  • Image scanning: scan images for known vulnerabilities with tools such as Trivy, Clair, or Anchore.
  • Image pull policy: set an appropriate imagePullPolicy (for a mutable tag such as nginx:alpine, Always; pinning the image by digest is stronger still).
  • Private registry: use a Secret to authenticate to a private registry instead of a public one.
  • Least privilege: restrict what pods may do, historically with PodSecurityPolicy (removed in Kubernetes 1.25 and replaced by Pod Security Admission).
  • Network security and policies: control pod-to-pod traffic with NetworkPolicy.




1. What secret type must we choose for docker registry?

docker-registry (created with kubectl create secret docker-registry), which is stored as a Secret of type kubernetes.io/dockerconfigjson.

2. We have an application running on our cluster. Let us explore it first. What image is the application using?

root@controlplane ~ ➜  k get pods
NAME                  READY   STATUS    RESTARTS   AGE
web-758bd846c-bl27m   1/1     Running   0          22m
web-758bd846c-skq4m   1/1     Running   0          22m

root@controlplane ~ ✖ k describe deploy web
Name:                   web
Namespace:              default
CreationTimestamp:      Sat, 20 Jul 2024 02:58:43 +0000
Labels:                 app=web
Annotations:            deployment.kubernetes.io/revision: 1
Selector:               app=web
Replicas:               2 desired | 2 updated | 2 total | 2 available | 0 unavailable
StrategyType:           RollingUpdate
MinReadySeconds:        0
RollingUpdateStrategy:  25% max unavailable, 25% max surge
Pod Template:
  Labels:  app=web
  Containers:
   nginx:
    Image:         nginx:alpine

The application runs with 2 replicas and its image is nginx:alpine.


3. We decided to use a modified version of the application from an internal private registry. Update the image of the deployment to use a new image from

The registry is located at Don't worry about the credentials for now. We will configure them in the upcoming steps.

root@controlplane ➜ k edit deploy web
### change the image field to the private-registry image
      - image:
        imagePullPolicy: IfNotPresent
        name: nginx
root@controlplane /tmp ➜  k get pods
NAME                   READY   STATUS         RESTARTS   AGE
web-56d568f9f8-9kp88   0/1     ErrImagePull   0          4s
web-56d568f9f8-l5h8z   0/1     ErrImagePull   0          4s

The image was changed, but the new Pods fail with ErrImagePull: the kubelet cannot authenticate to the private registry because no credentials have been configured yet.


4. Are the new PODs created with the new images successfully running?
No. The image was changed, but the Pods are stuck in ErrImagePull.

5. Create a secret object with the credentials required to access the registry.

Name: private-reg-cred
Username: dock_user
Password: dock_password

Secret: private-reg-cred
Secret Type: docker-registry
Secret Data


### --docker-server points at the private registry (its address is elided here)
root@controlplane ~ ➜  kubectl create secret docker-registry private-reg-cred \
  --docker-server= \
  --docker-username=dock_user \
  --docker-password=dock_password
secret/private-reg-cred created

root@controlplane ~ ➜  k get secret
NAME               TYPE                             DATA   AGE
private-reg-cred   kubernetes.io/dockerconfigjson   1      5s

root@controlplane ~ ➜  k describe secret private-reg-cred 
Name:         private-reg-cred
Namespace:    default
Labels:       <none>
Annotations:  <none>

Type:  kubernetes.io/dockerconfigjson

Data
====
.dockerconfigjson:  176 bytes


6. Configure the deployment to use credentials from the new secret to pull images from the private registry.

root@controlplane ~ ✖ k edit deploy web
### imagePullSecrets belongs to the pod spec (a sibling of containers), not to the container
      containers:
      - image:
        imagePullPolicy: IfNotPresent
        name: nginx
      imagePullSecrets:
      - name: private-reg-cred


deployment.apps/web edited


7. Check the status of PODs. Wait for them to be running. You have now successfully configured a Deployment to pull images from the private registry.

root@controlplane ~ ➜  k get pods
NAME                  READY   STATUS    RESTARTS   AGE
web-ffd8c976c-2xjmr   1/1     Running   0          101s
web-ffd8c976c-l6njs   1/1     Running   0          102s
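The following Python is an added example, not code from the page or from the KodeKloud lab. It builds the same kind of object that kubectl create secret docker-registry produced in step 5, builds the Pod template fragment that references it in step 6, and then decodes the Secret again to make the point the lab does not spell out: a docker-registry Secret is base64-encoded JSON, not encrypted, so anyone with get secrets in the namespace recovers the registry password, and the credential in it should be a scoped, pull-only account. The registry host myprivateregistry.example:5000 is an assumption (the page elides the registry); the username, password, Secret name and container name are the lab's.

```python
import base64
import json

# Lab values from the page. The registry host is an assumption: the page
# elides it, so any value here is illustrative.
REGISTRY = "myprivateregistry.example:5000"   # assumption
USERNAME = "dock_user"
PASSWORD = "dock_password"
SECRET_NAME = "private-reg-cred"


def build_dockerconfigjson(server, username, password, email=None):
    """Build the JSON that kubectl create secret docker-registry stores under
    the .dockerconfigjson key (same layout as ~/.docker/config.json).
    The password appears twice: in clear and inside the base64 "auth" field."""
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password}
    if email:
        entry["email"] = email
    entry["auth"] = auth
    return json.dumps({"auths": {server: entry}}, separators=(",", ":"))


def build_secret_manifest(name, server, username, password, namespace="default"):
    """Secret manifest equivalent to the kubectl command from step 5."""
    cfg = build_dockerconfigjson(server, username, password)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def decode_pull_secret(secret):
    """Recover {server: (username, password)} from a docker-registry Secret.
    Only base64 is undone here: RBAC on `get secrets` is the real control."""
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError(f"unexpected secret type {secret.get('type')!r}")
    raw = base64.b64decode(secret["data"][".dockerconfigjson"])
    creds = {}
    for server, entry in json.loads(raw)["auths"].items():
        user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        creds[server] = (user, pw)
    return creds


def pod_template_with_pull_secret(image, secret_name, container_name="nginx"):
    """Pod template fragment for step 6. imagePullSecrets is a sibling of
    containers in the pod spec, not a field of the container. imagePullPolicy
    is Always because the tag is mutable; pinning by @sha256 digest is stronger."""
    return {
        "metadata": {"labels": {"app": "web"}},
        "spec": {
            "imagePullSecrets": [{"name": secret_name}],
            "containers": [
                {"name": container_name, "image": image, "imagePullPolicy": "Always"}
            ],
        },
    }


if __name__ == "__main__":
    manifest = build_secret_manifest(SECRET_NAME, REGISTRY, USERNAME, PASSWORD)
    print(json.dumps(manifest, indent=2))
    print("decoded:", decode_pull_secret(manifest))
    template = pod_template_with_pull_secret(f"{REGISTRY}/nginx:alpine", SECRET_NAME)
    print(json.dumps(template, indent=2))
```

Running the script prints the Secret manifest, the recovered credentials, and the Pod template. The decode step is the one to remember: the same recovery works against any docker-registry Secret you can read with kubectl get secret -o json, so scope the registry account to pull-only and restrict get/list on secrets in the namespace.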

Today we looked at the security of the container image pull path: credentials for a private registry and how a Deployment uses them.

Next time we will look at Security Contexts.



