Skip to main content

Use Thales Container Base Images

Introduction

Statistics from https://vulnerablecontainers.org show that more than 60% of the top 1000 downloaded images on hub.docker.com are vulnerable. K8SaaS team recommend to use Thales Approved Container Base Images for running your application.

The purpose of this documentation is to point you to the right gitlab repositories & artefacts + show you step by step what to do with a quick example.

Tutorial

In this tutorial, you're going to:

  • Discover the Container Base Images Catalog approved by Thales
  • Deploy a simple helloworld application based on a base image

img

Note:

  • only the application developed by Thales engineers used the base image.
  • the pipeline CI uses public images (risk less important: temporary actions)
  • Base images are stored in artefactory/Jfrog
  • Project image (based on base image) is stored on gitlab registry (because project focused)

Container Base Images Catalog approved by Thales

Please, look at this gitlab repository

Deploy a simple helloworld application based on a base image

Prerequisites

  • You should have access to a k8saas cluster with the developer-role rights (minimum)

First create a git project

img

img

Then, clone it on your laptop:

# in my case:
$ git clone https://gitlab.thalesdigital.io/loic.jardin.e/usethalescontainerbaseimage.git
# Update the path with your repository

Create a Dockerfile

touch Dockerlile

Then, fill the Dockerfile using:

FROM artifactory.thalesdigital.io/docker-internal/base-images/amd64/alpine:latest

# Installation of packages shall be done as root
USER root
RUN \
apk add --update wget && \
rm -rf /var/cache/apk/*


# Back to bob as default
USER bob
CMD ["echo", "Welcome to the k8saas membership team!"]

create a .gitlab-ci.yml file

touch .gitlab-ci.yml

fill it with

stages:
- build
- deploy_application

variables:
KUBECONFIG: ${CI_PROJECT_DIR}/kube_config
DOCKER_IMAGE_TAG: ${CI_PIPELINE_ID}-${CI_COMMIT_SHA}

build:image:
stage: build
image:
name: gcr.io/kaniko-project/executor:debug
entrypoint: [""]
retry: 2
script:
- mkdir -p /kaniko/.docker
- echo $DOCKER_AUTH_CONFIG > /kaniko/.docker/config.json
- /kaniko/executor --context $CI_PROJECT_DIR --dockerfile $CI_PROJECT_DIR/Dockerfile --destination $CI_REGISTRY_IMAGE:$DOCKER_IMAGE_TAG

deploy:helloworld:
stage: deploy_application
dependencies:
- build:image
image: bitnami/kubectl:latest
before_script:
- echo ${KUBE_CONFIG_K8SAAS} | base64 -d > ${KUBECONFIG}
- export KUBECONFIG=${KUBECONFIG}
- sed -i "s%TOBEREPLACE%$CI_REGISTRY_IMAGE:$DOCKER_IMAGE_TAG%g" kubernetes_deployment.yaml
script:
- kubectl apply -f kubernetes_deployment.yaml -n $NAMESPACE_K8SAAS

allow kubernetes to download docker image

In your gitlab project:

  • Click on "Settings", then "Repository", then "Deploy tokens"

Fill the fields with the following info:

  • Name: usethalescontainerbaseimage-pulltoken
  • Expires at: precise a date
  • tick "read_registry"
  • Click on "Create deploy token"

img.png

Now copy the username and the token.

We are going to create a secret into kubernetes that contains the gitlab token

source: Kubernetes official documentation

$ kubectl hns create dev -n customer-namespaces
$ kubectl create secret docker-registry usethalescontainerbaseimage-pulltoken --docker-server=registry.thalesdigital.io --docker-username=TOKEN_USERNAME --docker-password=TOKEN_VALUE -n dev
secret/usethalescontainerbaseimage-pulltoken created

This token will be used by kubernetes to pull your image in the next steps.

create a simple kubernetes deployment

touch kubernetes_deployment.yaml

Fill it with:

apiVersion: apps/v1
kind: Deployment
metadata:
name: usethalescontainerbaseimage
spec:
replicas: 1
selector:
matchLabels:
app: usethalescontainerbaseimage
template:
metadata:
labels:
app: usethalescontainerbaseimage
spec:
containers:
- name: usethalescontainerbaseimage
image: TOBEREPLACE
imagePullSecrets:
- name: usethalescontainerbaseimage-pulltoken

Final steps

info

CI environment variable DOCKER_AUTH_CONFIG is also propagate to kubernetes environment to allow docker image from binary repository.

Create the following variables in Settings / CI/CD / Variables:

  • NAMESPACE_K8SAAS containing the namespace of k8saas.
  • KUBE_CONFIG_K8SAAS containing the generic ci-cd kubeconfig. Doc do get it here. Please encode it in base64.
  • DOCKER_AUTH_CONFIG containing the following data. Please keep the $CI_REGISTRY, $CI_REGISTRY_USER, $CI_REGISTRY_PASSWORD as is.
{
"auths": {
"artifactory.thalesdigital.io": {
"username":"<<YOUR_EMAIL_ADDRESS>>",
"password":"<<YOUR_JFORG_API_TOKEN>>"
},
"$CI_REGISTRY": {
"username": "$CI_REGISTRY_USER",
"password": "$CI_REGISTRY_PASSWORD"
}
}
}

HOW TO get the API TOKEN in Jfrog ?

img

Usually, you should enable shared runners for this project before pushing the project into git:

img

Then git commit and push into master:

$ git add .
$ git commit -m "my first commit"
[master (root-commit) bfacdad] first commit
3 files changed, 63 insertions(+)
create mode 100644 .gitlab-ci.yml
create mode 100644 Dockerfile
create mode 100644 kubernetes_deployment.yaml
$ git push origin master
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 16 threads
Compressing objects: 100% (5/5), done.
Writing objects: 100% (5/5), 1.36 KiB | 1.36 MiB/s, done.
Total 5 (delta 0), reused 0 (delta 0)
To https://gitlab.thalesdigital.io/loic.jardin.e/usethalescontainerbaseimage.git
* [new branch] master -> master

Test your deployment

get the events:

% kubectl get events -n YOUR_NAMESPACE

You should see those lines:

0s          Normal    Pulling             pod/usethalescontainerbaseimage-7f6c64b574-54xpf    Pulling image "registry.thalesdigital.io/loic.jardin.e/usethalescontainerbaseimage:945363-998a0c3acc7179ddc2d53732d2a668f8ccc4300b"
0s Normal Pulled pod/usethalescontainerbaseimage-7f6c64b574-54xpf Successfully pulled image "registry.thalesdigital.io/loic.jardin.e/usethalescontainerbaseimage:945363-998a0c3acc7179ddc2d53732d2a668f8ccc4300b" in 5.663751434s

The look at the pods in your namespace:

% kubectl get pods -n YOUR_NAMESPACE
usethalescontainerbaseimage-7f6c64b574-54xpf 1/2 NotReady 2 33s

Note: the pod is not a daemon, so "NotReady Status" is normal :)

Get the logs of the container:

kubectl logs usethalescontainerbaseimage-7f6c64b574-54xpf -n dev -c usethalescontainerbaseimage
Welcome to the k8saas membership team!

TADA ! You just deploy your single container using a thales approved based image.

Next Steps