Streamline Open-Source Security Compliance on Kubernetes with Tanzu Application Catalog

September 29, 2020 Brad Bock

The free availability of hundreds of thousands of open-source applications and components available as containers in public registries like Docker Hub presents both opportunities and challenges for enterprises looking to make the most of their shiny new Kubernetes clusters. 

Open-source software achieves a wide variety of functionality within modern applications, removing the need for developers to create their own services, such as logging and monitoring, caching, databases, message queues, etc. But it is difficult to know whether containerized software from public registries is high quality: if it was packaged using best practices for security, or what versions and patch levels of dependencies are included.

VMware Tanzu Application Catalog delivers the benefits of open-source software pre-packaged for Kubernetes, without the added risk associated with public container registries. It enables customers to curate a library of the most commonly used open-source software from Bitnami, which VMware acquired in 2019. Open-source software available through Tanzu Application Catalog is built by Bitnami’s automated packaging pipeline to be compliant with IT security standards and policy requirements that enable it to be used in production environments. 

Let’s take a look at three ways Tanzu Application Catalog helps customers achieve security and policy compliance without compromising the agility and speed gains from modern DevOps practices:

  • Customized/hardened base operating system images

  • Continuous software updates with comprehensive metadata

  • Vulnerability and antivirus scanning with auditable results

Build your catalog on your own hardened base operating system … or use one of ours

Many organizations require that software running in their environments be built on a standard “golden” operating system container image that is maintained by a security or IT operations team. This base OS container is customized with organization-specific policies and configurations. 

This MySQL image was built on a CentOS 7 base OS maintained by VMware.

Additionally, there are myriad benchmarks for container security that teams can follow to reduce the attack surface of applications. However, none of these benchmarks are typically applied to pre-built images from public container registries. This means that applications must be “rebased” onto the organization’s hardened OS container, and continuous integration (CI) infrastructure must be deployed and configured to maintain it over time. The result is that teams spend an inordinate amount of time packaging and customizing generic open-source components to meet their company policies—time that would be better spent on building and shipping applications. 

Tanzu Application Catalog builds your catalog of containers on top of your hardened base OS container for you, and automatically updates the containers whenever the OS is updated.

Put Bitnami’s automated packaging pipeline to work for you

We learned early on that the Bitnami system’s flexibility with packaging software for multiple Linux distributions would be of value to customers. One of our first beta testers and earliest customers was struggling to get the Harbor registry working on their hardened CentOS 7 base container, to which they had adapted security benchmarks originally designed for virtual machines. The thought of maintaining all of Harbor’s multiple containers, which were originally developed on PhotonOS, over the long term as updates to both the application and underlying dependencies evolved, was discouraging. 

Enter Tanzu Application Catalog: the customer set up a DMZ with their base operating system container in storage where the Tanzu Application Catalog automated pipeline could securely access it and periodically check for updates. Harbor was then packaged on this base container, and it has been maintained for the customer (along with a catalog of over 40 runtimes, databases, and other components) ever since. 

In the span of a couple of days, Tanzu Application Catalog solved a problem for this customer that, by their own estimate, would have taken multiple sysadmins and developers weeks of effort. Tanzu Application Catalog’s continuous stream of application and dependency updates made their security posture stronger than ever, even as it reduced costs.  

No custom base image? No problem!

What if you don't have your own base operating system image, but recognize the need to standardize on one? Not to worry. VMware maintains a variety of container images hardened using best practices and continuously monitored for security patches from the upstream distro. This removes the burden on teams to become experts in Linux packaging, allowing developers and operators to focus on more valuable work. 

This feature has been particularly valuable to our federal government customers, who require that their base OS containers be Federal Information Processing Standards (FIPS) certified. With Tanzu Application Catalog, these customers and others, such as government contractors, quickly gain access to an entire library of open-source software, maintained up-to-date on a FIPS-compliant operating system, so that developers can self-serve containers and Helm charts without violating security policy.

A continuous stream of software updates, with total transparency and auditability

One of the most important container security practices is to keep software up-to-date. This includes the latest security patches to applications or runtimes, dependencies, and operating system components. 

Keeping all those things maintained for open-source software often requires setting up costly CI infrastructure that does nothing to enhance the capabilities of whatever software is being maintained. To reduce these costs, there is constant pressure to utilize containers packaged by external parties. However, an organization is hard pressed to find a third party they can truly trust not to make mistakes in packaging their containers.

Tanzu Application Catalog takes a unique approach to solving this problem: the Bitnami automated pipeline gets the software in every container directly from the upstream source and updates it for you over time. Each container and Helm chart comes with metadata that provides a complete accounting of every binary, library, and system package contained within: what version and patch level, where it was downloaded from, what open-source license it is subject to; all signed and verifiable through the Tanzu Application Catalog UI or through our newly released CLI (in beta). 

Retrieve information about your MySQL container programmatically through the CLI.

This is a game changer for organizations that require a high degree of trust in their software. Rather than asking customers to take it on faith that their containers were built with best security practices, we show the proof. 

Tanzu Application Catalog metadata gives customers the same level of detail they would have if they had built and maintained the containers themselves, with none of the hassle and risk of human error inherent in constructing and operating CI infrastructure for open-source software.

Continuous vulnerability and antivirus scanning 

In addition to keeping software up to date and patched, many organizations have policies requiring that software brought into their environments be scanned for vulnerabilities and viruses. Tanzu Application Catalog conducts this scanning automatically on every container, every time it is updated. 

This proactive approach to scanning makes complying with IT security policy easier, since all of the software delivered to your private registry by Tanzu Application Catalog has been scanned before it ever reaches your environment. Every single update of every container in your catalog undergoes CVE and antivirus scanning. 

Got a security audit coming up? Showing proof of compliance is easy with Tanzu Application Catalog, because the results of all those security and antivirus scans are available right through the UI and CLI. You can quickly find and download individual scan results by navigating to the container in question, or for a more extensive audit you can programmatically pull together exactly what information you need for any or all of the containers in your catalog. 

Antivirus and CVE scans are available through the UI or CLI.

Further reading

We have covered in depth how Tanzu Application Catalog delivers security benefits by building your software on hardened operating systems of your choice, keeping all of your containers up to date and scanned, and delivering an exceptionally high level of transparency. But this is by no means an exhaustive description of the ways that Tanzu Application Catalog helps teams reduce the threat surface from open-source software and efficiently maintain security policy compliance. Here are some resources to learn more:

Want to see how Tanzu Application Catalog can help in your specific environment? Contact your friendly VMware sales rep to get access to a demo catalog.

This Month in Spring - September 2020
This Month in Spring - September 2020

How VMware IT Uses a Modern App Platform to Deliver a Superior Developer Experience
How VMware IT Uses a Modern App Platform to Deliver a Superior Developer Experience

How VMware uses the Tanzu portfolio to offer developers a self-service experience with zero wait times, and...


Subscribe to our Newsletter

Thank you!
Error - something went wrong!