Tremolo Security has always focused on securing not just your workloads and applications, but also our own development and supply chain. Even before there was talk of SBOMs, we made sure we were constantly scanning and rebuilding containers. Every release of OpenUnison and MyVirtualDirectory included upgrading all dependencies, as well as forcing upgrades to second tier and above dependencies that had known vulnerabilities with available patches. We rely on our suite of over 1000 individual test cases, a combination of unit and integration tests, to allow us to continuously keep our dependencies up to date.
Today, we're making several changes to increase our commitment to supply chain security and transparency:
- Images are now published to the GitHub Container Registry (ghcr.io) - All of Tremolo Security's published images are built using GitHub Actions, which produces a unique identity for each run that can be used to authenticate to remote services or other GitHub services, like GitHub's image registry. This means there's no static secret that needs to be rotated or can be compromised. You can track an image from build to push! We will continue to publish images to Dockerhub until at least July 31, 2024. All references to images in our charts and documentation will be changed to ghcr.io.
- Images are signed using the Sigstore project - For an additional layer of assurance, all images from Tremolo Security will be signed using the identity of the GitHub Actions run that created them.
- Images are pushed with signed SPDX SBOMs - Again, for additional image assurance.
- Helm Charts will include specific container versions - Prior to each release we will update versions in the helm charts to ensure you know which version of OpenUnison you're working with.
In the past, we avoided pushing versioned containers because we didn't want to be in a situation where a known vulnerability was left in the wild in an unpatched container. That said, our customers and users have continued to ask for versioned containers. Each container we publish will carry two tags: an application version and a patch version with a commit hash. Counting latest, that means there are three potential tags for any given container we publish. For instance, as of when this post was written, the main OpenUnison image (ghcr.io/openunison/openunison-k8s) has four total tags:
- latest - The most recent image pushed
- 1.0.37 - The latest application level version of OpenUnison
- 1.0.37-32c850 - Rebuilt image on 8/2/2023 based on updates to Canonical's ubuntu:22.04 image
- 1.0.37-f7531b - Original push of 1.0.37 on 7/27/2023
Tremolo Security will monitor and rebuild images for the latest published application version. So the 1.0.37 images will continue to be rebuilt until 1.0.38 is published. New images are generally published twice a month, as Canonical releases patches.
Our helm charts are configured to the application level version, so in this case 1.0.37. There are plans to eventually peg charts to individual build versions, but that's a complex problem to solve and we didn't want perfection to be the enemy of better.
For now, we recommend not enforcing image signatures in the openunison namespace, even though our containers are signed. This is because the default behavior of the policy enforcement webhooks from both Chainguard and Kyverno is to rewrite the image reference in Deployments/Jobs/StatefulSets/etc. to the digest of the container image, not the tag. This leads to a scenario where, even though you are upgrading your helm charts to get a newer image, the image doesn't actually change.
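As an added illustration of the caveat above (this is not a policy shipped by Tremolo Security), here is a Kyverno ClusterPolicy that verifies the keyless Sigstore signature on the OpenUnison images while disabling the tag-to-digest rewrite that causes the stale-image problem. The GitHub repository and workflow in the `subject` field are placeholders you must replace with the actual signing workflow identity; `mutateDigest`/`verifyDigest` semantics are as documented for Kyverno's verifyImages rule and should be confirmed against the Kyverno version you run.

```yaml
# Added example: Kyverno policy for the openunison namespace.
# Verifies the GitHub Actions (keyless) Sigstore signature on OpenUnison
# images WITHOUT replacing the tag with a digest, so a Helm upgrade that
# moves from 1.0.37-f7531b to 1.0.37-32c850 actually pulls the new image.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-openunison-images
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: verify-openunison-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
              namespaces:
                - openunison
      verifyImages:
        - imageReferences:
            - "ghcr.io/openunison/*"
          # Default (true) rewrites the Pod's image to its digest; that is the
          # behaviour that freezes the image across chart upgrades.
          mutateDigest: false
          # With mutateDigest off, do not require a digest to already be
          # present in the image reference (tags like 1.0.37 stay usable).
          verifyDigest: false
          attestors:
            - entries:
                - keyless:
                    # PLACEHOLDER: replace <repo> and <workflow> with the
                    # repository and workflow file that build the images.
                    subject: "https://github.com/OpenUnison/<repo>/.github/workflows/<workflow>.yml@*"
                    issuer: "https://token.actions.githubusercontent.com"
                    rekor:
                      url: https://rekor.sigstore.dev
```

Because the tag is left in place, the admission check only proves the image was signed by the expected workflow at admission time; it does not pin the workload to one build, which is the trade-off the post describes.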
We're very excited about these updates. They bring OpenUnison into a new level of supply chain security and provide more assurance to both our commercial and open source customers. We hope you'll visit OpenUnison's Website to see how we can help lock down your own infrastructure and applications!