Cosign-signed, immutable images for cloud and Kubernetes environments
Cloud-native CI/CD pipelines and build processes often expose Kubernetes to attack vectors via internet-sourced container images. Despite scanning, these container images can still be susceptible to supply chain attacks if not properly verified. Ensuring immutability—coupled with thorough scanning and strict verification—is crucial for any container entering Kubernetes clusters. This is particularly vital for securing observability solutions like Dynatrace® Kubernetes infrastructure observability, application observability, and Application Security.
The Dynatrace Operator is responsible for the secure lifecycle of components necessary for Kubernetes cluster monitoring. Dynatrace Operator ensures secure download and rollout of components via protected connections to the Dynatrace platform. Introducing Cosign-signed immutable images, Dynatrace further empowers you to independently verify images, maintaining observability free from supply chain attacks.
The benefits of independently verifiable container images begin, but do not end, with enhanced security.
- Security: Signing and immutability of container images significantly reduce the risk of security breaches, ensuring that only verified, tamper-proof observability tools are deployed.
- Compliance: Adhering to stringent security standards helps meet regulatory and compliance requirements for cloud-native environments.
- Reliability: Immutable images guarantee consistent performance and behavior, enhancing stability.
Incorporating signed Dynatrace containers into your pipeline
To enhance security in CI/CD processes, Dynatrace customers can integrate verified Dynatrace container images into their deployment pipelines. This process, illustrated below using Amazon’s Elastic Container Registry (ECR), is also applicable to Docker Hub and will be extended to other cloud platforms in the future.
How it works
Begin by browsing Dynatrace images on the Amazon Elastic Container Registry (ECR) Public Container Gallery. Signed and immutable container images are available for the entire Dynatrace observability stack.
- Dynatrace OneAgent®, which offers Application Security, host, network, and infrastructure monitoring
- Dynatrace OneAgent code modules, which offer application observability and security for Go, Java, Node, .Net, and PHP
- Dynatrace Operator
- Dynatrace ActiveGate for Kubernetes monitoring, routing, and signal compression
Drilling down on a container image reveals tags for both the signatures and the versions of the binaries. The version numbers of these binaries match the container image tags 1:1, so Dynatrace software components are versioned identically for containerized and non-containerized workloads.
Using public images
The recommended way of using Dynatrace signed immutable images is to use a private registry, which is typical for most organizations looking to prioritize security in their CI/CD workflows. This approach offers potentially improved performance and reliability, as the registry can be optimized for specific network environments.
This process involves a few steps:
- Query the public registry for the latest OneAgent, code module, and ActiveGate tags.
- Copy the container image to your private registry.
- Check that the images are valid and secure.
- Reference the container image in the DynaKube.
To get the latest supported version of the Dynatrace OneAgent container image, visit the Amazon ECR Gallery or, alternatively, use skopeo and jq to find the latest tag (signature tags, which start with "sha", are filtered out):
skopeo list-tags docker://public.ecr.aws/dynatrace/dynatrace-oneagent | jq -r '.Tags | map(select(startswith("sha") | not)) | max'
The retrieved image tag can now be used to copy the container image to your private image registry. To copy all image architectures and Cosign signatures for verification, make sure to use the --all flag and set use-sigstore-attachments to true in Skopeo's container registry configuration.
skopeo copy --all docker://public.ecr.aws/dynatrace/dynatrace-oneagent:<tag> \
  docker://registry.my-company.com/dynatrace-oneagent:<tag>
Next, verify the container image signature to ensure authenticity and integrity.
cosign verify --insecure-ignore-tlog --key https://ca.dynatrace.com/v1/cosign.pub \
  registry.my-company.com/dynatrace-oneagent:<tag>
Once the image has been copied over to your private registry, it can be scanned for vulnerabilities.
Finally, reference the verified private registry images in the DynaKube. The example below shows all three images: OneAgent, CodeModules, and ActiveGate. Note the inclusion of a pull secret, required for protected private registries.
apiVersion: dynatrace.com/v1beta1
kind: DynaKube
metadata:
  name: private-registry
  namespace: dynatrace
spec:
  apiUrl: https://(your environment)/api
  tokens: api-tokens
  customPullSecret: pull-secret
  oneAgent:
    cloudNativeFullStack:
      image: (your-registry)/dynatrace-oneagent:1.279.242.20240108-114943
      codeModulesImage: (your-registry)/dynatrace-codemodules:1.279.242.20240108-114943
  activeGate:
    capabilities:
      - kubernetes-monitoring
      - routing
    image: (your-registry)/dynatrace-activegate:1.279.116.20231206-155926
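The four steps above as one added shell script (not Dynatrace's own tooling): it resolves the latest release tag for each image, mirrors it with --all, verifies the mirrored copy with cosign, and only then prints the references to put in the DynaKube. It assumes skopeo, cosign and jq are on PATH, that PRIVATE_REGISTRY (placeholder registry.my-company.com) is your registry host, and that Skopeo's registries.d already sets use-sigstore-attachments to true for both registries.

```shell
#!/bin/sh
# Added example (not Dynatrace's tooling): mirror the three Dynatrace images into a private
# registry and refuse to hand out any reference whose Cosign signature does not verify.
# Assumptions: skopeo, cosign and jq on PATH; PRIVATE_REGISTRY is your registry host;
# Skopeo's registries.d already sets use-sigstore-attachments: true for both registries.
set -eu

PUBLIC_REPO="public.ecr.aws/dynatrace"
PRIVATE_REGISTRY="${PRIVATE_REGISTRY:-registry.my-company.com}"   # placeholder host
COSIGN_KEY="https://ca.dynatrace.com/v1/cosign.pub"

# Newest release tag from a newline-separated tag list on stdin. Signature tags are named
# "sha256-<digest>.sig", so anything starting with "sha" is dropped; release tags all share
# the 1.MMM.BBB.YYYYMMDD-HHMMSS shape, so a plain lexical maximum matches jq's max.
pick_latest_tag() {
  grep -v '^sha' | LC_ALL=C sort | tail -n 1
}

# Ask the public registry for the tag list and reduce it to the latest release.
latest_public_tag() {   # $1 = image name, e.g. dynatrace-oneagent
  skopeo list-tags "docker://$PUBLIC_REPO/$1" | jq -r '.Tags[]' | pick_latest_tag
}

# --all copies every architecture in the manifest list plus the Cosign signature attachments.
mirror_image() {        # $1 = image name, $2 = tag
  skopeo copy --all "docker://$PUBLIC_REPO/$1:$2" "docker://$PRIVATE_REGISTRY/$1:$2"
}

# Verify the mirrored copy against Dynatrace's published key. --insecure-ignore-tlog skips
# the Rekor transparency-log lookup (as in the post); the key signature is still checked.
verify_image() {        # $1 = image name, $2 = tag
  cosign verify --insecure-ignore-tlog --key "$COSIGN_KEY" "$PRIVATE_REGISTRY/$1:$2" >/dev/null
}

# Mirror, verify and print one "<image>=<ref>" line per image. A failed verification aborts
# the run (set -e) before an unverified reference can be pasted into a DynaKube.
mirror_and_verify_all() {
  for name in dynatrace-oneagent dynatrace-codemodules dynatrace-activegate; do
    tag=$(latest_public_tag "$name")
    mirror_image "$name" "$tag"
    verify_image "$name" "$tag"
    echo "$name=$PRIVATE_REGISTRY/$name:$tag"
  done
}

# Run with: PRIVATE_REGISTRY=registry.example.internal sh mirror.sh run
if [ "${1:-}" = "run" ]; then mirror_and_verify_all; fi
```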
Take cloud-native security to new heights
The latest release of Dynatrace signed immutable container images marks a step forward in securing cloud-native observability stacks. By ensuring the integrity and security of containers at every step, from public registry to Kubernetes deployment, Dynatrace sets a new standard in cloud-native security. This gets to the heart of the Dynatrace mission to provide unparalleled observability and security in an ever-evolving digital landscape.
What’s next
New users can explore these advanced features with a free 15-day trial, experiencing firsthand how Dynatrace is transforming cloud-native security.
For current Dynatrace customers, getting started with our new signed, immutable images is easy—just refer to Dynatrace Documentation.