Docker Base Images are the images that all applications running on the Infrastructure must build ...
The images can be found in the official eHealth Docker repository: https://registry.admin.ehealth.sundhed.dk/harbor/projects/11/repositories
Java 11
baseimages/openjdk:11-jre-slim
Or, if you wish to use a minimal JRE for the developed application, you can create one with jlink and run the result on:
baseimages/alpine:3.11
Java 8 - Deprecated
For Java 8 the preferred base image is the Alpine Linux distribution, as it gives a smaller attack surface and has a smaller resource overhead.
baseimages/openjdk:8-jre-alpine
JBoss WildFly
If you need to run an application server instead of a standalone Java application, you can use JBoss WildFly.
In this case, please use the newest WildFly image that you can.
baseimages/jboss/wildfly:17
Info: The following list does not show the newest image tags; these can always be found at the link above.
Azul
OpenJDK is available in two different variants:
baseimages/azul/zulu-openjdk:alpine-xx
Used by: Systematic
Distroless Java
Distroless Java images are provided in two different versions:
baseimages/distroless/java:nonroot # the newest one
baseimages/distroless/javaXX:nonroot # where XX is the major version, e.g. 17
Used by: Trifork
Nginx
baseimages/nginxinc/nginx-unprivileged:x.xx-alpine-slim
Used by: Trifork and Telma
Keycloak
baseimages/keycloak
Used by: Trifork
Node
baseimages/node:XX-alpine
Used by: Systematic
Cosign
baseimages/cosign
Used by: Trifork
Kubectl
baseimages/kubectl
Used by: Trifork
Alpine
baseimages/alpine
Used by: Systematic
Security
All Docker images are subject to regular security scans. The chosen security scanning software is Trivy, which comes with Harbor.
Trivy subscribes to security feeds from the major OS providers: Alpine Linux, Debian, CentOS, as well as ... and NVD.
Both operating system packages and application libraries are scanned.
If Trivy misses anything, Snyk scans inttest and production.
Mitigation
If a critical security issue is found in the Docker image, the supplier will be notified and needs to take swift action (within 3 hours) to mitigate the issue.
The result will be a new Docker image, built by the supplier, which doesn't contain the issue and needs to be deployed on the infrastructure using the normal CI/CD pipeline.
If non-critical security issues are found in the Docker image, a report will be generated for the supplier.
Best practices
Suppliers must follow best practices regarding Docker images. This includes:
- Not running processes as root inside the container. This will be enforced by Kubernetes when images are started. Put "USER 1000" or similar into your Dockerfile, as Kubernetes doesn't support checking non-numeric usernames. Use "COPY --chown=1000:1000" to set sufficient permissions to access files inside the container.
- Building minimal images, both in regards to actual size and in regards to the number of extra components in the image that can contain security issues.
- Not building any passwords or API keys into the image.
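As an added check (not part of this page or of the eHealth tooling), the following Python script applies the rules above to a Dockerfile before it is pushed: a numeric USER must be set, COPY/ADD should carry --chown, and no credential-like names may appear in ENV or ARG. The two sample Dockerfiles are constructed for the example, and the credential detection is a name-based heuristic only.

```python
import re

# Constructed sample Dockerfiles (not from the page): one that breaks the rules
# above and one that follows them, both using the Java 11 image listed on this page.
BAD_DOCKERFILE = """\
FROM baseimages/openjdk:11-jre-slim
ENV DB_PASSWORD=changeme
COPY target/app.jar /app/app.jar
USER appuser
CMD ["java", "-jar", "/app/app.jar"]
"""

GOOD_DOCKERFILE = """\
FROM baseimages/openjdk:11-jre-slim
COPY --chown=1000:1000 target/app.jar /app/app.jar
USER 1000
ENTRYPOINT ["java", "-jar", "/app/app.jar"]
"""

# Heuristic: variable names that suggest a credential is being baked into the image.
SECRET_HINT = re.compile(r"(password|passwd|secret|api[_-]?key|token)", re.I)


def check_dockerfile(text: str) -> list[str]:
    """Return the list of rule violations found; an empty list means the file passes."""
    findings = []
    user = None
    # Join backslash-continued lines so a multi-line instruction is handled as one record.
    for raw in re.sub(r"\\\r?\n", " ", text).splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, args = line.partition(" ")
        instr, args = instr.upper(), args.strip()
        if instr == "USER":
            user = args  # the last USER instruction wins, as in Docker
        elif instr in ("COPY", "ADD") and "--chown=" not in args:
            findings.append(f"COPY without --chown, files may be unreadable for UID 1000: {line}")
        elif instr in ("ENV", "ARG") and SECRET_HINT.search(args):
            findings.append(f"possible credential baked into the image: {line}")
    if user is None:
        findings.append("no USER instruction: the process would run as root")
    elif not re.fullmatch(r"\d+(:\d+)?", user):
        findings.append(f"USER '{user}' is not numeric; Kubernetes cannot verify it is non-root")
    elif user.split(":")[0] == "0":
        findings.append("USER 0 is root")
    return findings
```

Run it as a CI step on the supplier's Dockerfile and fail the build when the list is non-empty.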