Build an encrypted Docker container via Azure DevOps
I have a pipeline in Azure DevOps that builds a container and pushes it to my Azure Container Registry.
# Docker
# Build and push an image to Azure Container Registry
# https://learn.microsoft.com/azure/devops/pipelines/languages/docker

trigger:
- main

resources:
- repo: self

variables:
  # Container registry service connection established during pipeline creation
  dockerRegistryServiceConnection: 'myguyd'
  imageRepository: 'p2005'
  containerRegistry: 'myacr.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/api/DOCKERFILE'
  tag: '$(Build.BuildId)'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: latest
In the container I also have some raw data files that the application needs. From a security point of view, it is not great to have the raw data in the container.

So I was wondering whether there is a way to encrypt the Docker container, and if so, how to do it in the Azure pipeline.
I don't know of a way to encrypt via the Azure pipeline. If you happen to be using AKS, you can take a look at Confidential Computing.

A hardware-based Trusted Execution Environment (TEE) provides strong assurances. A TEE provides hardware and software measurements from trusted computing base (TCB) components. Confidential container offerings on Azure allow verification of these measurements and validate whether the container applications run in a verifiable execution environment.

Confidential containers support custom applications developed in any programming language. You can also run off-the-shelf Docker containers.

You can achieve this with Intel SGX and AKS. To run an existing Docker container, applications on confidential computing nodes require an abstraction layer or Intel Software Guard Extensions (SGX) software to use the special CPU instruction set. Configure SGX to protect your sensitive application code. SGX creates a direct execution path to the CPU to remove the guest operating system (OS), host OS, and hypervisor from the trust boundary. This step reduces the overall attack surface and vulnerabilities.

Azure Kubernetes Service (AKS) fully supports confidential containers. You can run existing containers confidentially on AKS.
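As an added illustration of the AKS approach described in the answer above (this is not the answerer's code), here is a Kubernetes Job manifest that schedules a container onto an AKS confidential (SGX) node pool. It assumes the cluster already has a DCsv2-series node pool with the `confcom` add-on enabled, which installs the SGX device plugin that exposes the `kubernetes.azure.com/sgx_epc_mem_in_MiB` resource, and that the image `myacr.azurecr.io/p2005:latest` (the repository from the question's pipeline) has been wrapped with an SGX abstraction layer such as Gramine or SCONE so it can run inside an enclave. The EPC memory value is a placeholder and must be sized for the enclave's actual working set; the node selector label is an assumption and should be checked against the labels on your own nodes.

```yaml
# Added example: run the question's image on an AKS confidential node pool.
# Assumptions: confcom add-on installed, image wrapped for SGX, label below present.
apiVersion: batch/v1
kind: Job
metadata:
  name: p2005-enclave
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      # Assumed label; verify with: kubectl get nodes --show-labels
      nodeSelector:
        agentpool: confcompool1
      containers:
      - name: p2005
        image: myacr.azurecr.io/p2005:latest
        resources:
          limits:
            # Requesting EPC memory is what forces scheduling onto SGX-capable
            # nodes; without this limit the pod can land on a normal node and
            # the enclave will fail to initialise.
            kubernetes.azure.com/sgx_epc_mem_in_MiB: 10
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
```

Note that this only protects the data while it is being processed inside the enclave; it does not change the fact that the raw files are still present in the image layers stored in ACR, so anyone who can pull the image can still read them. The enclave approach is therefore complementary to keeping sensitive data out of the image altogether and fetching it at runtime over an attested channel.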