
Build an encrypted Docker container via Azure DevOps

I have a pipeline in Azure DevOps that builds a container and pushes it to my Azure Container Registry.

# Docker
# Build and push an image to Azure Container Registry
# https://learn.microsoft.com/azure/devops/pipelines/languages/docker

trigger:
- main

resources:
- repo: self

variables:
  # Container registry service connection established during pipeline creation
  dockerRegistryServiceConnection: 'myguyd'
  imageRepository: 'p2005'
  containerRegistry: 'myacr.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/api/DOCKERFILE'
  tag: '$(Build.BuildId)'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Docker@2
      displayName: Build and push an image to container registry
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: latest

In the container I also have some raw data files that the application needs. From a security point of view, it is not great to have the raw data in the container.

So, I was wondering whether there is a way to encrypt the Docker container, and if so, how to do it in the Azure pipeline.

I don't know of a way to encrypt via the Azure pipeline. If you're using AKS by chance, you can take a look at Confidential Computing.

A hardware-based Trusted Execution Environment (TEE) provides strong assurances. A TEE provides hardware and software measurements from trusted computing base (TCB) components. Confidential containers offerings on Azure allow verification of these measurements and validate if the container applications run in a verifiable execution environment.

Confidential containers support custom applications developed in any programming language. You can also run Docker containers off the shelf.

You can achieve this with Intel SGX and AKS.

To run an existing Docker container, applications on confidential computing nodes require an abstraction layer or Intel Software Guard Extensions (SGX) software to use the special CPU instruction set. Configure SGX to protect your sensitive application code. SGX creates a direct execution to the CPU to remove the guest operating system (OS), host OS, or hypervisor from the trust boundary. This step reduces the overall attack surface and vulnerabilities.

Azure Kubernetes Service (AKS) fully supports confidential containers. You can run existing containers confidentially on AKS.
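As an added illustration (not part of the original answer or of Azure's own samples) of what scheduling the image from the pipeline onto an AKS confidential node pool looks like: the pod asks for SGX enclave page cache (EPC) memory so Kubernetes places it only on SGX-capable nodes, and the image must already contain an SGX abstraction layer as the answer notes. The image name, node selector value and the `sgx.intel.com/epc` resource name are assumptions here; check them against the version of the AKS confidential computing add-on your cluster runs.

```yaml
# Added example pod spec for an AKS cluster that has an SGX (DCsv2/DCsv3) node pool
# and the confidential computing add-on installed. Identifiers below are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: p2005-confidential        # name chosen for this example
spec:
  nodeSelector:
    agentpool: confcompool        # assumed name of the SGX-capable node pool
  containers:
  - name: api
    image: myacr.azurecr.io/p2005:latest   # registry/repository from the question's pipeline
    resources:
      requests:
        sgx.intel.com/epc: "10Mi"         # EPC memory exposed by the SGX device plugin (assumed name)
      limits:
        sgx.intel.com/epc: "10Mi"         # requests == limits keeps the pod in the Guaranteed QoS class
    volumeMounts:
    - name: aesmd                         # AESM socket the enclave uses for attestation (assumed path)
      mountPath: /var/run/aesmd
  volumes:
  - name: aesmd
    hostPath:
      path: /var/run/aesmd
```

Without the EPC request the scheduler treats the pod as ordinary and it may land on a non-SGX node, where the enclave runtime inside the image cannot start, so the resource line is the part worth verifying first.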

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any question please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM