-
Notifications
You must be signed in to change notification settings - Fork 5
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
60 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,46 @@ | ||
| [id="cnf-best-practices-image-standards"] | ||
| = Image standards | ||
|
|
||
| It is recommended that container images be built utilizing Red Hat's Universal Base Image as they will have a solid security baseline as well as support from Red Hat. | ||
|
|
||
| Vendors must satisfy 3 requirements related to maintaining proper workload isolation in a containerized environment: | ||
|
|
||
| .VCP CNF requirement | ||
| [IMPORTANT] | ||
| ==== | ||
| Containerized workloads should work with a restricted SCC unless an exception is given | ||
| ==== | ||
|
|
||
| .VCP CNF requirement | ||
| [IMPORTANT] | ||
| ==== | ||
| Containerized workloads should work with Red Hat’s default SELinux context. This is meant to forbid all changes to both primary config files (SCC, SEL) and the many related files referenced by these primary files. All security configuration files must be unchanged from the vendor’s released version. | ||
| See test cases link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#platform-alteration-base-image[platform-alteration-base-image], link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#platform-alteration-is-selinux-enforcing[platform-alteration-is-selinux-enforcing] | ||
| ==== | ||
|
|
||
| .VCP CNF requirement | ||
| [IMPORTANT] | ||
| ==== | ||
| The container image must be secure. | ||
| See test cases link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#platform-alteration-isredhat-release[platform-alteration-isredhat-release], link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#platform-alteration-is-selinux-enforcing[platform-alteration-is-selinux-enforcing] | ||
| ==== | ||
|
|
||
| The Red Hat UBI is able to meet these requirements and enables images built with it to meet these requirements. UBI is supported by a dedicated, full-time team providing releases of base image. UBI has the following features: | ||
|
|
||
| * Scheduled release every 6 weeks to pick up less critical fixes. | ||
|
|
||
| * On-demand release for critical or important CVE within 5 days of CVE public release. | ||
|
|
||
| * Guarantees alignment with host OS packages and versions that run tightly coupled to the container artifacts. Many CVEs and potential attacks result from mismatch of untested versions of utility functions. | ||
|
|
||
| * Ensures globally consistent time zone usage and resulting timestamps for global operators. | ||
|
|
||
| * Enables continuous authorization to operate (ATO). Authorize once, use many times. | ||
|
|
||
| * Meets requirements of the DOD, for example Air Force/DISA STIG. | ||
|
|
||
| * Supports system-wide crypto consistency, for example, must have same crypto implementation as the Red Hat host operating system. | ||
|
|
||
| * Provides authentication of the base layer via digital signature from originating vendor and strong signature authority. |
14 changes: 14 additions & 0 deletions
14
modules/cnf-best-practices-universal-base-image-information.adoc
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,14 @@ | ||
| [id="cnf-best-practices-universal-base-image-information"] | ||
| = Universal Base Image information | ||
|
|
||
| link:https://developers.redhat.com/products/rhel/ubi[UBI] is designed to be a foundation for cloud-native and web applications use cases developed in containers. You can build a containerized application using UBI, push it to your choice of registry server, easily share it with others - and because it’s freely redistributable — even deploy it on non-Red Hat platforms. And since it’s built on Red Hat Enterprise Linux, UBI is a platform that is reliable, secure, and performant. | ||
|
|
||
| Base Images:: A set of three base images (Minimal, Standard, and Multi-service) are provided to provide optimum starting points for a variety of use cases. | ||
|
|
||
| Runtime Languages:: A set of language runtime images (PHP, Perl, Python, Ruby, Node.js) enable developers to start coding out of the gate with the confidence that a Red Hat built container image provides. | ||
|
|
||
| Complementary packages:: A set of associated YUM repositories/channels include RPM packages and updates that allow users to add application dependencies and rebuild UBI container images anytime they want. | ||
| + | ||
| Red Hat UBI images are the preferred images to build VNFs on as they will leverage the fully supported Red Hat ecosystem. In addition, once a VNF is standardized on a Red Hat UBI, the image can become Red Hat certified. | ||
| + | ||
| Red Hat UBI images are free to vendors so there is a low barrier of entry to getting started. |