
The power of Open Source technology is the ability to delve deeply into the guts of a released project to see what's happening behind the scenes. That usually requires not just downloading the completed packages and looking at the code, but replicating the process used to create the packages and seeing if you get the same thing on an independent system.

A few years ago when Kubernetes/Docker arrived on the scene I saw that there was no good way to sign an "official" docker deployment. Because of this security issue I used other virtualization technologies for quite a while (e.g. KVM/Qemu).

Recently I saw that Docker had supposedly fixed the unsigned deployment issue, and so I was excited to try it out for a major distro, Ubuntu.

It turned out that the Docker process was adding unsigned binary images to the deployment, and you'd never know it unless you did an out-of-band check of the hashes from both Docker and the original source image. I had opened a ticket with Docker and Ubuntu, but since it wasn't yet fixed I only alluded to it in my earlier post about Docker security; now that the patch has been applied I can say a bit more about it.

Basically, the image that Docker takes for deployment isn't the same as the deployed Docker image. In other words, what you have is:

  • Signed Ubuntu Distro
      -> Ubuntu Signed Docker Image
          -> Docker Scripts 1
              -> Signed Docker Image
                  -> Docker Deployment Scripts
                      -> Deployed Docker Image

Because Docker breaks up the Ubuntu Docker image and re-deploys it for people to download with a new checksum, the final deployed Docker image won't match the official released/signed image from Ubuntu. This could be an issue if you don't know what is going on, and it turned out that part of the Docker deployment was adding unsigned binaries in a way that could interfere with the core of the Ubuntu package management process.

So while I commend the Docker dev team for transparency, the Docker team needs a way to take a distro-signed image and deploy it without changing the checksum before I'd trust a Docker image checksum. As it is, an additional check is needed to see what changes are made between the Ubuntu Docker distro and what Docker puts out as an "official" Ubuntu download.
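As an added illustration of the out-of-band check described above (not code from the original post, nor from Docker or Ubuntu), the following compares a distro-signed root filesystem tarball with the rootfs that actually gets deployed and lists every file the distro signature does not cover. Both tarballs, their paths and contents are constructed sample data; it assumes you have already verified the distro tarball's detached signature before feeding it in.

```python
import hashlib
import io
import tarfile


def file_hashes(tar_bytes):
    """Map each regular file in a rootfs tarball to its SHA-256 hex digest."""
    hashes = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name[2:] if member.name.startswith("./") else member.name
            data = tar.extractfile(member).read()
            hashes[name] = hashlib.sha256(data).hexdigest()
    return hashes


def diff_rootfs(signed_tar, deployed_tar):
    """Compare the distro-signed rootfs with the deployed one.
    Returns (added, removed, modified) path lists; anything listed is content
    the distro signature does not vouch for and needs a separate review."""
    base = file_hashes(signed_tar)
    deployed = file_hashes(deployed_tar)
    added = sorted(set(deployed) - set(base))
    removed = sorted(set(base) - set(deployed))
    modified = sorted(p for p in base if p in deployed and base[p] != deployed[p])
    return added, removed, modified


def make_tar(files):
    """Build an in-memory gzip tarball from {path: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed sample: the "signed" rootfs, and a deployed copy that gained one
# extra binary the distro never signed (path and content are made up).
SIGNED = make_tar({"./etc/os-release": b"ID=ubuntu\n", "./usr/bin/apt": b"apt-binary"})
DEPLOYED = make_tar({"./etc/os-release": b"ID=ubuntu\n", "./usr/bin/apt": b"apt-binary",
                     "./usr/local/bin/extra-helper": b"unsigned-binary"})

if __name__ == "__main__":
    added, removed, modified = diff_rootfs(SIGNED, DEPLOYED)
    print("added:", added, "removed:", removed, "modified:", modified)
```

An empty result on all three lists is the only outcome under which the deployed image's checksum could be expected to match the distro's.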
