Building images for your apps
A Docker image is the basis for every container that you create with Red Hat® OpenShift® on IBM Cloud®.
An image is created from a Dockerfile, which is a file that contains instructions to build the image. A Dockerfile might reference build artifacts in its instructions that are stored separately, such as an app, the app's configuration, and its dependencies.
Building images
You can build your images in several ways, including the following IBM Cloud services.
- IBM Cloud Code Engine
- Code Engine supports building images from a Dockerfile and Cloud Native Buildpacks and automatically pushing the images to IBM Cloud® Container Registry. For more information, see Planning your build.
- Tekton pipelines
- The Continuous Delivery service includes several Tekton tasks that you can reference within your pipelines to build images. For more information, see Tekton pipelines.
Deploying containers from an existing image stream in the internal registry
You can deploy an app from an existing image stream that your cluster administrator set up in the internal registry of your Red Hat OpenShift cluster. For example, your cluster administrator might have set up the image stream to import an image from an external private registry, such as IBM Cloud Container Registry.
Using an image stream with the CLI
-
List the available image streams in a project. If you know the project, name, and tag of the image stream, you can use local image streams in other projects without setting up image pull stream credentials.
oc get is -n <project>
-
Create your app from the image stream.
oc new-app --image-stream="<project>/<imagestream>:<tag>"
Using an image stream from the Red Hat OpenShift web console
- From the Red Hat OpenShift web console, switch to the Developer perspective and click +Add.
- In the Add pane menu bar, select a Project that is not
default
to create your app in, and click Container Image. - In the Image section, select Image name from internal registry.
- Select
default
Project,<image>
ImageStreams, and<tag>
Tag of the image stream that you previously created. - Review the rest of the application details, and click Create.
Deploying containers from an IBM Cloud Container Registry image to the default
Red Hat OpenShift project
You can deploy containers to your cluster from an IBM-provided public image or a private image that is stored in your IBM Cloud Container Registry namespace. For more information about how your cluster accesses registry images, see Understanding how your cluster is authorized to pull images from IBM Cloud Container Registry.
Before you begin:
-
Set up a namespace in IBM Cloud Container Registry and push images to this namespace.
-
Create a deployment configuration file that is named
<deployment>.yaml
. -
Define the deployment and the image to use from your project in IBM Cloud Container Registry.
apiVersion: apps/v1 kind: Deployment metadata: name: <deployment> spec: replicas: <number_of_replicas> selector: matchLabels: app: <app_name> template: metadata: labels: app: <app_name> spec: containers: - name: <app_name> image: <region>.icr.io/<project>/<image>:<tag>
<deployment>
- Give your deployment a name.
<number_of_replicas>
- Enter the number of replica pods that the deployment creates.
app: <app_name>
- Use the name of your app as a label for the container.
name: <app_name>
- Give your container a name, such as the name of your
app
label. image: <region>.icr.io/project>/image>:tag>
- Replace the image URL variables with the information for your image:
region>
: The regional IBM Cloud Container Registry API endpoint for the registry domain. To list the domain for the region that you are logged in to, runibmcloud cr api
.namespace>
: The registry namespace. To get your namespace information, runibmcloud cr namespace-list
.image>:tag>
: The image and tag that you want to use for your container. To list the images that are available in your registry namespace, runibmcloud cr images
.
-
Create the deployment in your cluster.
oc apply -f <deployment>.yaml
Deploying containers from an encrypted image
Deploy containers from an encrypted image to your cluster by using the Image Key Synchronizer cluster add-on.
In clusters that run Red Hat OpenShift 4.5 or later, the CRI-O container runtime supports using encrypted container images. Encrypted container images are Open Container Initiative (OCI) images that contain encrypted layer contents. Instead of securing an image for individual developers, such as a developer using image pull secrets to pull images from a registry, you can enable image encryption for a specific cluster. In this way, you can ensure that encrypted images are run only in those specific clusters that have the image decryption key.
To run an app by using an encrypted image, you must share the key for decrypting the image with the container runtime on the worker nodes in the cluster. When you enable the Image Key Synchronizer add-on in your cluster, the synchronizer daemon
set is deployed in the image-key-synchronizer
project. You can then create Kubernetes secrets that contain the image decryption keys in that project. The add-on adds the keys to a specific directory on the worker nodes where the
container runtime can access and use the keys to decrypt container images. Note that the Image Key Synchronizer add-on also supports private keys that are first wrapped by a root key that is stored in an IBM® Key Protect instance.
Before you begin
-
Download and install the CLI clients for the following open source tools:
- OpenSSL, to generate an RSA key pair.
- Docker Engine CLI, to locally pull images from an image registry.
- Skopeo, to encrypt OCI container images.
-
Optional: When you create a public and private key pair for the image encryption, you can provide the private key directly in a secret, or first wrap the private key by using a Key Protect root key or a key management service (KMS). To prepare to wrap the private key:
-
Get the following values for your Key Protect instance:
-
Create a Kubernetes secret named
keyprotect-config
that contains the values that you retrieved. The Image Key Synchronizer add-on uses the environment variables in this secret to authenticate with your Key Protect instance.apiVersion: v1 kind: Secret metadata: name: keyprotect-config namespace: image-key-synchronizer type: Opaque stringData: config.json: | { "keyprotect-url":"<service_endpoint>", "instance-id": "<service_instance_ID>", "apikey": "<service_instance_ID_API_key>" }
To deploy containers that use encrypted images:
-
Enable the Image Key Synchronizer add-on.
ibmcloud oc cluster addon enable image-key-synchronizer -c <cluster_name_or_ID>
-
Verify that the
addon-image-key-synchronizer
daemon set was successfully created in theimage-key-synchronizer
project in your cluster.oc get ds addon-image-key-synchronizer -n image-key-synchronizer
-
Use
openssl
to generate a private and public RSA key pair.openssl genrsa -out myprivatekey.pem openssl rsa -in myprivatekey.pem -pubout -out mypubkey.pem
-
Provide the private key directly in a secret, or first wrap the private key by using a root key from a key management service (KMS), such as Key Protect. After you create the secret in the
image-key-synchronizer
project, the Image Key Synchronizer add-on automatically copies the private key to the/etc/crio/keys/synced
directory on your worker nodes.- To provide the private key directly: Save the private key as a Kubernetes secret in the
image-key-synchronizer
project.oc create -n image-key-synchronizer secret generic --type=key --from-file=myprivatekey.pem <secret_name>
- To wrap the private key by using a Key Protect root key:
-
Encode your private key in base64, and copy the output.
cat myprivatekey.pem | base64
-
Use the Key Protect CLI plug-in to wrap the base64-encoded private key with your root key. In the output, copy the ciphertext of the wrapped private key.
ibmcloud kp key wrap <root_key_ID> -p <base64_encoded_private_key>
-
Save the wrapped private key as a Kubernetes secret in the
image-key-synchronizer
project.apiVersion: v1 kind: Secret type: kp-key metadata: name: <secret_name> namespace: image-key-synchronizer stringData: rootkeyid: "<root_key_ID>" ciphertext: "<wrapped_private_key_cipertext>"
-
Create the secret.
oc apply -n image-key-synchronizer -f <secret_name>.yaml
-
- To provide the private key directly: Save the private key as a Kubernetes secret in the
-
Use
docker
to locally pull an OCI image. Replace<source_image>
with the repository of the image and<tag>
with the tag of the image that you want to use, such aslatest
.docker pull <source_image>:<tag>
-
Use
skopeo
to encrypt the local image. This command copies the OCI image that you previously pulled, uses your public key to encrypt the image, and saves the encrypted image to a different local file. Consider naming the encrypted image<source_image>_encrypted
for easy identification.skopeo copy --encryption-key jwe:./mypubkey.pem <source_image>:<tag> <source_image>_encrypted:<tag>
-
Optional: To locally verify that the image is encrypted, you can try to decrypt the image with an incorrect key.
-
Generate a new private key.
openssl genrsa --out wrongkey.pem 1024
-
Attempt to use this new key to decrypt the image. The decryption command fails because the incorrect private key was specified.
skopeo copy --decryption-key ./wrongkey.pem <source_image>_encrypted:<tag> <source_image>_decrypted:<tag>
-
-
Optional: Push the encrypted image to IBM Cloud Container Registry, which supports encrypted OCI images.
-
Specify the encrypted image in your app deployment. For example, if you pushed the encrypted image to IBM Cloud Container Registry, you can follow the example in Deploying containers from an IBM Cloud Container Registry image to the
default
Red Hat OpenShift project. When you create the deployment in your cluster, the container runtime uses the private decryption key in the/etc/crio/keys/synced
directory to decrypt the image before running it. -
For any subsequent images that you want to encrypt, you can either use the same public key to encrypt the images with Skopeo, or repeat these steps to use a different public and private key pair.
If you later decide to disable the add-on, the addon-image-key-synchronizer
daemon set is removed, but the image-key-synchronizer
project and any secrets that you created in that project are not removed, and the container
runtime can still use the secrets to run encrypted images. If you want to remove the keys from your worker nodes as well, you must delete the corresponding secrets from the image-key-synchronizer
project before you disable the
add-on.
For the list of changes for each Image Key Synchronizer add-on version, see the IBM Cloud Image Key Synchronizer add-on change log.
Referring to the image pull secret in your pod deployment
If the cluster administrator did not store the image pull secret in the Kubernetes service account, all deployments that don't specify a service account can't use the image pull secret to deploy containers. Instead, you can define an image pull secret in your pod deployment. When you refer to the image pull secret in a pod deployment, the image pull secret is valid for this pod only and can't be shared across pods in the Red Hat OpenShift project.
Before you begin
- Create an image pull secret to access images in other registries or Red Hat OpenShift projects other than
default
. - Access your Red Hat OpenShift cluster.
To refer to the image pull secret in your pod deployment,
-
Create a pod configuration file that is named
mypod.yaml
. -
Define the pod and the image pull secret to access images in IBM Cloud Container Registry.
To access a private image,
apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: <container_name> image: <region>.icr.io/<namespace_name>/<image_name>:<tag> imagePullSecrets: - name: <secret_name>
To access an IBM Cloud public image,
apiVersion: v1 kind: Pod metadata: name: mypod spec: containers: - name: <container_name> image: icr.io/<image_name>:<tag> imagePullSecrets: - name: <secret_name>
container_name>
- The name of the container to deploy to your cluster.
namespace_name>
- The registry namespace where the image is stored. To list available namespaces, run
ibmcloud cr namespace-list
.image_name>
- The name of the image to use. To list available images in an IBM Cloud account, run
ibmcloud cr image-list
.tag>
- The version of the image that you want to use. If no tag is specified, the image that is tagged latest is used by default.
<secret_name>
- The name of the image pull secret that you created earlier.
-
Save your changes.
-
Create the deployment in your cluster.
oc apply -f mypod.yaml
Pushing images to IBM Cloud Container Registry
After the cluster administrator sets up an image registry with IBM Cloud Container Registry, you can securely store and share Docker images with other users by adding images to your namespace.
For example, you might pull an image from any private or public registry source, and then tag it for later use in IBM Cloud Container Registry. Or, you might push a Docker image that you work with to your namespace so that other users can access the image. To get started, see Adding images to your namespace.
Managing security of images in IBM Cloud Container Registry with Vulnerability Advisor
Vulnerability Advisor checks the security status of container images that are provided by IBM, third parties, or added to your organization's IBM Cloud Container Registry namespace.
When you add an image to a namespace, the image is automatically scanned by Vulnerability Advisor to detect security issues and potential vulnerabilities. If security issues are found, instructions are provided to help fix the reported vulnerability. To get started, see Managing image security with Vulnerability Advisor.
Setting up trusted content for container images
You can build containers from trusted images that are signed and stored in IBM Cloud Container Registry, and prevent deployments from unsigned or vulnerable images.
- Sign images for trusted content. After you set up trust for your images, you can manage trusted content and signers that can push images to your registry.
- To enforce a policy so that only signed images can be used to build containers in your cluster, install the open source Portieris project.
- Cluster users can deploy apps that are built from trusted images.
Enabling image security enforcement in your cluster
When you enable image security enforcement in your cluster, you install the open-source Portieris Kubernetes project. Then, you can create image policies to prevent pods that don't meet the policies, such as unsigned images, from running in your cluster.
For more information, see the Portieris documentation.
Mutated images: By default, Portieris uses the MutatingAdmissionWebhook
admission controller to mutate your image to refer to the image by a digest instead of a tag. However, you might have some deployment technology
that rejects a mutated image. If so, you can use the image mutation option and policy to change the default behavior.
Enabling or disabling image security enforcement
You can enable or disable image security enforcement for your cluster from the CLI or console. For earlier versions, see the Portieris documentation.
Enabling or disabling image security enforcement with the CLI
See the following commands.
Enabling or disabling image security enforcement from the console
- From the Red Hat OpenShift clusters console, select your cluster.
- From the Overview tab, in the Summary pane, find the Image security enforcement field and click Enable or Disable.
Default image policies
When you enable image security enforcement, Red Hat OpenShift on IBM Cloud automatically creates certain image policies in your cluster. When you disable the feature, the underlying ClusterImagePolicy
CRD is removed, which removes
all the default image policies and any custom images policies that you created.
- Image policies with the name
ibm-signed-image-enforcement
restrict the images that are run in the project to Red Hat OpenShift on IBM Cloud images only. Do not modify these image policies. Any changes that you make are overwritten within a few minutes. - Other image policies, such as
default
ordefault-allow-all
, permit images that are not restricted by another image policy. You can modify these image policies and your changes are preserved, but don't rename the image policy. If you rename the policy, more policies with the default name and settings are created.
To review the image policies in your cluster,
Before you begin
Access your Red Hat OpenShift cluster.
-
List the image policies that apply globally to the cluster. For an example configuration, see the Portieris policy documentation.
oc get ClusterImagePolicy
-
List the image policies that apply to particular namespaces within the cluster. For an example configuration, see the Portieris policy documentation.
oc get ImagePolicy --all-namespaces