Using Chainguard Enforce to prepare for the Kubernetes registry deprecation

Adam Dawson, Product Manager and Ville Aikas, Distinguished Engineer
March 16, 2023

The Kubernetes project is making an important change to the former registry hosted at k8s.gcr.io. On March 20, 2023, pull requests to that registry will be redirected to the new community-owned registry at registry.k8s.io. Then, on April 3, 2023, the old registry will be deprecated and frozen.

If your organization uses Kubernetes images, you may be pulling them from the deprecated registry, and you will need to update your pipelines to use the new registry before the freeze date of April 3. You can learn more about the changes here.

Chainguard Enforce can help you find any images running in your environment that came from the deprecated registry, alert you about them, and even send your development teams a custom message that they need to update their image location immediately.

Chainguard Enforce is our secure-by-default developer platform that can help your organization address critical steps in securing your software supply chain. First, Chainguard Enforce provides visibility into what software you are running, where it came from, and what dependencies you have, so you can start to fix gaps and understand what to trust: is the software or tool you are running signed, is it a vulnerable version, or is it built with an SBOM? Once you have a clearer picture of your software supply chain, you can start to enforce policies across your organization that help you maintain a stronger security posture even as new CVEs or end-of-life software are introduced.

The admission control policy engine in Chainguard Enforce can validate source and provenance information about your images at deployment time, and continuously while the container is running in your environment. Chainguard Enforce's continuous verification feature also lets you know what workloads you are running and where, which helps you figure out which workloads will need to be updated under the new Kubernetes registry changes.

For example, if you have a monthly cronjob that was admitted with an old Kubernetes image but is not going to run again until May 1st, the Chainguard Enforce policy for the registry changes will find these workloads and flag them so you can fix them now, instead of when the next job tries to spin up.

How it works

Chainguard Enforce users can simply deploy the following policy to their environment to send a warning for any running or newly-deployed workload coming from the deprecated k8s.gcr.io registry:

```yaml
# Copyright 2023 Chainguard, Inc.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: deprecated-k8s-grc-io-registry-rego
  annotations:
    catalog.chainguard.dev/title: Deprecated registry
    catalog.chainguard.dev/description: Warn of a registry deprecation
    catalog.chainguard.dev/labels: rego
    catalog.chainguard.dev/learnMoreLink: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
spec:
  mode: warn
  images:
    - glob: "k8s.gcr.io/**"
  authorities:
    - name: k8s-deprecated
      static:
        action: pass
  policy:
    type: rego
    data: |
      package sigstore
      isCompliant[response] {
        response := {
          "result" : true,
          "error" : "",
          "warning" : "This repo has been deprecated: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/"
        }
      }
```

With this new policy, Chainguard Enforce will continuously monitor all your running workloads and notify you if you are impacted by this change. It will also monitor any new deployment requests to your cluster for images coming from the old registry at k8s.gcr.io. Since the policy is in "warn" mode, it will allow the deployment to proceed, but will generate a warning in the Enforce platform and back to the user that an image has been deployed from the deprecated registry.

This policy will run on all of your clusters across clouds continuously, so if any image violates the policy, it will record a violation immediately and notify you. You can use this information to let your development teams know that they need to update their pipelines before the April 3, 2023 freeze date.

For developers who want to monitor their own individual clusters, the free and open source Sigstore Policy Controller can also implement the policy above to check Kubernetes resources at deployment time for images in the deprecated registry.
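As a complement to the policy, the following added example (not Chainguard's or Sigstore's code) audits exported workload objects offline for images under k8s.gcr.io, including pod specs nested inside a CronJob's job template. The function names and the sample objects are constructed for illustration, the prefix match approximates the policy's `k8s.gcr.io/**` glob, and the suggested replacement assumes the image path is unchanged under registry.k8s.io.

```python
import json

OLD, NEW = "k8s.gcr.io/", "registry.k8s.io/"

# Constructed sample shaped like `kubectl get cronjobs,deployments -A -o json` output.
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "CronJob", "metadata": {"namespace": "batch", "name": "monthly-report"},
   "spec": {"schedule": "0 0 1 * *", "jobTemplate": {"spec": {"template": {"spec": {
     "initContainers": [{"name": "wait", "image": "k8s.gcr.io/pause:3.9"}],
     "containers": [{"name": "report", "image": "registry.example.test/report:1.0"}]}}}}}},
  {"kind": "Deployment", "metadata": {"namespace": "web", "name": "frontend"},
   "spec": {"template": {"spec": {"containers": [
     {"name": "app", "image": "registry.k8s.io/pause:3.9"},
     {"name": "lookalike", "image": "k8s.gcr.io.example.test/pause:3.9"}]}}}}
]}
""")

def pod_specs(obj):
    """Yield every pod spec nested in a workload spec (Pod, Deployment, CronJob, ...)."""
    if isinstance(obj, dict):
        if isinstance(obj.get("containers"), list):
            yield obj
        for value in obj.values():
            yield from pod_specs(value)
    elif isinstance(obj, list):
        for item in obj:
            yield from pod_specs(item)

def find_deprecated(items):
    """Return (kind, namespace/name, container, image, suggested image) tuples."""
    findings = []
    for item in items:
        meta = item.get("metadata", {})
        ident = f'{meta.get("namespace", "default")}/{meta.get("name", "?")}'
        for spec in pod_specs(item.get("spec", {})):
            for field in ("initContainers", "containers", "ephemeralContainers"):
                for c in spec.get(field) or []:
                    image = c.get("image", "")
                    # The trailing slash keeps lookalike hosts from matching.
                    if image.startswith(OLD):
                        findings.append((item.get("kind"), ident, c.get("name"),
                                         image, NEW + image[len(OLD):]))
    return findings

if __name__ == "__main__":
    for kind, ident, container, image, suggestion in find_deprecated(SAMPLE["items"]):
        print(f"{kind} {ident} [{container}]: {image} -> {suggestion}")
```

Only the CronJob's init container is reported here: the image already on registry.k8s.io and the lookalike hostname are both left alone.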

This is just one example of how Chainguard Enforce can help you monitor end-of-life software. If you want to try out Chainguard Enforce free for 30 days and discover all of these out-of-date images, sign up for a trial today. 
