Streamline Open-Source Security Compliance On Kubernetes With Tanzu Application Catalog

  • aster.cloud
  • September 30, 2020
  • 6 minute read

The free availability of hundreds of thousands of open-source applications and components, published as containers in public registries such as Docker Hub, presents both opportunities and challenges for enterprises looking to make the most of their shiny new Kubernetes clusters.

Open-source software provides much of the functionality in modern applications, removing the need for developers to build their own services such as logging and monitoring, caching, databases, and message queues. But it is difficult to know whether containerized software from public registries is high quality: whether it was packaged using security best practices, or which versions and patch levels of its dependencies are included.

VMware Tanzu Application Catalog delivers the benefits of open-source software pre-packaged for Kubernetes, without the added risk associated with public container registries. It enables customers to curate a library of the most commonly used open-source software from Bitnami, which VMware acquired in 2019. Open-source software available through Tanzu Application Catalog is built by Bitnami’s automated packaging pipeline to be compliant with IT security standards and policy requirements that enable it to be used in production environments.

Let’s take a look at three ways Tanzu Application Catalog helps customers achieve security and policy compliance without compromising the agility and speed gains from modern DevOps practices:

  • Customized/hardened base operating system images

  • Continuous software updates with comprehensive metadata

  • Vulnerability and antivirus scanning with auditable results

Build your catalog on your own hardened base operating system … or use one of ours

Many organizations require that software running in their environments be built on a standard “golden” operating system container image that is maintained by a security or IT operations team. This base OS container is customized with organization-specific policies and configurations.

This MySQL image was built on a CentOS 7 base OS maintained by VMware.

Additionally, there are myriad benchmarks for container security that teams can follow to reduce the attack surface of applications. However, these benchmarks are typically not applied to pre-built images from public container registries. This means that applications must be “rebased” onto the organization’s hardened OS container, and continuous integration (CI) infrastructure must be deployed and configured to maintain it over time. The result is that teams spend an inordinate amount of time packaging and customizing generic open-source components to meet their company policies, time that would be better spent building and shipping applications.

Tanzu Application Catalog builds your catalog of containers on top of your hardened base OS container for you, and automatically updates the containers whenever the OS is updated.

Put Bitnami’s automated packaging pipeline to work for you

We learned early on that the Bitnami system’s flexibility in packaging software for multiple Linux distributions would be of value to customers. One of our first beta testers and earliest customers was struggling to get the Harbor registry working on their hardened CentOS 7 base container, to which they had adapted security benchmarks originally designed for virtual machines. The prospect of maintaining all of Harbor’s containers, originally developed on PhotonOS, over the long term as both the application and its underlying dependencies evolved was discouraging.

Enter Tanzu Application Catalog: the customer set up a DMZ with their base operating system container in storage where the Tanzu Application Catalog automated pipeline could securely access it and periodically check for updates. Harbor was then packaged on this base container, and it has been maintained for the customer (along with a catalog of over 40 runtimes, databases, and other components) ever since.

In the span of a couple of days, Tanzu Application Catalog solved a problem for this customer that, by their own estimate, would have taken multiple sysadmins and developers weeks of effort. Tanzu Application Catalog’s continuous stream of application and dependency updates made their security posture stronger than ever, even as it reduced costs.

No custom base image? No problem!

What if you don’t have your own base operating system image, but recognize the need to standardize on one? Not to worry. VMware maintains a variety of container images hardened using best practices and continuously monitored for security patches from the upstream distro. This removes the burden on teams to become experts in Linux packaging, allowing developers and operators to focus on more valuable work.

This feature has been particularly valuable to our federal government customers, who require that their base OS containers be Federal Information Processing Standards (FIPS) certified. With Tanzu Application Catalog, these customers and others, such as government contractors, quickly gain access to an entire library of open-source software, kept up to date on a FIPS-compliant operating system, so that developers can self-serve containers and Helm charts without violating security policy.

A continuous stream of software updates, with total transparency and auditability

One of the most important container security practices is to keep software up to date. This includes the latest security patches for applications and runtimes, their dependencies, and operating system components.

Keeping all of that maintained for open-source software often requires setting up costly CI infrastructure that adds nothing to the capabilities of the software being maintained. To reduce these costs, there is constant pressure to use containers packaged by external parties. However, an organization is hard pressed to find a third party it can truly trust not to make mistakes in packaging those containers.

Tanzu Application Catalog takes a unique approach to solving this problem: the Bitnami automated pipeline gets the software in every container directly from the upstream source and updates it for you over time. Each container and Helm chart comes with metadata that provides a complete accounting of every binary, library, and system package contained within: the version and patch level, where it was downloaded from, and which open-source license it is subject to, all signed and verifiable through the Tanzu Application Catalog UI or through our newly released CLI (in beta).

Retrieve information about your MySQL container programmatically through the CLI.

This is a game changer for organizations that require a high degree of trust in their software. Rather than asking customers to take it on faith that their containers were built with best security practices, we show the proof.

Tanzu Application Catalog metadata gives customers the same level of detail they would have if they had built and maintained the containers themselves, with none of the hassle and risk of human error inherent in constructing and operating CI infrastructure for open-source software.
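To make the value of signed, per-component metadata concrete, here is an added example (not Tanzu Application Catalog or Bitnami code) of how a consuming team might verify a metadata record and check it against its own policy before admitting an image. The record layout, the HMAC-SHA256 signature over canonical JSON, the verification key, the license allowlist and the trusted upstream hosts are all assumptions made for illustration; the page only states that the metadata lists every binary, library and system package with its version, download source and license, and that it is signed and verifiable.

```python
"""Verify a signed container metadata record, then check it against local policy.

Added example; not Tanzu Application Catalog code. The record shape, the
HMAC-based signature, the key and the policy rules below are assumptions.
"""
from __future__ import annotations

import hashlib
import hmac
import json
from urllib.parse import urlparse

# Assumption: a shared verification key. A real catalog would publish a public
# key and use an asymmetric signature; HMAC keeps this example fully offline.
VERIFY_KEY = b"constructed-demo-key"

# Local policy inputs (constructed for the example).
ALLOWED_LICENSES = {"GPL-2.0", "MIT", "Apache-2.0", "BSD-3-Clause"}
TRUSTED_SOURCE_HOSTS = {"dev.mysql.com", "www.openssl.org", "mirror.centos.org"}


def canonical_bytes(payload: dict) -> bytes:
    """Serialise deterministically so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(payload: dict, key: bytes = VERIFY_KEY) -> str:
    """Produce the hex signature that the catalog side is assumed to attach."""
    return hmac.new(key, canonical_bytes(payload), hashlib.sha256).hexdigest()


def signature_valid(record: dict, key: bytes = VERIFY_KEY) -> bool:
    """Constant-time comparison of the embedded signature with a recomputed one."""
    expected = sign_metadata(record["metadata"], key)
    return hmac.compare_digest(expected, record.get("signature", ""))


def policy_violations(metadata: dict) -> list[str]:
    """Return human-readable policy violations; an empty list means compliant."""
    problems: list[str] = []
    for comp in metadata.get("components", []):
        name = comp.get("name", "<unnamed>")
        if not comp.get("version"):
            problems.append(f"{name}: missing version")
        lic = comp.get("license")
        if lic not in ALLOWED_LICENSES:
            problems.append(f"{name}: license {lic!r} not in allowlist")
        host = urlparse(comp.get("source", "")).hostname
        if host not in TRUSTED_SOURCE_HOSTS:
            problems.append(f"{name}: source host {host!r} not trusted")
    return problems


def check_record(record: dict, key: bytes = VERIFY_KEY) -> tuple[bool, list[str]]:
    """Signature first: a tampered or unsigned record is rejected outright,
    because its component list cannot be trusted enough to evaluate."""
    if not signature_valid(record, key):
        return False, ["signature verification failed; metadata not trusted"]
    problems = policy_violations(record["metadata"])
    return not problems, problems


# Constructed sample record loosely resembling the MySQL image the page mentions.
SAMPLE_METADATA = {
    "image": "mysql:8.0-centos-7",
    "base_os": "centos-7",
    "components": [
        {"name": "mysql", "version": "8.0.21", "license": "GPL-2.0",
         "source": "https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-8.0.21.tar.gz"},
        {"name": "openssl", "version": "1.1.1g", "license": "Apache-2.0",
         "source": "https://www.openssl.org/source/openssl-1.1.1g.tar.gz"},
    ],
}
SAMPLE_RECORD = {"metadata": SAMPLE_METADATA, "signature": sign_metadata(SAMPLE_METADATA)}


if __name__ == "__main__":
    ok, issues = check_record(SAMPLE_RECORD)
    print("compliant" if ok else "non-compliant", issues)
```

The ordering matters: the signature is checked before any policy rule is evaluated, so a record whose component list was altered after signing fails closed rather than being judged on forged contents. Swapping the HMAC for the catalog's real public-key signature scheme would not change the structure of the check.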

Continuous vulnerability and antivirus scanning

In addition to keeping software up to date and patched, many organizations have policies requiring that software brought into their environments be scanned for vulnerabilities and viruses. Tanzu Application Catalog conducts this scanning automatically on every container, every time it is updated.

This proactive approach to scanning makes complying with IT security policy easier, since all of the software delivered to your private registry by Tanzu Application Catalog has been scanned before it ever reaches your environment. Every single update of every container in your catalog undergoes CVE and antivirus scanning.

Got a security audit coming up? Showing proof of compliance is easy with Tanzu Application Catalog, because the results of all those security and antivirus scans are available right through the UI and CLI. You can quickly find and download individual scan results by navigating to the container in question, or for a more extensive audit you can programmatically pull together exactly what information you need for any or all of the containers in your catalog.

Antivirus and CVE scans are available through the UI or CLI.
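The audit scenario above, where scan results for any or all containers are pulled programmatically, is illustrated by this added example (not Tanzu Application Catalog code). The JSON shape of the per-container scan results, the placeholder CVE identifiers, the severity thresholds and the antivirus fields are assumptions constructed for the example; the page states only that every container update is CVE- and antivirus-scanned and that results are retrievable through the UI or CLI. The one behaviour worth noting is that a container with no scan on record fails the audit instead of being silently skipped.

```python
"""Aggregate per-container CVE and antivirus scan results into an audit verdict.

Added example; not Tanzu Application Catalog code. The result layout, the
placeholder CVE ids and the policy thresholds are assumptions.
"""
from __future__ import annotations

from collections import Counter

# Policy (constructed): block on any CRITICAL/HIGH CVE, any antivirus hit,
# or any container whose latest build has no scan on record.
BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}


def evaluate_container(name: str, scan: dict | None) -> dict:
    """Return a verdict for one container. A missing scan is a failure, never a pass."""
    if scan is None:
        return {"container": name, "status": "FAIL",
                "reasons": ["no scan result on record"], "by_severity": {}}
    reasons: list[str] = []
    vulns = scan.get("vulnerabilities", [])
    counts = Counter(v["severity"] for v in vulns)
    blocking = [v["id"] for v in vulns if v["severity"] in BLOCKING_SEVERITIES]
    if blocking:
        reasons.append("blocking CVEs: " + ", ".join(sorted(blocking)))
    av = scan.get("antivirus")
    if not av:
        reasons.append("no antivirus result on record")
    elif av.get("infected_files", 0) > 0:
        reasons.append(f"antivirus flagged {av['infected_files']} file(s)")
    return {"container": name, "status": "FAIL" if reasons else "PASS",
            "reasons": reasons, "by_severity": dict(counts)}


def audit_catalog(results: dict[str, dict | None]) -> dict:
    """Evaluate every container and summarise which ones block the audit."""
    verdicts = [evaluate_container(n, s) for n, s in sorted(results.items())]
    failing = [v["container"] for v in verdicts if v["status"] == "FAIL"]
    return {"total": len(verdicts), "failing": failing, "verdicts": verdicts}


def format_report(audit: dict) -> str:
    """Render the audit as plain text suitable for attaching to compliance evidence."""
    lines = [f"{audit['total']} container(s) audited, {len(audit['failing'])} failing"]
    for v in audit["verdicts"]:
        sev = ", ".join(f"{k}={n}" for k, n in sorted(v["by_severity"].items())) or "none"
        lines.append(f"[{v['status']}] {v['container']}  cves: {sev}")
        for r in v["reasons"]:
            lines.append(f"    - {r}")
    return "\n".join(lines)


# Constructed sample: what a bulk pull of scan results might look like.
# CVE ids are placeholders (CVE-0000-xxxx), not real advisories.
SAMPLE_RESULTS: dict[str, dict | None] = {
    "mysql:8.0": {
        "vulnerabilities": [{"id": "CVE-0000-0001", "severity": "MEDIUM"}],
        "antivirus": {"scanned_files": 1342, "infected_files": 0},
    },
    "redis:6.0": {
        "vulnerabilities": [{"id": "CVE-0000-0002", "severity": "CRITICAL"},
                            {"id": "CVE-0000-0003", "severity": "LOW"}],
        "antivirus": {"scanned_files": 411, "infected_files": 0},
    },
    "harbor-core:2.0": None,  # build registered, but no scan result was returned
}


if __name__ == "__main__":
    print(format_report(audit_catalog(SAMPLE_RESULTS)))
```

Treating an absent result as a failure is the point of the example: an audit script that iterates only over the results it received will happily report a clean catalog while a container that was never scanned slips through, so the loop is driven by the list of containers, not by the list of scans.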

Further reading

We have covered in depth how Tanzu Application Catalog delivers security benefits by building your software on hardened operating systems of your choice, keeping all of your containers up to date and scanned, and delivering an exceptionally high level of transparency. But this is by no means an exhaustive description of the ways that Tanzu Application Catalog helps teams reduce the threat surface from open-source software and efficiently maintain security policy compliance. Here are some resources to learn more:

  • Learn about Bitnami’s best security practices for packaging Helm charts

  • Read about best practices for hardening containers

  • Security best practices for using your Tanzu Application Catalog Helm charts in production environments

  • Check out this series of tutorials on best practices for creating application images on Bitnami/Tanzu App Catalog containers

  • Be sure to check out the Tanzu Application Catalog breakout sessions and demos at VMworld!

Want to see how Tanzu Application Catalog can help in your specific environment? Contact your friendly VMware sales rep to get access to a demo catalog.

By Brad Brock
