
Streamline Open-Source Security Compliance On Kubernetes With Tanzu Application Catalog

  • aster.cloud
  • September 30, 2020
  • 6 minute read

The free availability of hundreds of thousands of open-source applications and components, packaged as containers in public registries like Docker Hub, presents both opportunities and challenges for enterprises looking to make the most of their shiny new Kubernetes clusters.

Open-source software provides a wide variety of functionality within modern applications, removing the need for developers to build their own services such as logging and monitoring, caching, databases, and message queues. But it is difficult to know whether containerized software from public registries is high quality: whether it was packaged using security best practices, or which versions and patch levels of its dependencies it includes.


VMware Tanzu Application Catalog delivers the benefits of open-source software pre-packaged for Kubernetes, without the added risk associated with public container registries. It enables customers to curate a library of the most commonly used open-source software from Bitnami, which VMware acquired in 2019. Open-source software available through Tanzu Application Catalog is built by Bitnami’s automated packaging pipeline to be compliant with IT security standards and policy requirements that enable it to be used in production environments.

Let’s take a look at three ways Tanzu Application Catalog helps customers achieve security and policy compliance without compromising the agility and speed gains from modern DevOps practices:

  • Customized/hardened base operating system images

  • Continuous software updates with comprehensive metadata

  • Vulnerability and antivirus scanning with auditable results

Build your catalog on your own hardened base operating system … or use one of ours

Many organizations require that software running in their environments be built on a standard “golden” operating system container image that is maintained by a security or IT operations team. This base OS container is customized with organization-specific policies and configurations.

This MySQL image was built on a CentOS 7 base OS maintained by VMware.

Additionally, there are myriad benchmarks for container security that teams can follow to reduce the attack surface of applications. However, these benchmarks are typically not applied to pre-built images from public container registries. This means that applications must be “rebased” onto the organization’s hardened OS container, and continuous integration (CI) infrastructure must be deployed and configured to maintain it over time. The result is that teams spend an inordinate amount of time packaging and customizing generic open-source components to meet their company policies, time that would be better spent on building and shipping applications.

Tanzu Application Catalog builds your catalog of containers on top of your hardened base OS container for you, and automatically updates the containers whenever the OS is updated.

Put Bitnami’s automated packaging pipeline to work for you

We learned early on that the Bitnami system’s flexibility with packaging software for multiple Linux distributions would be of value to customers. One of our first beta testers and earliest customers was struggling to get the Harbor registry working on their hardened CentOS 7 base container, to which they had adapted security benchmarks originally designed for virtual machines. The thought of maintaining all of Harbor’s multiple containers, which were originally developed on PhotonOS, over the long term as updates to both the application and underlying dependencies evolved, was discouraging.

Enter Tanzu Application Catalog: the customer set up a DMZ with their base operating system container in storage where the Tanzu Application Catalog automated pipeline could securely access it and periodically check for updates. Harbor was then packaged on this base container, and it has been maintained for the customer (along with a catalog of over 40 runtimes, databases, and other components) ever since.

In the span of a couple of days, Tanzu Application Catalog solved a problem for this customer that, by their own estimate, would have taken multiple sysadmins and developers weeks of effort. Tanzu Application Catalog’s continuous stream of application and dependency updates made their security posture stronger than ever, even as it reduced costs.

No custom base image? No problem!

What if you don’t have your own base operating system image, but recognize the need to standardize on one? Not to worry. VMware maintains a variety of container images hardened using best practices and continuously monitored for security patches from the upstream distro. This removes the burden on teams to become experts in Linux packaging, allowing developers and operators to focus on more valuable work.

This feature has been particularly valuable to our federal government customers, who require that their base OS containers be Federal Information Processing Standards (FIPS) certified. With Tanzu Application Catalog, these customers and others, such as government contractors, quickly gain access to an entire library of open-source software, maintained up-to-date on a FIPS-compliant operating system, so that developers can self-serve containers and Helm charts without violating security policy.

A continuous stream of software updates, with total transparency and auditability

One of the most important container security practices is to keep software up-to-date. This includes the latest security patches to applications or runtimes, dependencies, and operating system components.

Keeping all those things maintained for open-source software often requires setting up costly CI infrastructure that does nothing to enhance the capabilities of whatever software is being maintained. To reduce these costs, there is constant pressure to utilize containers packaged by external parties. However, an organization is hard pressed to find a third party they can truly trust not to make mistakes in packaging their containers.

Tanzu Application Catalog takes a unique approach to solving this problem: the Bitnami automated pipeline gets the software in every container directly from the upstream source and updates it for you over time. Each container and Helm chart comes with metadata that provides a complete accounting of every binary, library, and system package contained within: what version and patch level, where it was downloaded from, what open-source license it is subject to; all signed and verifiable through the Tanzu Application Catalog UI or through our newly released CLI (in beta).

Retrieve information about your MySQL container programmatically through the CLI.

This is a game changer for organizations that require a high degree of trust in their software. Rather than asking customers to take it on faith that their containers were built with best security practices, we show the proof.

Tanzu Application Catalog metadata gives customers the same level of detail they would have if they had built and maintained the containers themselves, with none of the hassle and risk of human error inherent in constructing and operating CI infrastructure for open-source software.

Continuous vulnerability and antivirus scanning

In addition to keeping software up to date and patched, many organizations have policies requiring that software brought into their environments be scanned for vulnerabilities and viruses. Tanzu Application Catalog conducts this scanning automatically on every container, every time it is updated.

This proactive approach to scanning makes complying with IT security policy easier, since all of the software delivered to your private registry by Tanzu Application Catalog has been scanned before it ever reaches your environment. Every single update of every container in your catalog undergoes CVE and antivirus scanning.

Got a security audit coming up? Showing proof of compliance is easy with Tanzu Application Catalog, because the results of all those security and antivirus scans are available right through the UI and CLI. You can quickly find and download individual scan results by navigating to the container in question, or for a more extensive audit you can programmatically pull together exactly what information you need for any or all of the containers in your catalog.

Antivirus and CVE scans are available through the UI or CLI.
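As an added example (not code from the original post, nor from VMware or Bitnami), the following Python script models the kind of programmatic audit this section describes: it walks a set of constructed container metadata records and reports every container that was not built on the organization's golden base image, whose CVE or antivirus scan is stale or failing, or that ships a component under a license outside the allowlist. The metadata schema, the image names, the severity scale and the CVE identifier are all assumptions, not the catalog's real CLI output or format.

```python
"""Audit a catalog of container metadata against a simple compliance policy.
Constructed example: records, schema and policy are made up for illustration,
not Tanzu Application Catalog's real CLI output or schema."""
from datetime import datetime, timezone

GOLDEN_BASE = "registry.example.internal/base/centos7-hardened"  # assumed org image
SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}
ALLOWED_LICENSES = {"Apache-2.0", "MIT", "BSD-3-Clause", "GPL-2.0", "MPL-2.0"}

# Constructed catalog: one metadata record per container build (hypothetical values).
CATALOG = [
    {"name": "mysql", "base": GOLDEN_BASE, "built": "2020-09-28T10:00:00Z",
     "scan": {"time": "2020-09-28T11:00:00Z", "findings": [], "av_clean": True},
     "components": [{"pkg": "mysql", "version": "8.0.21", "license": "GPL-2.0"}]},
    {"name": "harbor-core", "base": "docker.io/library/photon:3.0",
     "built": "2020-09-27T09:00:00Z",
     "scan": {"time": "2020-09-20T11:00:00Z", "av_clean": True,
              "findings": [{"id": "CVE-EXAMPLE-0001", "severity": "HIGH"}]},
     "components": [{"pkg": "harbor-core", "version": "2.1.0", "license": "Apache-2.0"}]},
]

def _ts(s):
    # Parse the constructed ISO-8601 UTC timestamps used in the records above.
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit(record, golden=GOLDEN_BASE, max_sev="MEDIUM"):
    """Return the policy violations for one record; an empty list means compliant."""
    problems = []
    if record["base"] != golden:
        problems.append(f"base image {record['base']} is not the hardened golden image")
    scan = record["scan"]
    if _ts(scan["time"]) < _ts(record["built"]):
        problems.append("scan predates the latest build; a rescan is required")
    for f in scan["findings"]:
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[max_sev]:
            problems.append(f"{f['id']} ({f['severity']}) exceeds allowed severity {max_sev}")
    if not scan["av_clean"]:
        problems.append("antivirus scan reported a detection")
    for c in record["components"]:
        if c["license"] not in ALLOWED_LICENSES:
            problems.append(f"{c['pkg']} {c['version']}: license {c['license']} not allowed")
    return problems

def audit_catalog(catalog=CATALOG):
    """Map each container name to its list of violations."""
    return {r["name"]: audit(r) for r in catalog}

if __name__ == "__main__":
    for name, problems in audit_catalog().items():
        print(name, "OK" if not problems else "; ".join(problems))
```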

Further reading

We have covered in depth how Tanzu Application Catalog delivers security benefits by building your software on hardened operating systems of your choice, keeping all of your containers up to date and scanned, and delivering an exceptionally high level of transparency. But this is by no means an exhaustive description of the ways that Tanzu Application Catalog helps teams reduce the threat surface from open-source software and efficiently maintain security policy compliance. Here are some resources to learn more:

  • Learn about Bitnami’s best security practices for packaging Helm charts

  • Read about best practices for hardening containers

  • Security best practices for using your Tanzu Application Catalog Helm charts in production environments

  • Check out this series of tutorials on best practices for creating application images on Bitnami/Tanzu App Catalog containers

  • Make sure to check out the Tanzu Application Catalog breakout sessions and demos at VMworld!

Want to see how Tanzu Application Catalog can help in your specific environment? Contact your friendly VMware sales rep to get access to a demo catalog.

By Brad Brock

