Non-compliant container images are container images that do not meet the security and compliance standards set by the organization. Such images may come from untrusted sources or be tampered with by unauthorized parties while they are distributed. They may also contain software under licenses the organization does not allow, or vulnerabilities that attackers can exploit to gain unauthorized access to the system. Preventing non-compliant container images from running is crucial to ensuring the security of the system.
Ratify is an open-source project that was established in 2021. It is a verification engine that empowers users to enforce policies through the verification of container images and attestations, such as vulnerability reports and SBOMs (software bills of materials). Ratify offers a pluggable framework that allows users to bring their own verification plugins. The latest Ratify v1.1.0 release supports verification of Notary Project signatures, vulnerability reports and SBOMs.
Use Ratify with Gatekeeper as the Kubernetes policy controller
One of the primary use cases of Ratify is to use it with Gatekeeper as the Kubernetes policy controller. This helps prevent non-compliant container images from running in your Kubernetes cluster. Ratify acts as an external data provider for Gatekeeper: when Gatekeeper evaluates an admission request, it sends the image references to Ratify, and Ratify returns verification data that Gatekeeper processes according to the defined policies.
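The following Gatekeeper ConstraintTemplate and Constraint illustrate the integration described above. It is an added example written against the Gatekeeper external data API, not a manifest taken from the Ratify project or its documentation. It assumes that Ratify has already been installed and registered with Gatekeeper as an external data Provider named "ratify-provider", and that pods in the "default" namespace are the workloads to be checked; the provider name, constraint name and namespace are assumptions you would adapt to your cluster.

```yaml
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: ratifyverification
spec:
  crd:
    spec:
      names:
        kind: RatifyVerification
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package ratifyverification

        # Collect every image referenced by the pod, including init and
        # ephemeral containers, so that none of them bypasses verification.
        images := array.concat(
          [img | img := input.review.object.spec.containers[_].image],
          array.concat(
            [img | img := input.review.object.spec.initContainers[_].image],
            [img | img := input.review.object.spec.ephemeralContainers[_].image]))

        # Ask the external data provider (assumed to be registered as
        # "ratify-provider") to verify each image reference.
        remote_data := external_data({"provider": "ratify-provider", "keys": images})

        violation[{"msg": msg}] {
          general_violation[{"result": msg}]
        }

        # Fail closed: if Gatekeeper could not reach the provider at all,
        # treat the request as a violation rather than silently admitting it.
        general_violation[{"result": result}] {
          err := remote_data.system_error
          err != ""
          result := sprintf("System error calling external data provider: %s", [err])
        }

        # Any per-image error returned by the provider is also a violation.
        general_violation[{"result": result}] {
          count(remote_data.errors) > 0
          result := sprintf("Error validating one or more images: %s", remote_data.errors)
        }

        # Each response is a [key, value] pair; the value is the verification
        # result for that image. Deny when the provider reports it as not successful.
        general_violation[{"result": result}] {
          subject_validation := remote_data.responses[_]
          subject_validation[1].isSuccess == false
          result := sprintf("Subject failed verification: %s", [subject_validation[0]])
        }
---
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: RatifyVerification
metadata:
  name: ratify-constraint
spec:
  enforcementAction: deny
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces: ["default"]
```

Apply both manifests with kubectl; afterwards, a pod created in the "default" namespace is admitted only when the provider reports every image as successfully verified. The template deliberately treats provider errors as violations, since a policy that admits workloads whenever the verifier is unreachable would be trivially bypassable.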
Want to learn more?
The following video delves into the history of Ratify, explains what Ratify is, and includes a practical demonstration of how to utilize Ratify to prevent untrusted container images from running in a Kubernetes cluster.
How to get started?
You can follow the quick start to learn how to prevent untrusted container images from running in your Kubernetes clusters. Ratify documentation offers more details and examples of how to utilize Ratify to enforce policies in various scenarios.