Lots of organisations maintain a set of internal container base images. This allows for some centralisation of decision making (which base operating system should we use? What language runtimes do we support?) and provides a single place where security hardening and low-level patches can be applied.
But how do you ensure development teams are using the up-to-date base image? And from the development team perspective how can we make using the central base images a better developer experience?
In this talk we will:
- Look at a few patterns for better base image management
- Discuss the pros and cons involved in having central base images for your organisation, in particular around communicating change and determining ownership of issues
- Talk about the role build files like Dockerfile play in helping manage usage of base images
- Show a few demos of tools, including Snyk, Open Policy Agent and GitHub Actions, that can help you securely manage your base images
Takeaways
All attendees should come away from the session with some practical ideas they can put into practice straight away, whether they already have a central base image programme or not.
For teams responsible for managing a set of base images for an organisation we’ll talk about:
- The problems you might be trying to solve by having your own base images, like being able to triage issues once and reduce operational complexity
- Why development teams might not buy in and what to do about it
For development teams building applications we’ll look at:
- Why having someone else managing base images for you can be a good thing
- Ways of making the security boundaries between teams clearer
And for security teams responsible for assuring the final images and the process around building them we’ll discuss:
- How you can measure this effort across lots of teams and lots of images
- How to engage development teams in the process