Swapnil Bhartiya: Hi, this is your host Swapnil Bhartiya and welcome to TFiR: Let’s Talk. Today we have two guests with us from Mirantis, Chris Price, director of engineering at Mirantis and Kevin Ng, solution architect at Mirantis. Kevin, Chris, it’s good to have you both on the show.

Kevin Ng: Thanks.

Swapnil Bhartiya: And today we are going to talk about Mirantis Secure Registry. Chris, if I ask you that, you folks recently announced that your Mirantis Secure Registry will now support any Kubernetes distribution. So can you talk about what of the drivers behind this move?

Chris Price: Absolutely. Thank you very much for having me on the show today. And MSR 3.0 was just released in December and we, like you said, added support for any Kubernetes distribution. And the reason we did this was mostly at the behest of our customers. We have a number of customers who use MSR today, and we have customers who use it in conjunction with our Kubernetes distribution, MKE. And we have customers who use it in a standalone fashion. MSR is about five or six years old. It came from the Docker acquisition and previously you needed to use it with MKE. And so we had a number of customers who preferred to use it in a standalone fashion, and we answered their request by delivering MSR 3.0, which runs on any Kubernetes.

We also took this opportunity to modernize the software. MSR is now a 12 factor app. And the first mechanism we chose for deployment is via Helm chart. In the future, we’ll also be supporting an installation on top of swarm using the exact same code base. And finally, we believe that MSR is the best registry out there. And we believe that currently we were a little bit limited in the reach that we had because of the dependency on MKE. And so we wanted to bring the MSR experience to any kubernetes.

Swapnil Bhartiya: What exactly is Mirantis Secure Registry?

Chris Price: So Mirantis Secure Registry is a container image registry. It also has Helm support. We have role-based access control that hooks into your enterprise authentication and authorization framework, whether that’s LDAP, SAML or OIDC. We also have full image scanning and promotion policies. So this allows security personnel to create a sort of staging area for images as they’re built, they run through our scanner, they get promoted into a safe to deploy name space, and then all the images get deployed from there. We also have the possibility to create a secure supply chain, which I think Kevin will speak about a little bit more, but what this allows is to stop a supply chain attack or make it a lot more difficult for an attacker to execute a supply chain attack. And finally, there’s a number of hooks for integrating into your organization’s custom processes. So you can be notified when certain things happen to the registry.

Swapnil Bhartiya: Chris, can you also talk about what are the key benefits and features of MSR?

Chris Price: We have the registry itself, but there’s also the Helm support, Helm images or Helm charts are scanned for security issues, and those can limit their, whether or not they’re deployed the role-based access control with enterprise integration. This allows you to sort of, if you’re an LDAP user maintain all your users and all your rules in LDAP and they can be mapped into MSR, the image scanning capabilities, the promotion pipelines that you can create to ensure that CVEs aren’t released into your production environment, the possibility to use notary to create signed images as part of your secure supply chain. And finally, like I mentioned, the ability to hook into your integrated custom processes by writing a little code that receives a web hook from MSR.

Swapnil Bhartiya: How are Mirantis’ customers leveraging MSR as kind of part of their CI/CD workflow?

Kevin Ng: Yeah, absolutely. So like Chris mentioned, the benefits of MSR is a lot of the built in security features around that. So if you think of the typical pipeline, customers will build their code and their container images, and then MSR serves as a local image repository. So that a… Now the environment is much more secure. You’re not relying on an external repository for all of your container images, but at the same time, you could also control who gets into your container images. So in terms of their pipeline, the images are now store within MSR. And that becomes a single source of truth for everything being deployed into their environments, whether it’s their test environment, their pre-prod integration, or even a production environment.

Swapnil Bhartiya: What are the benefits of a private registry over a public one?

Chris Price: You could use a public registry such as Docker Hub is probably the most popular public registry. The downside to that is it’s not private, obviously that’s the most basic reason why you would want a private registry is to control access to your images and not have them out there in the open domain. The other, another problem with using a public registry is there’s often bandwidth limits and throttling. These registries usually are based on a cloud service and cloud services charge per gigabyte of bandwidth. So you’ll be throttled, if your users are downloading too much from the public registry. You can also run them anywhere, at least in the case of MSR. So this could be run on top of AWS. It could also be run in your on-prem environment and ultimately you’re controlling your own destiny when you use a private registry. When it goes down, you can get it back up and running again. When you’re using somebody else’s public registry, you’re dependent upon them to get it running again for you.

Swapnil Bhartiya: What are the risks involved with not using a secure registry, such as the one provided by Mirantis Secure Registry?

Kevin Ng: There’s a number of different factors, right. So let’s start with the actual container image itself. Now, the convenience that you get when you start using prebuilt containers is that one is not always entirely sure of what goes inside the containers. So one of the features that Chris mentioned for the Mirantis Secure Registry is the scanning functionality, right. So let’s take the recent Log4j vulnerability that was exposed, right. So with something like Mirantis Secure Registry, once your container images are put into the registry, we then go through and look at all the different layers to ensure that nothing like the Log4j vulnerability is actually contained within your image. So that’s the one thing, right.

So first thing is you now know that whatever you’re actually using to build your containers is actually secure, and there’s no vulnerabilities. Now take that and start packaging all the security aspects around that, right? To access the registry, you want to make sure that only those that are authorized to access your images are actually doing so. So you don’t get a third party attack to inject anything unwanted into your environment.

And the third factor of this one is making sure that whatever images you are actually executing within your environments are essentially what they are, right? So they’re authorized and they’re verified. So the signing with notary ensures that whatever image you are actually testing in your lower environments is actually the exact same image that you’re deploying onto your upper environments and into production. And you could set up the run time as well to ensure with content trust that only things that are authorized and signed can be executed with your environments. So this way, once your workload is being deployed into production, you know that, a, there’s no vulnerabilities inside, only those that are authorized to touch the container images are doing so and what you’re deploying is exactly what you think you’re deploying.

Swapnil Bhartiya: How does MSR fit into the whole [IDA 00:08:18] concept of secure software sub supply chain? Because when we do look at container images, there’s so much in there that sometimes folks don’t even know what’s running in their software or services.

Kevin Ng: If you think about the software supply chain, it’s almost like a manufacturing concept, right? So your software is essentially your most valuable assets. That is the product that is being shipped out to your customers. So the software supply chain is, all of the activities starting from the building, or even a step further before that, the planning and the building of the actual software code all the way through to the deployment, to the customers. So where MSR fits in is, think of the code being built. So once that’s being built, you need somewhere to store your products safely and securely.

So MSR is the repository where you actually have all of your build materials that are stored so securely and you know exactly what’s inside it, using the build materials analogy that you used and in this then be deployed into the rest of the chain. So the Mirantis Kubernetes Engine that Chris mentioned earlier is how you would take those products and deploy it into your environments. And then along with the other products that we have to give you the full end to end link, that brings you all the way from the build process, all the way to the deploy to production, and even the monitoring on top of that once it’s in production.

Swapnil Bhartiya: There are other products also in the space, they do offer kind of private registries as well. Do you want to talk about what sets MSR apart from them?

Chris Price: MSR is mainly focused on the security aspects of running a registry. And I don’t think our competitors have the same bent necessarily. A lot of them are focused on hosting a large number of different types of artifacts, or they’re just creating a registry as something to tick a box as part of a bigger solution. But MSR really lives up to its name where the feature set is oriented around creating a secure registry, ensuring that your images don’t have vulnerabilities in them and allowing you to create a secure supply chain and be notified when things change. And for example, we have customers who have set up processes to be notified when new CVEs are found in images that they’ve already shipped to production. So that image might scan clean today, but MSR updates its CVE vulnerability database on a daily basis, and that image might become vulnerable in the future. And we enable our customers and many customers have set up automation to notify them when this happens so that they can take the appropriate action.

Swapnil Bhartiya: It can go beyond security as well when we look at cloud native. Cloud native, I feel is not a thing. It’s a way of doing things, which also means that it’s about processes, it’s about people. So how does MSR kind of help with the building a culture also around either security, so that the teams look at it, they have tools that they can rely on because when it comes to security, there are a lot of mistakes that can be made. And cloud native is already very, very overwhelming. So you have so many knobs either way to turn in Kubernetes. So talk about the role that MSR is playing in helping companies adopt a very positive posture when it comes to security also.

Kevin Ng: But when you think about the whole concept of security, especially when you’re talking about something like a DevOps or a DevSecOps culture, the barrier to security usually is because of the… I don’t want to use the hit word hindrance, but the difficulty of including security in the processes. So I’ve got conversations with my customers saying, “Okay, with all these vulnerabilities out there, how do I know exactly which ones to look for? Or even if I do know what the vulnerabilities are, what do I do with them?” Right. So something like MSR. So with the built in scanner, with this, with the reference to CVEs, you not only get what the issues are, but you also get the remediation behind it as well. So this way, the idea behind this is really removing the barrier of entry of including security into the process. So with that, that actually helps with the culture as well, because now security is no longer a hindrance, but actually it’s their security is meant to be easy. So it’s there in the background, it’s helping you secure it. So you could actually get on with your daily jobs.

Chris Price: Yeah. I think those are some great points, Kevin and I would add that, most organizations have difficulties hiring security personnel. It’s a tough skillset to find. And so there’s usually only a couple of people who are the security experts at an organization and the rest of the people are left to worry about it themselves and only involve security as and when they see fit. So one of the things that MSR lets you do is create that secure supply chain where these security people are at the end of the chain, sort of checking everybody’s work and you can get greater efficiencies from your security people, because they’re implementing the process that you’re using MSR to implement. And like Kevin said, MSR does tell you how to remediate the issues that you encounter, the security issues that you encounter. So this allows the developers to sort of serve themselves, but be checked at the end by your very important and very scared security personnel.

Swapnil Bhartiya: So in December, you folks release 3.0 release, I’m pretty sure that your folks are already working on the next release. So what kind of roadmap you have, which you can share at that point, what are the things that you folks are working on?

Chris Price: Oh, we have a lot of exciting things coming down the pipe, we’re working on some migration tools that allow you to migrate from different registries into MSR. We’re working on some new mirroring rules. We’re working on an operator that will allow us to have a hosted service on top of Mirantis Lens Spaces, which is a SaaS service for your Kubernetes clusters. And the plan there is to put MSR into that SaaS service and so that it can serve externally to people who are coming from the outside, but it can also serve all your Kubernetes clusters that are managed by Lens Spaces.

Swapnil Bhartiya: Chris, Kevin, thank you so much for taking time out today and talk about MSR. And of course, we also talked about some challenges which are there in terms of, no, of course, containers and security. So thanks for sharing those insights as well. And I would love to have you folks back on the show. Thank you.

Chris Price: Thank you.

Kevin Ng: Thanks for having us.