How to Secure Images in Our Kubernetes Repositories


We build strong walls to protect our homes. We must do the same for our containers. In Kubernetes, container images are like blueprints. If someone changes them, our entire application could be at risk. Attackers may slip in malicious code. If we don't secure our images, an attacker may steal data, crash our systems, or open doors for future attacks. Images must be trusted. They should come from safe sources. They must be checked and protected. 


In this post, we will review how images are built, shared, and pulled by our pods. Then, we will see how to safely use both public and private image repositories.


How Images Are Built and Shared

Container images are built using a Dockerfile. This file describes what goes inside the container. It pulls software, libraries, and configurations. Once built, we push the image to a container registry. A registry is like a warehouse. Kubernetes pulls images from these registries to create pods.

To use a public image, we don’t need to provide any credentials. Kubernetes fetches the image and runs the pod. Here’s a basic example using a public image:

apiVersion: v1
kind: Pod
metadata:
  name: nginx-public
spec:
  containers:
  - name: nginx
    image: nginx:latest

This pod pulls the nginx image tagged latest from Docker Hub, a public registry. Keep in mind that latest is a mutable tag: whoever can push to that repository can change what it points to, so a pod that restarts tomorrow may run different code than it ran today. For anything beyond a quick test, pin to a specific version tag, or better, to the image digest (image: nginx@sha256:...), which names exactly one immutable image.
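The pinning rule above is easy to state and easy to forget, so here is a small manifest check that enforces it. This is an added example, not code from the original post: it parses each container's image reference the way a container runtime does ([registry/]name[:tag][@digest]), flags references that are unpinned or that point at a registry outside an allowlist, and runs over the post's public pod plus a constructed, digest-pinned variant. The allowlist, the registry.example.com:5000 host and the digest value are all made up for the example.

```python
import re

# Registries this cluster may pull from. Constructed for the example; in a
# real cluster this would come from your admission policy.
ALLOWED_REGISTRIES = {"docker.io", "registry.example.com:5000"}

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split an image reference into registry, name, tag and digest.

    Grammar: [registry/]name[:tag][@digest]. The first path component is a
    registry only if it contains a dot or a port, or is "localhost";
    otherwise the image lives on docker.io, and a bare name such as "nginx"
    means the official image "library/nginx".
    """
    original = ref
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {original!r}")
    parts = ref.split("/")
    registry = "docker.io"
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        registry = parts[0]
        parts = parts[1:]
    tag = None
    if ":" in parts[-1]:
        parts[-1], tag = parts[-1].split(":", 1)
    name = "/".join(parts)
    if registry == "docker.io" and "/" not in name:
        name = "library/" + name
    return {"registry": registry, "name": name, "tag": tag, "digest": digest}


def check_image_ref(ref, allowed_registries=ALLOWED_REGISTRIES):
    """Return findings for one reference; an empty list means pinned and trusted."""
    p = parse_image_ref(ref)
    findings = []
    if p["registry"] not in allowed_registries:
        findings.append(f"registry {p['registry']} is not on the allowlist")
    if p["digest"] is None:
        if p["tag"] is None:
            findings.append("no tag or digest, so the runtime defaults to the mutable :latest")
        elif p["tag"] == "latest":
            findings.append("mutable tag 'latest'")
        else:
            findings.append(f"tag '{p['tag']}' is not pinned to a digest and can be re-pushed")
    return findings


def audit_pod(pod):
    """Map every container (init and regular) of a Pod manifest to its findings."""
    spec = pod.get("spec", {})
    containers = spec.get("initContainers", []) + spec.get("containers", [])
    return {c["name"]: check_image_ref(c["image"]) for c in containers}


# The post's public-image pod, written as a Python dict instead of YAML.
PUBLIC_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "nginx-public"},
    "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]},
}

# Constructed hardened variant: allowlisted private registry and a
# digest-pinned image. The digest is a placeholder, not a real image digest.
FAKE_DIGEST = "sha256:" + "0123456789abcdef" * 4
PINNED_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "app-pinned"},
    "spec": {"containers": [
        {"name": "app", "image": f"registry.example.com:5000/team/app@{FAKE_DIGEST}"},
    ]},
}

if __name__ == "__main__":
    for pod in (PUBLIC_POD, PINNED_POD):
        print(pod["metadata"]["name"], audit_pod(pod))
```

Run it against manifests pulled from a cluster (for example the JSON from kubectl get pods -o json, iterating over items) to get a quick inventory of which workloads still rely on mutable tags before you turn the same rule into an admission policy.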


Using Private Repositories in Kubernetes

Private repositories hide images from the public. They require authentication, so we must tell Kubernetes how to log in before it can pull an image. To do this, we create a Docker registry secret. The secret is of type kubernetes.io/dockerconfigjson and stores the registry address, username, and password in the same format as a local Docker config.json.

Run this command to create a secret:

kubectl create secret docker-registry regcred \
--docker-username=your-username \
--docker-password=your-password \
--docker-email=your-email@example.com \
--docker-server=https://index.docker.io/v1/

Then, we use this secret in our pod definition:

apiVersion: v1
kind: Pod
metadata:
  name: private-nginx
spec:
  containers:
  - name: nginx
    image: your-username/nginx-private:latest
  imagePullSecrets:
  - name: regcred

The imagePullSecrets field tells Kubernetes to use the credentials stored in the regcred secret when it pulls this pod's image. Two caveats are worth knowing. First, the secret is only as secret as its RBAC: it holds the username and password base64-encoded, not encrypted, so anyone who can read Secrets in the namespace can recover them. Prefer a pull-only token or robot account over a personal password. Second, the field applies only to this pod; to cover every pod in a namespace, add the secret to the namespace's ServiceAccount under its own imagePullSecrets field instead of editing each manifest.
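To make the two caveats concrete, here is an added example (not code from the original post) that builds the Secret manifest the kubectl command above produces, decodes such a Secret back to the credentials it holds, and builds a ServiceAccount that carries the pull secret for every pod using it. The username, token and email values are constructed for the example; the Secret layout (type kubernetes.io/dockerconfigjson, data key .dockerconfigjson, JSON with an auths map and a base64 username:password auth field) is the one kubelet reads.

```python
import base64
import json

DOCKER_HUB = "https://index.docker.io/v1/"


def docker_config(server, username, password, email=None):
    """Build the JSON document kubelet reads from the secret.

    Same shape `docker login` writes to ~/.docker/config.json: one entry per
    registry server, with "auth" holding base64(username:password).
    Nothing in it is encrypted.
    """
    auth = base64.b64encode(f"{username}:{password}".encode()).decode()
    entry = {"username": username, "password": password, "auth": auth}
    if email is not None:
        entry["email"] = email
    return {"auths": {server: entry}}


def registry_secret(name, server, username, password, email=None, namespace="default"):
    """Return the Secret manifest `kubectl create secret docker-registry` would create."""
    cfg = json.dumps(docker_config(server, username, password, email), separators=(",", ":"))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": base64.b64encode(cfg.encode()).decode()},
    }


def credentials_in_secret(secret):
    """Decode a dockerconfigjson Secret (as returned by `kubectl get secret -o json`)
    into {server: (username, password)}.

    Anyone who can read the Secret object gets the password back in clear,
    which is why read access to Secrets must be restricted with RBAC.
    """
    if secret.get("type") != "kubernetes.io/dockerconfigjson":
        raise ValueError(f"not a docker-registry secret: {secret.get('type')}")
    cfg = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    creds = {}
    for server, entry in cfg.get("auths", {}).items():
        if "auth" in entry:
            # Usernames cannot contain ':', so split on the first one only.
            user, _, pw = base64.b64decode(entry["auth"]).decode().partition(":")
        else:
            user, pw = entry.get("username"), entry.get("password")
        creds[server] = (user, pw)
    return creds


def plaintext_in_secret(secret, needle):
    """True if `needle` appears verbatim once the Secret's data is base64-decoded."""
    return needle.encode() in base64.b64decode(secret["data"][".dockerconfigjson"])


def service_account_with_pull_secret(sa_name, secret_name, namespace="default"):
    """ServiceAccount carrying the pull secret, so its pods need no imagePullSecrets."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {"name": sa_name, "namespace": namespace},
        "imagePullSecrets": [{"name": secret_name}],
    }


if __name__ == "__main__":
    # Constructed credentials; a pull-only token, not a personal password.
    secret = registry_secret("regcred", DOCKER_HUB, "your-username",
                             "pull-only-token", "your-email@example.com")
    print(json.dumps(secret, indent=2))
    print("decoded:", credentials_in_secret(secret))
    print(json.dumps(service_account_with_pull_secret("default", "regcred"), indent=2))
```

Feed the output of credentials_in_secret a Secret exported from a real namespace and you will see exactly what any principal with get on secrets in that namespace can see, which is the argument for a pull-only token and tight RBAC rather than a shared personal password.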
