Trusted container image sources
In the previous section, we defined the central role of the image registry as a source of truth for valid, usable images. In this section, we want to stress the importance of adopting trusted images that come from trusted sources.
An OCI image is used to package binaries and runtimes in a structured filesystem with the purpose of delivering a specific service. When we pull that image and run it on our systems without any kind of control, we implicitly trust the author to not have tampered with its content by using malicious components. But nowadays, trust is something that cannot be granted so easily.
As we will see in Chapter 11, Securing Containers, there are many attack use cases and malicious behaviors that can be conducted from a container: privilege escalation, data exfiltration, and miners are just a few examples. These behaviors can be amplified when containers that are run inside Kubernetes clusters (many thousands of clusters) can spawn...
