Iron Bank Containers
Similar to Harbor, which is Game Warden’s secure image registry, Iron Bank is a registry that stores containerized images that have been scanned by Platform One (P1) and align with Department of Defense (DoD) standards. Iron Bank containers can be deployed to Game Warden. In addition, Iron Bank containers can be moved to Harbor (instructions here).
The content below defines the guidelines you must adhere to when deploying Iron Bank containers.
Iron Bank is transitioning from advertising a container as Approved, Conditionally Approved, or Verified to compliance with the Acceptance Baseline Criteria (ABC). A container can either be compliant or non-compliant with the ABC. There is also an Overall Risk Assessment (ORA) score; 100% is the best, and 0% the worst.
With coordination among P1, the government-designated Game Warden Information Systems Security Manager (ISSM), and the Second Front Systems (2F) Security team, each container will be assessed for approval on the Game Warden platform. This process gives 2F flexibility to assess and accept the risk of application containers within the Game Warden platform. With this flexibility, it is application developers' responsibility to understand the ABC compliance and ORA rating of their Iron Bank containers. The lower the container ORA score, the less likely it is to be approved for use on the Game Warden platform.
Iron Bank Image Usage and Responsibilities
You may use containers from Iron Bank as base images and build atop this foundation; however, you must not modify the Iron Bank image. Containers with the following ratings in Iron Bank will have the highest probability of being approved for use on the Game Warden platform:
- Acceptance Baseline Criteria: Compliant
- ORA score: 80% or greater.
While Iron Bank may still display an Approved status, this designation is being phased out in favor of ABC compliance and the ORA score, which carry more weight in the approval decision. Containers that do not meet this threshold might still be approved after review by the Game Warden Security team. Containers may become non-compliant and/or receive a lower score at any time when Common Vulnerabilities and Exposures (CVEs) exceed the remediation timeline requirements. To reduce this uncertainty, please notify 2F of any Iron Bank containers you plan to use that currently show as compliant and have a good ORA score. The Game Warden team will do its best to support their use. Low and Medium CVEs over the threshold may be justified. Critical and High CVEs will be evaluated on a case-by-case basis to determine the security impact.
If an Iron Bank container does not initially satisfy the security requirements, you may be required to select a different image. When an image's compliance status changes, the application developer must coordinate with the image owner, through P1, to resolve the issue. As an alternative, you can migrate to an acceptable image; preferably, this would be an updated and compliant image. If the Iron Bank base image becomes non-compliant due to End of Life (EoL), for example, the application developer should switch to an updated base image that is ABC compliant and has an appropriate ORA score. Typically, there is a substantial overlap (such as 6-12 months) between when a new base image is introduced and when the previous version becomes EoL. As a best practice, application developers should check for updated image versions monthly (at minimum) and transition to the new releases. This will improve application security and ensure government compliance.
Iron Bank containers marked EoL (End of Life) are less likely to be approved for Game Warden platform deployments.
The image below displays an example container that has been marked EoL.
Iron Bank Container Approval in Game Warden
2F may approve unmodified container images that are ABC compliant or meet acceptable risk levels. It is the responsibility of the application developer to use the latest approved images; this ensures the image remains compliant and has the latest (or most current) security updates.
Using the Iron Bank UI, search for the image you would like to use; the latest or most current image appears first. All available images should populate, and you can use the tag drop-down menu to switch between different image versions.
The 2F Security team will review container scans and inherit any artifacts found in the selected container. Game Warden customers will notify the 2F Security team when a new base image is used prior to uploading to the 2F Nexus Repository. When an Iron Bank image is approved for use in Game Warden, the approved vulnerability justifications for the base image will be shown as inherited in Game Warden Scan Lab and in the Deployment Passport; therefore, these vulnerabilities will not require further effort from the application developer.
The Game Warden Scan Lab image below displays examples of Inherited from Base Image justifications.
If a selected image consists of multiple layers, the 2F Security team can review the container to determine whether base layer vulnerabilities can be marked as Inherited from Base Image.
For example, suppose you would like to use a Postgresql11 image that is “Non-compliant” and has an ORA score of 26%. The vulnerabilities in the “Postgresql11” layer are the reason this container receives these scores. You can request that the 2F Security team review this container. When the 2F Security team reviews the “Postgresql11” container, the team finds that the base layer of “Postgresql11” is the latest version of UBI9. UBI9 is “Compliant” and has an ORA score of 85%. Since the base layer of the “Postgresql11” container meets acceptable risk levels, the 2F Security team is able to “Inherit” justifications from ONLY the Iron Bank UBI9 base layer. You must remediate (own) the vulnerabilities included in the Postgresql11 layer.
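The partitioning rule in the Postgresql11 example above, as an added illustration that is not part of the Game Warden documentation or tooling: an unmodified, acceptable base image (assumed here to mean ABC compliant with an ORA score of 80% or greater) contributes inherited justifications only for findings in its own layers, while findings in the application layer remain the developer's to remediate. Image names, layer digests, and CVE identifiers are constructed placeholders.

```python
from dataclasses import dataclass

# Assumed threshold taken from the guidance above: compliant and ORA >= 80%.
ORA_THRESHOLD = 80


@dataclass(frozen=True)
class Image:
    name: str
    abc_compliant: bool
    ora_score: int
    layers: tuple  # ordered layer digests, base layers first


@dataclass(frozen=True)
class Finding:
    cve: str
    severity: str
    layer: str  # digest of the layer that introduced the vulnerable package


def base_meets_risk_level(base: Image) -> bool:
    """Base image qualifies for inheritance only if compliant and above the ORA threshold."""
    return base.abc_compliant and base.ora_score >= ORA_THRESHOLD


def partition_findings(app: Image, base: Image, findings):
    """Split findings into (inherited from base, owned by the application developer).

    Nothing is inherited if the base does not meet the risk level, or if the
    application image was not built directly on top of the unmodified base
    (i.e. the base's layers are not a prefix of the app's layers)."""
    built_on_base = app.layers[: len(base.layers)] == base.layers
    if not built_on_base or not base_meets_risk_level(base):
        return [], list(findings)
    base_layers = set(base.layers)
    inherited = [f for f in findings if f.layer in base_layers]
    owned = [f for f in findings if f.layer not in base_layers]
    return inherited, owned


# Constructed sample data mirroring the Postgresql11-on-UBI9 scenario.
UBI9 = Image("ubi9", True, 85, ("sha256:base-aaa", "sha256:base-bbb"))
PG11 = Image("postgresql11", False, 26, UBI9.layers + ("sha256:pg-ccc",))
SAMPLE_FINDINGS = [
    Finding("CVE-XXXX-0001", "Medium", "sha256:base-aaa"),
    Finding("CVE-XXXX-0002", "Low", "sha256:base-bbb"),
    Finding("CVE-XXXX-0003", "High", "sha256:pg-ccc"),
    Finding("CVE-XXXX-0004", "Critical", "sha256:pg-ccc"),
]

if __name__ == "__main__":
    inherited, owned = partition_findings(PG11, UBI9, SAMPLE_FINDINGS)
    print("inherited:", [f.cve for f in inherited])
    print("owned:", [f.cve for f in owned])
```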