Andy Clemenko, StackRox - One underutilized, and amazing, thing about the docker image scheme is labels. Labels are a built in way to document all aspects about the image itself. Think about all the information that the tags inside your clothing carry. If you care to look you can find out everything about the garment. All that information can be very valuable. Now think about how we can leverage labels to carry similar information. We can even use the labels to contain Docker Compose or even Kubernetes Yaml. We can even include labels into the CI/CD process making things more secure and smoother. Come find out some fun techniques on how to leverage labels to do some fun and amazing things.

1. Andy Clemenko
Labels, Labels, Labels…
Senior Solutions Engineer,
StackRox
@clemenko
clemenko
andy@stackrox.com

2. https://andyc.info/dc20

4. Why Labels?
• Security
• Simplicity
• Self Documenting
• Audit Trail

5. Label Schema
Key = Value
• Author
• Date
• Description
• Version
• and more…

6. Labels for CI?
• Source - Version Control
• Commit Number
• How to build
• Where it was built
• Build number

7. Labels for Security
• Build Server
• Version Control
• Commit Number
• How to was built
• Build number

8. Sample Labels
"org.opencontainers.image.authors": "clemenko@gmail.com",
"org.opencontainers.image.source": "https://github.com/clemenko/dc20_labels/tree/master/demo_flask",
"org.opencontainers.image.build": "docker build -t clemenko/flask_demo..." ,
"org.opencontainers.image.build_number": 22,
"org.opencontainers.image.build.server": http://jenkins.dockr.life/,
”org.opencontainers.image.commit": "98c997f",
"org.opencontainers.image.created": "05/07/20",
"org.opencontainers.image.description": "The repository contains a simple flask application.",
"org.opencontainers.image.healthz": "/healthz",
"org.opencontainers.image.version": "0.1",
"org.opencontainers.image.title": "clemenko/flask_demo",
"org.zdocker.compose": ... ,
"org.zdocker.k8s": ...

9. Create Labels
• Dockerfile
• Build Argument
• docker build - -label key=value
LABEL org.opencontainers.image.authors=$BUILD_SIGNATURE
org.opencontainers.image.source="https://github.com/cleme
org.opencontainers.image.created=$BUILD_DATE
org.opencontainers.image.build_number=$BUILD_NUMBER
org.opencontainers.image.commit=$GIT_COMMIT
org.opencontainers.image.build.server=$JENKINS_URL
org.opencontainers.image.title="clemenko/flask_demo"
org.opencontainers.image.description="The repository cont
flask --> redis."
org.opencontainers.image.version=$BUILD_VERSION
org.opencontainers.image.healthz="/healthz"

10. View Labels
• docker pull; docker inspect
• skopeo
$ skopeo inspect docker://docker.io/clemenko/flask_demo:prod | jq -r '
{
"org.opencontainers.image.authors": "clemenko@gmail.com",
"org.opencontainers.image.build.server": "http://jenkins.dockr.life/
"org.opencontainers.image.build_number": "2",
"org.opencontainers.image.commit": "cb03b31",
"org.opencontainers.image.created": "05/14/20",
"org.opencontainers.image.healthz": "/healthz",
"org.opencontainers.image.source": "https://github.com/clemenko/dc20
demo_flask",
"org.opencontainers.image.title": "clemenko/flask_demo",
"org.opencontainers.image.version": “0.1”…

11. Use Labels - k8s
$ skopeo inspect docker://docker.io/clemenko/flask_demo:prod | jq -r
'.Labels."org.zdocker.k8s"'| base64 -D | kubectl apply -f -
namespace/flask created
deployment.apps/flask created
deployment.apps/mongo created
deployment.apps/redis created
service/flask created
service/redis created
service/mongo created
ingress.networking.k8s.io/flask created
ingressroute.traefik.containo.us/flask-ingressroute created

12. DEMO

13. Demo Stack
● DigitalOcean - Ubuntu 19.10 VMS
● k3s
● Traefik - Ingress Controller
● Jenkins - CI
● StackRox - Image Scanning and policy

14. https://andyc.info/dc20
thanks!
andy@stackrox.com