Container governance
Open Container Initiative containers (commonly referred to as Docker containers) are a popular language-agnostic way to package software applications, allowing developers to combine dependencies from multiple toolchains into a cohesive package. Docker containers are particularly powerful for packaging complex applications, leveraging legacy technologies, or integrating libraries that are not available in Foundry's natively supported languages (Python, Java, and R).
Container workflows raise additional security risks for your organization. Because container images are authored outside Foundry and could introduce and accumulate software vulnerabilities, the administrator is responsible for implementing software supply chain controls and regularly auditing containers running in Foundry.
To mitigate these risks, Foundry's compute infrastructure implements industry-leading controls and strict image requirements that limit the type of container workloads users can run. In particular, container images must run with a non-root numeric user ID, and must not have access to kernel privileges.
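As an added illustration (not Foundry's own tooling), the check below reads a standard OCI image config document and verifies the non-root numeric user ID requirement described above: the `config.User` field must be present, numeric (`uid` or `uid:gid`, no account names), and must not resolve to uid 0 or gid 0. The sample configs are constructed; the absence of kernel privileges is a runtime property and cannot be verified from the image config alone.

```python
"""Validate an OCI image config's user against a non-root numeric UID rule."""
import json


def parse_user_field(user):
    """Parse an OCI `config.User` value ("uid" or "uid:gid").

    Returns (uid, gid) with gid None when absent. Raises ValueError for an
    empty value (the image would default to root) or for named accounts,
    which a numeric-UID policy rejects even if the name maps to a non-root
    user inside the image, because the runtime cannot know that up front.
    """
    if not user:
        raise ValueError("no user configured (image would run as root)")
    parts = user.split(":", 1)
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"user {user!r} is not a numeric uid[:gid]")
    uid = int(parts[0])
    gid = int(parts[1]) if len(parts) == 2 else None
    return uid, gid


def check_image_config(config_json):
    """Return (ok, reason) for an OCI image config given as a JSON string."""
    try:
        doc = json.loads(config_json)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc}"
    user = (doc.get("config") or {}).get("User", "")
    try:
        uid, gid = parse_user_field(user)
    except ValueError as exc:
        return False, str(exc)
    if uid == 0:
        return False, "user is root (uid 0)"
    if gid == 0:
        return False, "primary group is root (gid 0)"
    return True, f"runs as uid {uid}" + (f" gid {gid}" if gid is not None else "")


# Constructed sample image configs (not real images).
SAMPLES = {
    "no-user": '{"config": {"Env": ["PATH=/usr/bin"]}}',
    "named-user": '{"config": {"User": "appuser"}}',
    "root": '{"config": {"User": "0"}}',
    "root-group": '{"config": {"User": "1000:0"}}',
    "ok": '{"config": {"User": "1000:1000"}}',
}

if __name__ == "__main__":
    for name, cfg in SAMPLES.items():
        ok, reason = check_image_config(cfg)
        print(f"{name:12s} {'PASS' if ok else 'FAIL'}: {reason}")
```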
Foundry also provides administrative tooling to track which containers are running in production, and regularly scans active containers to identify software vulnerabilities. The Container governance page in Control Panel empowers administrators to audit the state of container workflows in their Foundry installation, and to recall vulnerable containers when necessary.
:::callout{theme="neutral"} Containers running through Foundry's compute infrastructure are subject to similar metadata visibility rules as containers running in Apollo platform. :::
Enable container workflows
The Settings tab of the Container governance page in Control Panel allows resource administrators to enable or disable container workflows. By default, all container workflows are disabled. All container workflows require the Rubix engine as the backing infrastructure; this toggle will be disabled if Rubix is not used.

Vulnerability scanning
Foundry periodically scans all actively used user-uploaded Docker containers for vulnerabilities. An overview of vulnerabilities affecting your enrollment is available in the Vulnerabilities tab of the Container governance page in Control Panel. By default, Foundry does not take any actions based on found container vulnerabilities.

Recall vulnerabilities
The Vulnerabilities tab of the Container governance page in Control Panel allows resource administrators to recall individual vulnerabilities. Any Foundry job that uses a container affected by a recalled vulnerability will be forcefully stopped. A recalled vulnerability can later be un-recalled from the same tab.
