Object labels Blog Image v2

Taking Advantage of Object Labels while Controlling the Human Factor

The use of object labels has grown into an industry best practice, as labels allow you to apply metadata to objects like images, deployments, containers, volumes, networks, and more. They can be short and technical, but they can also be more descriptive. However, even with the use of automation for creating labels, although effective, it can still leave the door open to human error.

Since any textual data can be added as a label: the source and destination of your artifact, licensing information, author and maintainer, relationships between your containers, or whatever else makes sense for your business and processes, their use is expanding. In fact, labels are also being leveraged to provide required metadata to make security decisions about the assurance and protection of your workloads. And there have been on-going efforts to standardize the usage of labels, for example in the Labels Schema, later superseded by OCI Annotations.

“Object labels enable the application of metadata to objects like images, deployments, containers, volumes, networks, and more.”

There are two possible consumers for labels. The first one is human — anyone in your organization interested in viewing a certain object’s metadata or, instead, search or filter multiple objects sharing the same metadata. The second consumer is non-human — usually, an automated process that looks at the object’s metadata to decide about how and where it needs to be deployed. I’ll go into detail about this below under Common Use Cases.

Using Aqua's native capabilities of Image and Kubernetes Assurance, you can mandate the presence of one or more labels and their values to approve the image for deployment by marking it as compliant. In advanced use-cases, it is even possible to prevent workloads from deploying if it’s deemed non-compliant, more on that later as well. First, let’s look at some common use cases related to Image Labels.

Common use cases

Classifying, organizing, and cataloging your artifacts

You will undoubtedly have numerous artifacts to manage as your environment expands with your business. These artifacts will originate from different pipelines and will be designated for different purposes. Labels provide a straightforward way to tag your artifacts, so you can manage and maintain them more easily.

Support development lifecycle & assure compliance 

You may try to enforce various compliance rules as part of your development lifecycle, and you can leverage labels to do so.

One real-life example is using an “owner” label (or similar designation). You may require your developers to assign an owner to every image so that if anything should go wrong with its container, you can quickly identify the right resource to remedy the issue.

You could also apply the use cases for your own business reasons, or, in some cases, you may be required to do it by an internal or external auditor or regulatory requirements. Whatever the reason, the use of labels can make life easier.

Automating deployments

The information you place in a label may also indicate how to deploy the workload. Consider a scenario where a set of workloads within your application need to reside behind a certain proxy server; you add a “HasProxy” label to your images, and any container needing to be deployed behind a proxy will be given the value “true.”

When your DevOps team deploys the container, they can automate the deployment and configuration of the proxy server in front of the container, simply based on the existence of the label and its value. They can prevent direct access to the workload based on the fact it can only be accessed through a proxy, and place it in a suitable network, with relevant security rules and restrictions.

In a different scenario, you may choose to specify whether an image is exposed on a public network, based on if it contains certain sensitive data. Using this information, your DevOps team can determine where the workloads should reside (and more importantly, where they shouldn’t), their privileges, who can access them, and so forth.

Automating your deployment processes can be valuable not only because it saves time and effort, but because it reduces the chances of human error.

Then once you decide to automate your deployment using labels, you must also have the means to enforce. And this is where the human factor comes into play — because ultimately mistakes can happen, and the deeper your integration, the more adverse the effects these mistakes can be on your business.

“Aqua offers several validations designed to verify that images are compliant with the process you defined, and your workloads are being deployed securely.”

Controlling the human factor

There is no doubt that the proper use of labels will prove effective for your business. But the process of creating the labels is at least partly manual (i.e., mistake-prone), and there’s a lot at stake here. How can you trust that the right labels were added to the right workloads? How can you assure that your automated deployment process is spinning them up in the context they should be deployed, and only there? This is where our assurance capabilities come into play when you use Aqua Enterprise.Controlling the Human Factor.

We offer several validations aimed to verify that your images are compliant with the process you defined, and your workloads are being deployed securely. The first check occurs at the very beginning of the process when your image is built. The second occurs at the very end, right before your workload is deployed.

  1. CI/CD: Our Image Assurance policy will pass or fail the compliance state of your image based on one or more labels with your pre-defined values.
  2. Our Kubernetes Assurance Policy (KAP) allows you to add rego-based custom compliance scripts. Using KAP in combination with custom compliance scripts, we’ll scan your YAML files to make sure the workload was defined properly. We will do this as part of the Admission Controller and notify you if the deployment is not configured properly.

Going back to our earlier example of automation using a “HasProxy” label; during the first check, we’ll validate your image contains this label and make it non-compliant if it isn’t already. At the second check, we’ll make sure your deployment was defined properly, that the container was assigned to the right network policy that disallows direct access, and any other custom check you defined.

Getting the most from object labels

Understanding and making full use of object labels allows you to create and automate security and compliance rules within your different environments. Aqua’s Image and Kubernetes Assurance policies complement your automation by providing the required validation and enforcement of your policies, whatever they may be — while taking care of the usual human-error challenges.

The lastest release of Aqua Enterprise also includes many other capabilites for securing Kubernetes across the development, deployment and runtime stages of your application lifecycle.

Try Aqua Enterprise today
Get a Demo

Learn more about the latest of the Aqua Platform

Nir Ben-Eliezer

Nir Ben Eliezer is a Product Manager at Aqua, responsible for static and dynamic scanning, as well as vulnerability management. He has 15 years of technological experience in a variety of roles. In the past 7 years he's been focused on cybersecurity and securing cloud native applications. In his free time Nir enjoys on and off-road motorcycling, psychology, and mathematics.

Container Security, Container Deployment, Kubernetes Security