Iron Bank
Iron Bank is the Department of Defense's (DoD's) "hardened container repository." I put that term in quotes for a reason: it's not at all clear to me that hardened is the proper adjective to use here. Vetted is probably better, but that leads to a whole host of other questions:
- Who does the vetting?
  - Perhaps we hand-wave this to say "well, the CI/CD pipeline does, of course!"
  - There's an onboarding process; perhaps that's where the vetting occurs?
- What is vetted?
  - The authors of the software, as the SCRM folks would like to see?
  - The people contributing the container to Iron Bank?
  - The software itself?
  - The container image?
Still, the term is important, because it's in wide use. More than any other product or service at Platform One, Iron Bank has the attention of leaders within the office of the DoD CIO. References to Iron Bank, DCAR, etc. are sprinkled throughout the DoD CIO Library. For anyone who wants to understand the broader context in which Iron Bank sits, and where it comes from, I would recommend familiarizing yourself with all of the documents in the Software Modernization / Modern Software Practices section of that library.
The Terrain
Before we cover the history, value, and thoughts on the future of Iron Bank, it behooves us to start with the basics: where would an interested party find Iron Bank online? For a number of reasons, there's no one place to find Iron Bank online; it is a somewhat disparate collection of services.
Iron Bank Front End (IBFE)
The nominal starting point for Iron Bank is the Iron Bank Front End (IBFE), available at https://ironbank.dso.mil. This is a custom webapp that is developed on Party Bus, earning it a CTF, but it is deployed within the Iron Bank infrastructure and doesn't constitute a real Party Bus application. I would describe the primary function of the IBFE as discovery. The IBFE allows any user (TODO: write section on randos) to view the entire catalog of images within Iron Bank. Users are presented with a paginated set of cards, one for each image in Iron Bank, and there is a basic search function and some rudimentary filtering in a sidebar that lets users narrow down the cards they see. Clicking a card brings the user to a page that provides additional information about the image, along with a set of links to other resources.
Vulnerability Assessment Tracker (VAT)
The Vulnerability Assessment Tracker (VAT) is also a custom webapp developed on Party Bus but deployed on Iron Bank, so all caveats applied to IBFE about being a "real" Party Bus application apply equally to it. VAT is also available to any authenticated user, served at https://vat.dso.mil. Users are presented with a somewhat more intricate set of filtering options for images and/or tags, and can then filter the findings as well (after selecting an image). The primary function of VAT is to adjudicate findings in container images. The Iron Bank Docs page has additional information, but in a nutshell:
- Nightly pipeline runs use commercial tools to identify vulnerabilities, which are pushed into VAT by the pipeline
- VAT performs some de-duplication of findings (Anchore and PCC might both find a CVE, for example)
- The image maintainers provide justifications for each finding
- The Iron Bank team reviews those justifications
Steps 3 and 4 in the process above take place in VAT. Any user can then go review the findings in VAT. Importantly, findings and justifications can be inherited from base image layers in some cases, so in theory if you are submitting a Java application to Iron Bank and you use an Iron Bank-maintained Java base image, you will only need to justify findings in your application and not in the core Java runtime. The caveat is that inheritance only covers findings that are genuinely the same as in the base layer (same identifier, same package, same version); if your layer upgrades or re-adds a package, the finding is yours to justify again.
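To make the de-duplication and inheritance steps concrete, here is an added example (my own illustration, not VAT's code or data model) of the logic a tracker like VAT has to perform: merge findings from two scanners that report the same CVE, then subtract the findings already justified in the base image. The scanner output, the base-image justifications, and the CVE identifiers are all constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    """One finding as reported by a single scanner."""
    scanner: str
    identifier: str  # e.g. a CVE id
    package: str
    version: str

    def key(self):
        # Two scanners report "the same" finding when id, package and version match.
        return (self.identifier, self.package, self.version)


# Constructed sample scanner output (not real Iron Bank data); both tools report
# CVE-...-0001 and -0003, so those must be merged rather than justified twice.
ANCHORE = [
    Finding("anchore", "CVE-2023-0001", "openssl-libs", "1.1.1k"),
    Finding("anchore", "CVE-2023-0002", "glibc", "2.28"),
    Finding("anchore", "CVE-2023-0003", "log4j-core", "2.14.1"),
]
PCC = [
    Finding("pcc", "CVE-2023-0001", "openssl-libs", "1.1.1k"),
    Finding("pcc", "CVE-2023-0003", "log4j-core", "2.14.1"),
    Finding("pcc", "CVE-2023-0004", "jackson-databind", "2.12.3"),
]

# Constructed: findings the base image maintainer already justified, keyed the same way.
BASE_IMAGE_JUSTIFIED = {
    ("CVE-2023-0001", "openssl-libs", "1.1.1k"): "example justification: vulnerable code not compiled in",
    ("CVE-2023-0002", "glibc", "2.28"): "example justification: vendor backported the fix",
}


def dedupe(findings):
    """Merge per-scanner findings into one record per (id, package, version).

    Returns a dict mapping the key to the set of scanners that reported it.
    """
    merged = {}
    for f in findings:
        merged.setdefault(f.key(), set()).add(f.scanner)
    return merged


def triage(findings, inherited):
    """Split deduplicated findings into inherited ones and ones needing a new justification.

    Inheritance is strict: the package *and* version must match the base layer's
    adjudicated finding, so a package your layer upgraded is not inherited.
    """
    merged = dedupe(findings)
    inherited_hits = {k: inherited[k] for k in merged if k in inherited}
    needs_justification = {k: v for k, v in merged.items() if k not in inherited}
    return inherited_hits, needs_justification


if __name__ == "__main__":
    inherited, todo = triage(ANCHORE + PCC, BASE_IMAGE_JUSTIFIED)
    for key, reason in inherited.items():
        print(f"inherited  {key}: {reason}")
    for key, scanners in todo.items():
        print(f"justify    {key}: reported by {sorted(scanners)}")
```

Six raw findings collapse to four unique ones; two of those are inherited from the base image, leaving two for the application maintainer to justify. Keying on the package version is what keeps an upgraded package from silently borrowing a stale justification.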
Iron Bank Docs
The Iron Bank Docs page is available to any user, without authentication. It is a static website built using Hugo on the Party Bus Padawan service, and is hosted in the Party Bus environment. It is accessible at https://docs-ironbank.dso.mil/. Although it is built in a different technology than this document (hugo + mkdocs vs mdbook), the intent is the same: easily searchable documentation. If you are reading this document, I recommend familiarizing yourself with the docs webpage. Note that while the actual static content is served up by Party Bus, the content itself is wholly owned by the Iron Bank team, so don't be shy about requesting or suggesting updates!
Repo1
The core conceit of Iron Bank is that, unlike Docker Hub or Quay.io, users do not push container images straight into the registry (TODO: a section on VP). Container images are built by the pipeline each night from a Dockerfile that image maintainers provide. If the reader is familiar with the docker build command, they have likely used COPY commands within the Dockerfile to copy artifacts into the image. Whereas docker build will allow you to copy any file from the working directory when you build the image, Iron Bank requires that you declare your required artifacts in a hardening manifest. This manifest indicates the file name, where to fetch it from, and a cryptographic hash of the artifact. Note that the hash is a content checksum, not a signature: it pins the exact bytes the pipeline is allowed to use, but it says nothing about who produced them.
Since at the very least two files (the Dockerfile and the hardening manifest) need to be configuration-controlled, Iron Bank runs a Gitlab Ultimate instance at https://repo1.dso.mil. Each image has its own repository under the https://repo1.dso.mil/dsop/ group. As a helpful hint: if you navigate directly to the Repo1 homepage, you will be required to log in. If you go to a more specific URL that is viewable by unauthenticated users, you can view it without logging in. Because the Iron Bank group is public in that way, and the URL is incredibly easy to remember (dsop is an acronym for DevSecOps Platform), memorizing the path above will let you look at the files associated with Iron Bank images without authenticating.
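The following is an added example (my own code, not the Iron Bank pipeline's) of the check the hardening manifest enables: before an artifact is allowed anywhere near a COPY, its bytes are hashed and compared against the value declared in the manifest. The manifest is shown in its parsed form; the field names (`resources`, `filename`, `validation.type`, `validation.value`) follow the shape of Iron Bank's hardening_manifest.yaml as I understand it but are an assumption here, and the artifact, URL and digest are constructed for the example (the bytes `b"abc"` stand in for a real tarball, and the declared digest is simply SHA-256 of those bytes).

```python
import hashlib
import hmac
from pathlib import Path

# Parsed form of a minimal hardening manifest. Field names assumed; values constructed.
MANIFEST = {
    "apiVersion": "v1",
    "name": "example/hello/hello",
    "tags": ["1.0.0"],
    "resources": [
        {
            "url": "https://example.invalid/hello-1.0.0.tar.gz",
            "filename": "hello-1.0.0.tar.gz",
            "validation": {
                "type": "sha256",
                # sha256(b"abc"); the artifact below is a stand-in for the real tarball
                "value": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad",
            },
        }
    ],
}

# Constructed "downloaded" artifacts keyed by URL, so the example runs offline.
FETCHED = {
    "https://example.invalid/hello-1.0.0.tar.gz": b"abc",
}

ALLOWED_ALGORITHMS = ("sha256", "sha512")


def verify_resource(resource: dict, data: bytes) -> tuple[bool, str]:
    """Return (ok, message) for one manifest resource against the bytes fetched for it.

    Rejects unsafe filenames (a path component would let a manifest write outside the
    build context), weak or unknown hash types, and any digest mismatch.
    """
    filename = resource["filename"]
    if filename in ("", ".", "..") or Path(filename).name != filename:
        return False, f"refusing unsafe filename {filename!r}"

    validation = resource["validation"]
    algo = validation["type"].lower()
    if algo not in ALLOWED_ALGORITHMS:
        return False, f"{filename}: unsupported validation type {algo!r}"

    expected = validation["value"].lower()
    actual = hashlib.new(algo, data).hexdigest()
    # Constant-time compare is cheap insurance even though the digest is not a secret.
    if not hmac.compare_digest(actual, expected):
        return False, f"{filename}: {algo} mismatch (expected {expected}, got {actual})"
    return True, f"{filename}: {algo} verified"


def stage_resources(manifest: dict, fetched: dict, dest: Path) -> list[str]:
    """Write every declared resource into dest only after it verifies.

    Raises on the first failure, so a tampered or mis-declared artifact never
    lands in the build context at all.
    """
    dest.mkdir(parents=True, exist_ok=True)
    staged = []
    for resource in manifest.get("resources", []):
        data = fetched[resource["url"]]
        ok, message = verify_resource(resource, data)
        if not ok:
            raise ValueError(message)
        (dest / resource["filename"]).write_bytes(data)
        staged.append(resource["filename"])
    return staged


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        print("staged:", stage_resources(MANIFEST, FETCHED, Path(tmp)))
    # A single flipped byte in the download is caught before anything is staged.
    print(verify_resource(MANIFEST["resources"][0], b"abd"))
```

The point of the hash in the manifest is that the Dockerfile's COPY is now only reachable through a gate that a reviewer can audit in Repo1; the point of the filename check is that the manifest itself is maintainer-controlled input, so it deserves the same suspicion as any other.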
Registry1
Container images aren't particularly useful if they can't be pulled and run, so Iron Bank of course operates a container registry (Harbor at the time of this writing). The web interface for this registry can be found at https://registry1.dso.mil. You need to log in (with SSO) in order to view any of the images in the web UI. Once you log in, you can generate a pull token (for use with the docker CLI, K8s, or similar) using the menu in the top right. Your username is case-sensitive when you docker login! Treat the pull token like any other credential: it belongs in an image pull secret or a CI variable, not in a Dockerfile or a committed config. You can use the Registry1 UI to find images without using the IBFE, if you want, but frankly the Harbor UI isn't great.
Summary
Iron Bank is sort of a "Docker Hub for the DoD". Today, it isn't a single cohesive thing as much as a combination of useful services. The user-facing services are summarized in the table below.
| Common Name | URL |
|---|---|
| Iron Bank Front End (IBFE) | https://ironbank.dso.mil |
| Vulnerability Assessment Tracker (VAT) | https://vat.dso.mil |
| Iron Bank Docs | https://docs-ironbank.dso.mil |
| Repo1 (Gitlab) | https://repo1.dso.mil |
| Registry1 (Harbor) | https://registry1.dso.mil |