Kubernetes for Developers

Container registries

In the preceding example, when we invoked the command to pull the container, we referenced https://www.docker.com/, which is Docker's container registry. There are two other common registries that you will see frequently when working with Kubernetes or reading documentation about Kubernetes: gcr.io, Google's container registry, and quay.io, CoreOS's container registry. Other companies offer hosted container registries on the internet, and you can run your own. Currently, Docker and Quay both offer free hosting for public images, so you will see those frequently in documentation and examples. All three registries also offer options for private image repositories, typically for a relatively small subscription.

One of the benefits of publicly available images (and of layering your own images on top of them) is that it makes composing images very easy, because the underlying layers are shared. It also means that those layers can be inspected, and that common layers can be searched for security vulnerabilities. Several open source projects aim to provide this information, and several companies have formed around coordinating that information and performing the scans. If you subscribe to an image repository for your images, the vendor will often include vulnerability scanning as part of the product offering.

As a developer, when you use a library in your code, you are responsible for how it operates. You are already responsible for being familiar with how those libraries work (or fail to), and for handling any issues when they do not behave as expected. With the flexibility and control that come from specifying the whole container, you take on the same responsibility for everything that gets included in that container.

It is easy to forget about the layers that your software is built upon, and you may not always have the time to track every security vulnerability and issue that has been reported against the software you are building on. Security scans from projects such as Clair (https://github.com/coreos/clair) can give you excellent information about potential vulnerabilities. I recommend you consider taking advantage of a service that can provide those details for you.
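The two ideas above, that images share layers and that a shared layer can be checked once for vulnerabilities, can be made concrete by looking at the image manifest a registry serves. The following is an added example written for this chapter; it is not code from the book, from Clair, or from any registry. It parses minimal manifests in the OCI image manifest format (schema version 2, a `layers` array of digest/size entries), finds the layers two images have in common, and looks each layer up in a small advisory index. The manifests, the layer digests, and the advisory identifiers are all constructed placeholders; the advisory index stands in for what a scanner such as Clair would produce after unpacking each layer and matching its packages against vulnerability feeds.

```python
import json

# Constructed example data: two OCI image manifests for hypothetical images
# "app-a" and "app-b" that were both built on the same base layer. Every
# digest below is a fabricated placeholder, not the hash of any real layer.
BASE_LAYER = "sha256:" + "a1" * 32
APP_A_LAYER = "sha256:" + "b2" * 32
APP_B_LAYER = "sha256:" + "c3" * 32


def _manifest(layers):
    """Build a minimal OCI image manifest (schema version 2) as JSON text."""
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.oci.image.manifest.v1+json",
        "config": {
            "mediaType": "application/vnd.oci.image.config.v1+json",
            "digest": "sha256:" + "00" * 32,  # placeholder config digest
            "size": 0,
        },
        "layers": [
            {
                "mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
                "digest": digest,
                "size": size,
            }
            for digest, size in layers
        ],
    })


MANIFEST_APP_A = _manifest([(BASE_LAYER, 30_000_000), (APP_A_LAYER, 5_000_000)])
MANIFEST_APP_B = _manifest([(BASE_LAYER, 30_000_000), (APP_B_LAYER, 2_000_000)])

# Constructed advisory index: layer digest -> advisory identifiers. This is
# the kind of mapping a scanner produces; the identifiers are placeholders.
ADVISORIES = {
    BASE_LAYER: ["EXAMPLE-ADVISORY-0001", "EXAMPLE-ADVISORY-0002"],
}


def parse_layers(manifest_text):
    """Return the ordered list of (digest, size) pairs from an OCI manifest."""
    manifest = json.loads(manifest_text)
    if manifest.get("schemaVersion") != 2:
        raise ValueError("unsupported manifest schema version")
    layers = []
    for layer in manifest["layers"]:
        digest = layer["digest"]
        # A content digest is "sha256:" followed by 64 hex characters.
        if not digest.startswith("sha256:") or len(digest) != 7 + 64:
            raise ValueError("malformed layer digest: %r" % digest)
        layers.append((digest, int(layer["size"])))
    return layers


def shared_layers(manifest_a, manifest_b):
    """Digests present in both images: the layers a registry stores once."""
    digests_a = {digest for digest, _ in parse_layers(manifest_a)}
    digests_b = {digest for digest, _ in parse_layers(manifest_b)}
    return sorted(digests_a & digests_b)


def flag_vulnerable_layers(manifest_text, advisories):
    """Return (layer_index, digest, advisory_id) for each layer with a known advisory."""
    findings = []
    for index, (digest, _) in enumerate(parse_layers(manifest_text)):
        for advisory_id in advisories.get(digest, []):
            findings.append((index, digest, advisory_id))
    return findings


def images_affected_by(advisory_id, manifests, advisories):
    """Names of images carrying the advisory; a shared base layer affects all of them."""
    affected = []
    for name, text in manifests.items():
        findings = flag_vulnerable_layers(text, advisories)
        if any(found == advisory_id for _, _, found in findings):
            affected.append(name)
    return sorted(affected)


if __name__ == "__main__":
    images = {"app-a": MANIFEST_APP_A, "app-b": MANIFEST_APP_B}
    print("shared layers:", shared_layers(MANIFEST_APP_A, MANIFEST_APP_B))
    for name, text in images.items():
        for index, digest, advisory in flag_vulnerable_layers(text, ADVISORIES):
            print("%s layer %d (%s...) has %s" % (name, index, digest[:19], advisory))
    print("rebuild needed for:", images_affected_by("EXAMPLE-ADVISORY-0001", images, ADVISORIES))
```

The point the output makes is the one the text describes: because both images sit on the same base layer, one scan of that layer tells you about both of them, and fixing the vulnerability means rebuilding every image that shares the layer, not just the one you happened to scan.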