mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * security/container_security/security-deploy.adoc

:_mod-docs-content-type: REFERENCE
[id="security-deploy-image-sources_{context}"]
= Controlling what image sources can be deployed

It is important that the intended images are actually being deployed, that the
images, including the contained content, are from trusted sources, and that they
have not been altered. Cryptographic signing provides this assurance.
{product-title} enables cluster administrators to apply security policy that is
broad or narrow, reflecting deployment environment and security requirements.
Two parameters define this policy:

* one or more registries, with optional project namespace
* trust type, such as accept, reject, or require public key(s)

You can use these policy parameters to allow, deny, or require a trust
relationship for entire registries, parts of registries, or individual images.
Using trusted public keys, you can ensure that the source is cryptographically
verified. The policy rules apply to nodes. Policy may be applied uniformly
across all nodes or targeted for different node workloads (for example, build,
zone, or environment).

.Example image signature policy file
[source,json]
----
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "access.redhat.com": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ]
    },
    "atomic": {
      "172.30.1.1:5000/openshift": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
        }
      ],
      "172.30.1.1:5000/production": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/example.com/pubkey"
        }
      ],
      "172.30.1.1:5000": [{"type": "reject"}]
    }
  }
}
----

The policy can be saved onto a node as `/etc/containers/policy.json`.
Saving this file to a node is best accomplished using a new
`MachineConfig` object. This example enforces the following rules:

* Require images from the Red Hat Registry (`registry.access.redhat.com`) to be
signed by the Red Hat public key.
* Require images from your OpenShift Container Registry in the `openshift`
namespace to be signed by the Red Hat public key.
* Require images from your OpenShift Container Registry in the `production`
namespace to be signed by the public key for `example.com`.
* Reject all other registries not specified by the global `default` definition.
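The rules above are resolved by scope matching: for a given transport, the most specific scope that matches the image reference wins (full reference, then repository, then each enclosing namespace, then the bare registry), and only if nothing matches does the global `default` apply. The following Python script is an added example, not code from the OpenShift documentation or from the containers/image project. It embeds the page's policy as a constant, re-implements that lookup in simplified form (it assumes fully qualified references of the form `host[:port]/path[:tag|@digest]` and ignores docker.io short-name aliasing), and renders a `MachineConfig` that writes the policy to `/etc/containers/policy.json` on worker nodes; the `MachineConfig` name and the `worker` role are assumptions, and the constructed sample references are for illustration only.

```python
"""Which /etc/containers/policy.json requirement applies to an image reference?

Added example; not code from the OpenShift docs or the containers/image
project. Simplified scope lookup: assumes fully qualified references
(host[:port]/path[:tag|@digest]) and ignores docker.io short-name aliasing.
"""
import base64
import json

RH_KEY = "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
SIGNED_BY_RH = {"type": "signedBy", "keyType": "GPGKeys", "keyPath": RH_KEY}

# The page's example policy, embedded so the demo runs offline.
POLICY = {
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {"access.redhat.com": [SIGNED_BY_RH]},
        "atomic": {
            "172.30.1.1:5000/openshift": [SIGNED_BY_RH],
            "172.30.1.1:5000/production": [
                {"type": "signedBy", "keyType": "GPGKeys",
                 "keyPath": "/etc/pki/example.com/pubkey"}],
            "172.30.1.1:5000": [{"type": "reject"}],
        },
    },
}


def candidate_scopes(reference):
    """Scope strings for a reference, most specific first: the full reference,
    its repository (tag/digest stripped), each enclosing namespace, and finally
    the bare registry host[:port]."""
    host, _, path = reference.partition("/")
    if not path:
        raise ValueError("expected host[:port]/path[:tag|@digest]: " + reference)
    parts = path.split("/")
    # Only the last path component can carry @digest or :tag; the host's port
    # was already split off by partition("/") above.
    parts[-1] = parts[-1].split("@", 1)[0].split(":", 1)[0]
    scopes = [reference]
    repo = host + "/" + "/".join(parts)
    if repo != reference:
        scopes.append(repo)
    while parts:  # walk up the namespace hierarchy to the registry host
        parts.pop()
        scopes.append(host + "/" + "/".join(parts) if parts else host)
    return scopes


def resolve(policy, transport, reference):
    """Return (matched_scope, requirements) for a transport and reference.

    Order mirrors policy.json semantics: transport scopes from most to least
    specific, then the transport's "" catch-all scope if present, then the
    global "default". Every requirement in the list must hold for acceptance.
    """
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(reference):
        if scope in scopes:
            return scope, scopes[scope]
    if "" in scopes:
        return "", scopes[""]
    return "default", policy["default"]


def machineconfig_yaml(policy, role="worker", name="99-worker-container-policy"):
    """Render a MachineConfig whose Ignition stanza writes the policy file.
    Object name and role are assumptions; mode 420 is 0644 in decimal."""
    payload = base64.b64encode(json.dumps(policy, indent=2).encode()).decode()
    return "\n".join([
        "apiVersion: machineconfiguration.openshift.io/v1",
        "kind: MachineConfig",
        "metadata:",
        f"  name: {name}",
        "  labels:",
        f"    machineconfiguration.openshift.io/role: {role}",
        "spec:",
        "  config:",
        "    ignition:",
        "      version: 3.2.0",
        "    storage:",
        "      files:",
        "      - path: /etc/containers/policy.json",
        "        mode: 420",
        "        overwrite: true",
        "        contents:",
        f"          source: data:text/plain;charset=utf-8;base64,{payload}",
    ])


if __name__ == "__main__":
    # Constructed sample references, one per rule on the page plus a miss.
    for transport, ref in [
        ("docker", "access.redhat.com/ubi8/ubi:latest"),
        ("atomic", "172.30.1.1:5000/openshift/tools:1.0"),
        ("atomic", "172.30.1.1:5000/production/app@sha256:0123abcd"),
        ("atomic", "172.30.1.1:5000/staging/app:1.0"),
        ("docker", "quay.io/example/app:1.0"),
    ]:
        print(transport, ref, "->", resolve(POLICY, transport, ref))
    print(machineconfig_yaml(POLICY))
```

Running the script shows why the ordering of scopes matters: an image under `172.30.1.1:5000/staging` is not covered by either namespace rule, so it falls through to the `172.30.1.1:5000` registry-wide `reject`, while an image on an unlisted registry such as `quay.io` never matches a transport scope and is rejected by the global `default`. Apply the rendered object with `oc apply -f` and the Machine Config Operator rolls the file out to every node carrying the selected role.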