Docker Content Trust
Docker has made our lives much easier, hasn't it?
Whenever you want to deploy an application, it is trivially easy to pull an image from Docker Hub and wire it into your automated CI/CD pipeline. That is really convenient!
But have you ever thought about the authenticity and integrity of that image before you pull it from Docker Hub?
If not, it is time to look up Docker Content Trust. And yes, at the time of writing Docker is the only container runtime with built-in content trust.

Docker Content Trust (DCT) lets an image publisher digitally sign the image tags they push to a remote registry, so that anyone pulling the image can verify its integrity and the identity of its publisher. It is built on Docker Notary, an implementation of The Update Framework (TUF), which publishes and manages the signed trust metadata.
So what I suggest is:
— Sign your image before pushing it to Docker Hub.
— Verify the signature of any image before pulling it for use.
— Automate this signature verification in your CI/CD pipeline.
By default, content trust is disabled in the Docker client. To enable it, set the DOCKER_CONTENT_TRUST environment variable to 1; docker push, docker pull, docker build, docker create and docker run in that shell will then sign or verify image tags, and pulling a tag that has no trust data fails. Keep in mind that this is a client-side check: the variable must be set on every machine and in every CI job that pulls images, and a single command can still opt out with --disable-content-trust.
This protects you against man-in-the-middle tampering with the image and against replay of old signed metadata (Notary's timestamp role keeps the trust data fresh). It looks simple, but it may save you one day.
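The following script puts the three suggestions above (sign before push, verify on pull, automate the check in CI) into one place. It is an added example, not code from the original post or from Docker: the image name example.com/team/app:1.0, the delegation signer name ci and the private Notary URL are invented for illustration, and the script assumes image references carry an explicit tag.

```shell
#!/bin/sh
# dct-gate.sh: added example of signing, trusted pulling and a CI gate on the signer.
# Assumptions (not from the post): image refs are repo:tag; "ci" and
# "example.com/team/app:1.0" are placeholder names; the Notary URL is hypothetical.
set -eu

# Content trust is off by default in the client; turn it on for everything this
# script runs. DOCKER_CONTENT_TRUST_SERVER is only needed for a private Notary
# (Docker Hub images use the default server).
export DOCKER_CONTENT_TRUST=1
# export DOCKER_CONTENT_TRUST_SERVER=https://notary.example.com   # hypothetical private Notary

# Publisher side: create a delegation key for <signer>, register it on the
# repository, then sign the tag. `docker trust sign` pushes the image while signing.
sign_and_push() {
  image="$1"; signer="$2"
  repo="${image%:*}"
  [ -f "$signer.pub" ] || docker trust key generate "$signer"   # writes ./<signer>.pub
  docker trust signer add --key "$signer.pub" "$signer" "$repo"
  docker trust sign "$image"
}

# Consumer side: with DOCKER_CONTENT_TRUST=1 the client verifies the tag's signed
# metadata before pulling and refuses a tag that has no trust data.
trusted_pull() {
  docker pull "$1"
}

# CI policy check: succeed only if <image> is signed by the delegation <signer>.
# A plain trusted pull also accepts tags signed with the repository key alone
# (shown as "(Repo Admin)" by docker trust inspect); this check is stricter.
signed_by() {
  image="$1"; expected="$2"
  repo="${image%:*}"; tag="${image##*:}"
  # `docker trust inspect --pretty` prints one row per signed tag:
  # SIGNED TAG  DIGEST  SIGNERS, with signers comma-separated.
  signers=$(docker trust inspect --pretty "$repo" \
    | awk -v tag="$tag" '($1 "") == tag { for (i = 3; i <= NF; i++) printf "%s ", $i }' \
    | tr -d ',')
  for s in $signers; do
    [ "$s" = "$expected" ] && return 0
  done
  return 1
}

# Usage: dct-gate.sh sign <image> <signer> | pull <image> | check <image> <signer>
case "${1:-}" in
  sign)  sign_and_push "${2:?image}" "${3:?signer}" ;;
  pull)  trusted_pull "${2:?image}" ;;
  check)
    if signed_by "${2:?image}" "${3:?signer}"; then
      echo "$2 is signed by $3"
    else
      echo "$2 is NOT signed by $3; refusing to deploy" >&2
      exit 1
    fi ;;
  *) ;;   # no arguments: only define the functions, so the file can be sourced
esac
```

In a pipeline you would run `dct-gate.sh sign example.com/team/app:1.0 ci` in the build job and `dct-gate.sh check example.com/team/app:1.0 ci && dct-gate.sh pull example.com/team/app:1.0` in the deploy job, so a tag that was pushed without the team's delegation key never reaches production even though it might still pass a bare trusted pull.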
What about content trust in Kubernetes? What options are available to validate container images? I don't believe there is any native support, but I am exploring Notary and Open Policy Agent as a solution. How do you all handle content trust in Kubernetes?