- Describe the process of signing an image
- Demonstrate that an image passes a security scan
- Enable Docker Content Trust
- Configure RBAC in UCP
- Integrate UCP with LDAP/AD
- Demonstrate creation of UCP client bundles
- Describe default engine security
- Describe swarm default security
- Describe MTLS
- Identity roles
- Describe the difference between UCP workers and managers
- Describe process to use external certificates with UCP and DTR
What is DCT?
Through DCT, image publishers can sign their images and image consumers can verify that the images they pull are signed by a publisher they trust. The signatures are stored in a Notary server beside the registry (DTR ships one), not inside the image.
What does DCT stand for?
Docker Content Trust
What is the command to generate a delegation key pair?
docker trust key generate <name>
(writes <name>.pub to the current directory and stores the passphrase-protected private key under ~/.docker/trust/private)
How do you load an existing private key instead of generating one?
docker trust key load <key.pem> --name <name>
How do you sign a particular tag and push it to the registry?
docker trust sign dtr.example.com/admin/demo:1
(before the first signature, add the signer's public key to the repository: docker trust signer add --key <name>.pub <name> dtr.example.com/admin/demo)
How do you enable Docker Content Trust so that docker push signs images automatically?
export DOCKER_CONTENT_TRUST=1
(with this set, docker pull, run, create and build also refuse unsigned images; --disable-content-trust overrides it for a single command)
How do you inspect the remote trust data for a tag?
docker trust inspect dtr.example.com/admin/demo:1
(prints JSON; add --pretty for a human-readable table)
How do you remove the remote trust data for a tag?
docker trust revoke dtr.example.com/admin/demo:1
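Added example, not part of the original notes: a CI-style gate that reads the JSON printed by docker trust inspect (captured by the caller and passed in as a string) and only releases a digest-pinned image reference when the tag carries a signature from every required delegation signer. The inspect output below is a constructed sample whose digests and key IDs are placeholders; the function name trusted_ref and the signer names are this example's own.

```python
import json

# Constructed sample of the JSON that `docker trust inspect <repo>` prints
# (without --pretty). Digests and key IDs are made-up placeholders for this
# example, not real trust data from any registry.
SAMPLE_INSPECT = json.dumps([{
    "Name": "dtr.example.com/admin/demo",
    "SignedTags": [
        {"SignedTag": "1",
         "Digest": "1" * 64,
         "Signers": ["alice"]},
        # "Repo Admin" means the tag was signed with the repository key,
        # not by a named delegation; a gate should not accept that blindly.
        {"SignedTag": "2",
         "Digest": "2" * 64,
         "Signers": ["Repo Admin"]},
    ],
    "Signers": [{"Name": "alice", "Keys": [{"ID": "0123abcd"}]}],
    "AdministrativeKeys": [
        {"Name": "Root", "Keys": [{"ID": "deadbeef"}]},
        {"Name": "Repository", "Keys": [{"ID": "cafef00d"}]},
    ],
}])


def trusted_ref(inspect_output, repo, tag, required_signers):
    """Return the digest-pinned reference 'repo@sha256:<digest>' for repo:tag
    when the trust data shows that tag signed by every name in
    required_signers; return None otherwise.

    Deploying the digest taken from the trust data (rather than the tag)
    matters: a tag is mutable, the digest is what was actually signed.
    """
    required = set(required_signers)
    for entry in json.loads(inspect_output):
        if entry.get("Name") != repo:
            continue
        for signed in entry.get("SignedTags", []):
            if signed.get("SignedTag") != tag:
                continue
            if required and required <= set(signed.get("Signers", [])):
                return "%s@sha256:%s" % (repo, signed["Digest"])
            return None  # tag present but not signed by all required signers
    return None  # no trust data for this repo or tag


if __name__ == "__main__":
    print(trusted_ref(SAMPLE_INSPECT, "dtr.example.com/admin/demo", "1", ["alice"]))
```

The empty-signer-list case is rejected on purpose: a gate with no required signers would accept anything that merely has trust metadata, including repository-key signatures.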
What is a grant?
A grant defines who (a subject) has how much access (a role) to which set of resources (a collection or Kubernetes namespace).
What is a subject?
A subject is a user, team, organization or service account that is granted a role for a set of resources.
What is a role?
A role is a set of permitted API operations that you assign to a specific subject for a collection by creating a grant. UCP ships the built-in roles None, View Only, Restricted Control, Scheduler and Full Control; custom roles can also be defined.
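Added example, not UCP's code: a small model of how grants, subjects and roles combine into an access decision. It assumes that a grant on a collection also covers the collections nested under it and that permissions from several grants add up; the users, teams, collection paths and the operation names inside each role are constructed for the example, not UCP's real API operation names.

```python
# Role -> set of permitted operations. The operation names are placeholders
# chosen for this example, not UCP's actual API operation names.
ROLES = {
    "View Only": {"view"},
    "Restricted Control": {"view", "create", "remove"},
    "Full Control": {"view", "create", "remove", "exec", "privileged"},
}

# Constructed directory: organization -> teams, team -> member users.
ORG_TEAMS = {"acme": {"dev", "ops"}}
TEAM_MEMBERS = {"dev": {"alice", "bob"}, "ops": {"carol"}}

# Constructed grants as (subject, role, collection) triples.
GRANTS = [
    ("acme", "View Only", "/Shared"),
    ("dev", "Restricted Control", "/Shared/dev-apps"),
    ("carol", "Full Control", "/Shared"),
]


def subjects_for(user):
    """Every subject a grant could name that covers this user: the user,
    the teams they belong to and the organizations owning those teams."""
    subjects = {user}
    for team, members in TEAM_MEMBERS.items():
        if user in members:
            subjects.add(team)
            subjects.update(org for org, teams in ORG_TEAMS.items() if team in teams)
    return subjects


def collection_covers(granted, target):
    """True when target is the granted collection or nested below it.
    The trailing slash prevents /Shared from matching /Shared-other."""
    return target == granted or target.startswith(granted.rstrip("/") + "/")


def allowed(user, operation, collection, grants=GRANTS):
    """Decide whether user may perform operation on a resource in collection.
    Any one matching grant whose role permits the operation is enough."""
    subjects = subjects_for(user)
    for subject, role, granted in grants:
        if (subject in subjects and collection_covers(granted, collection)
                and operation in ROLES.get(role, set())):
            return True
    return False


if __name__ == "__main__":
    for user, op, coll in [("alice", "create", "/Shared/dev-apps"),
                           ("alice", "create", "/Shared/ops-apps"),
                           ("carol", "exec", "/Shared/ops-apps")]:
        print(user, op, coll, "->", allowed(user, op, coll))
```

Reading the decisions: alice can view anything under /Shared through the organization-level grant, can create only under /Shared/dev-apps through her team, and nothing gives her exec; carol's user-level Full Control grant on /Shared reaches every nested collection but not /Private.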
What is a Client Bundle?
A client bundle is a zip of certificates and scripts downloadable directly from the Docker Universal Control Plane (UCP) user interface, under "My Profile" in the admin section. It contains a TLS client certificate and private key issued for your user (cert.pem, key.pem), the UCP CA certificate (ca.pem) and environment scripts (env.sh, env.ps1, env.cmd) that point the Docker CLI at the UCP endpoint.
Sourcing env.sh authenticates your local Docker CLI to UCP as that user account managed in Docker EE, so every command is subject to the RBAC grants of that account. You can then run docker and docker swarm commands from your remote machine that take effect on the remote cluster.
What is the easiest way to access or control the UCP?
Client Bundle
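Added example, not part of the original notes or of UCP: a loader that turns an unpacked client bundle directory into the environment the Docker CLI needs, refusing bundles that are incomplete, that leave TLS verification off, or whose private key is readable by other local users. The bundle written by make_sample_bundle is a constructed stand-in (placeholder PEM text, an env.sh of the same shape as UCP's, and the hypothetical host ucp.example.com), so the example runs offline.

```python
import os
import stat
import tempfile

# Files an unpacked UCP client bundle must provide for the Docker CLI
# (the bundle also ships env.ps1/env.cmd and a kubeconfig, ignored here).
REQUIRED_FILES = ("ca.pem", "cert.pem", "key.pem", "env.sh")


def make_sample_bundle(ucp_host="ucp.example.com"):
    """Write a constructed placeholder bundle to a temp dir and return its
    path. The PEM files hold dummy text, not real certificates; env.sh
    mirrors the shape of the script UCP generates."""
    path = tempfile.mkdtemp(prefix="ucp-bundle-")
    for name in ("ca.pem", "cert.pem", "key.pem"):
        with open(os.path.join(path, name), "w") as f:
            f.write("-----BEGIN PLACEHOLDER-----\n")
    os.chmod(os.path.join(path, "key.pem"), 0o600)  # private key: owner only
    with open(os.path.join(path, "env.sh"), "w") as f:
        f.write('export DOCKER_TLS_VERIFY=1\n'
                'export COMPOSE_TLS_VERSION=TLSv1_2\n'
                'export DOCKER_CERT_PATH="$(pwd)"\n'
                'export DOCKER_HOST=tcp://%s:443\n' % ucp_host)
    return path


def load_bundle(path):
    """Parse env.sh into a dict of environment variables for the Docker CLI
    after checking the bundle. Raises ValueError on any problem."""
    missing = [n for n in REQUIRED_FILES if not os.path.isfile(os.path.join(path, n))]
    if missing:
        raise ValueError("bundle is missing %s" % ", ".join(missing))
    mode = stat.S_IMODE(os.stat(os.path.join(path, "key.pem")).st_mode)
    if mode & 0o077:
        raise ValueError("key.pem is readable by group/others (mode %o)" % mode)
    env = {}
    with open(os.path.join(path, "env.sh")) as f:
        for line in f:
            line = line.strip()
            if not line.startswith("export "):
                continue
            key, _, value = line[len("export "):].partition("=")
            value = value.strip("\"'")
            # env.sh resolves the cert path relative to the shell's cwd;
            # here it is resolved against the bundle directory instead.
            env[key] = path if value in ("$(pwd)", "$PWD") else value
    if env.get("DOCKER_TLS_VERIFY") != "1":
        raise ValueError("bundle does not enforce TLS verification")
    if not env.get("DOCKER_HOST", "").startswith("tcp://"):
        raise ValueError("DOCKER_HOST missing or not a tcp:// endpoint")
    return env


if __name__ == "__main__":
    bundle = make_sample_bundle()
    for key, value in sorted(load_bundle(bundle).items()):
        print("%s=%s" % (key, value))
```

The TLS_VERIFY check is the one worth keeping in a real wrapper: a bundle edited to drop it would still "work" against UCP while silently accepting any server certificate.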
What is the kernel feature that isolates the processes running in different containers?
Namespaces
Which kernel feature limits the resources used by docker containers?
Control Groups
Which kernel feature needs extra configuration before Docker uses it?
User namespaces: by default the daemon does not remap container root to an unprivileged host user; you must enable userns-remap in the daemon configuration.
Is Docker swarm secure by default?
Yes. Nodes join with a token, each node holds a certificate issued by the swarm's built-in CA, all manager and worker traffic is mutually authenticated and encrypted with TLS, and node certificates are rotated automatically.