[Feature-request] could crictl pull verify tags via Docker Content Trust conception? #2065
Comments
@mtrmac Could you take this one?
CRI-O does not integrate with Notary currently. I haven’t looked at Notary for some time, so the design might have changed; but integrating Notary into the daemon would be possible in principle but somewhat intrusive. Notary integrates into image use by replacing the tag references with digest references. To work correctly and consistently, that would ideally need to be done by integrating Notary support all the way down in c/image/docker so that it is completely transparent to callers referring to images by tags — forcing Notary integration, or at least vendoring of the code including the crypto implementations, on all c/image/docker users. Then we would have to define some new mechanism (not present in Docker AFAICT!) to enable/disable Notary use per-registry: A global on/off switch is not really viable for a daemon unless you expect all images on the cluster to live on the Docker Hub (or maybe a single private registry), and CRI requests never to refer to images on other registries. (Or, well, it could be done the Docker-CE way and literally implement what the title of the issue says, doing that in
We don't control crictl or Kubernetes. So this issue should go to those projects. If you want Notary signing to work, I believe it needs to be implemented in the orchestrator, not in the CRIs. If people want to work on making this work with something like podman or buildah, we could look at the PRs.
Since this issue needs to be with Kubernetes, closing.
Does cri-o support the Docker Content Trust conception described here:
https://docs.docker.com/engine/security/trust/content_trust/?
Could I set "use only trusted images" when using crio?