Security
Surya Vallabhaneni edited this page Sep 11, 2019
Process of signing an image
docker push myregistrydomain.com:5000/untrusted . <image>:<tag>
"When you push your first tagged image with content trust enabled, the docker client recognizes this is your first push and:
- alerts you that it is creating a new root key
- requests a passphrase for the root key
- generates a root key in the ~/.docker/trust directory
- requests a passphrase for the repository key
- generates a repository key in the ~/.docker/trust directory"
Enable Docker Content Trust
export DOCKER_CONTENT_TRUST=1
Integrate UCP with LDAP/AD
In UCP: Authentication & Authorization --> LDAP sync jobs
create UCP client bundles
download the zip file
Describe MTLS
"Mutually authenticated TLS (short-lived certificates for nodes and managers)
TLS supports:
- message authentication
- key material generation
- supported cipher suites"
Identity roles
"Roles in docker swarm with UCP
- Administrators
- Regular Users"
Use external certificates with UCP and DTR
Admin Settings -> Certificates
List all roles
"- NONE - No access to swarm resources
- VIEW ONLY - User can view (services, volumes, networks)
- RESTRICTED CONTROL - restricts ability to `exec` into containers
- SCHEDULER - view nodes and schedule workloads
- FULL CONTROL - user is allowed to view & edit networks"