Bug 1282754

Summary: [RFE] integration with Notary Service
Product: OpenShift Container Platform Reporter: Eric Rich <erich>
Component: RFEAssignee: Michal Fojtik <mfojtik>
Status: CLOSED WONTFIX QA Contact: Johnny Liu <jialiu>
Severity: low Docs Contact:
Priority: unspecified    
Version: 3.1.0CC: aos-bugs, bparees, erich, jialiu, jokerman, mmccomas
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-10-25 10:16:20 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Eric Rich 2015-11-17 10:41:11 UTC 
Description of problem:

Simply having "trusted" registries is not enought to ensure that Red Hat images are not tampered with before they are run. 

Integration with notary in the following way should help improve security, but more importantly peace of mind (about what you pull, or to customers who pull application built by openshift/atomic enterprises platform.

1: Integration with Red Hat Network registry when images move from a public registry to a private corporate registry. 
2: Integration with builds automatically.
  - So ephemeral teams (QE,Operations) can validate the images or content being pulled. 
  - So customer's or community members can validate images or content that they would use/download

I feel 2 is especially important with a tool like openshift because if it's intergated with automation your not trusting an unknown source(notary) but a trusted/certified(notary). 

Additional info:

https://github.com/docker/notary/blob/master/README.md
Comment 3 Ben Parees 2017-10-25 10:16:20 UTC 
image signing support is proceeding but there are no plans to integrate w/ notary.