Bug 1282754 - [RFE] integration with Notary Service
Summary: [RFE] integration with Notary Service
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE
Version: 3.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
low
Target Milestone: ---
Assignee: Michal Fojtik
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2015-11-17 10:41 UTC by Eric Rich
Modified: 2019-11-14 07:08 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-10-25 10:16:20 UTC
Target Upstream Version:
Embargoed:


Description Eric Rich 2015-11-17 10:41:11 UTC
Description of problem:

Simply having "trusted" registries is not enough to ensure that Red Hat images are not tampered with before they are run.

Integration with notary in the following way should help improve security, but more importantly peace of mind (about what you pull, or to customers who pull applications built by the OpenShift/Atomic Enterprise Platform).

1: Integration with Red Hat Network registry when images move from a public registry to a private corporate registry. 
2: Integration with builds automatically.
  - So ephemeral teams (QE,Operations) can validate the images or content being pulled. 
  - So customers or community members can validate images or content that they would use/download.

I feel 2 is especially important with a tool like OpenShift because if it's integrated with automation you're not trusting an unknown source (notary) but a trusted/certified (notary).

Additional info:

https://github.com/docker/notary/blob/master/README.md

Comment 3 Ben Parees 2017-10-25 10:16:20 UTC
Image signing support is proceeding, but there are no plans to integrate w/ notary.
