Bug 1282754 - [RFE] integration with Notary Service
[RFE] integration with Notary Service
Product: OpenShift Container Platform
Classification: Red Hat
Component: RFE (Show other bugs)
Unspecified Unspecified
unspecified Severity low
: ---
: ---
Assigned To: Michal Fojtik
Johnny Liu
Depends On:
  Show dependency treegraph
Reported: 2015-11-17 05:41 EST by Eric Rich
Modified: 2017-10-25 06:16 EDT (History)
6 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2017-10-25 06:16:20 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Eric Rich 2015-11-17 05:41:11 EST
Description of problem:

Simply having "trusted" registries is not enought to ensure that Red Hat images are not tampered with before they are run. 

Integration with notary in the following way should help improve security, but more importantly peace of mind (about what you pull, or to customers who pull application built by openshift/atomic enterprises platform.

1: Integration with Red Hat Network registry when images move from a public registry to a private corporate registry. 
2: Integration with builds automatically.
  - So ephemeral teams (QE,Operations) can validate the images or content being pulled. 
  - So customer's or community members can validate images or content that they would use/download

I feel 2 is especially important with a tool like openshift because if it's intergated with automation your not trusting an unknown source(notary) but a trusted/certified(notary). 

Additional info:

Comment 3 Ben Parees 2017-10-25 06:16:20 EDT
image signing support is proceeding but there are no plans to integrate w/ notary.

Note You need to log in before you can comment on or make changes to this bug.