Enable signed image enforcement
Description
The Universal Control Plane includes the ability to enforce running of only images that have been signed by members of a particular group. This capability should be enabled to prevent unsigned images from being deployed to your cluster.
Rationale
Running untrusted containers poses a risk to the operation of your Docker platform. Combined with the Docker Content Trust recommendations in Section 4, signed image enforcement in UCP gives you more control over the validity and origin of your Docker images prior to deployment. Signed image enforcement can block the deployment of images that are unsigned, that carry malformed signatures, or whose signatures have been compromised.
Audit
The “Docker Content Trust” page under the UCP “Admin Settings” UI can be used to verify that this setting has been enabled.
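An automated complement to the UI check above, added here and not part of the benchmark text: a POSIX shell helper that inspects an exported UCP configuration file for signed image enforcement. It assumes the `[trust_configuration]` table with the `require_content_trust` and `require_signature_from` keys from the UCP config file reference, a signer array written on one line, and uses constructed sample configs rather than output from a real cluster.

```shell
#!/bin/sh
# Added audit helper (not from the benchmark): check a UCP config TOML for
# signed image enforcement. Key names are assumed from the UCP config reference.

# Return 0 when require_content_trust is true AND at least one signer is
# required; otherwise print the reason and return 1.
check_ucp_trust_config() {
    cfg="$1"
    # Keep only the [trust_configuration] table (stop at the next table header)
    # so a same-named key in another table is not mistaken for this setting.
    table=$(awk '/^\[trust_configuration\]/{f=1;next} /^\[/{f=0} f' "$cfg")
    rct=$(printf '%s\n' "$table" |
        sed -n 's/^[[:space:]]*require_content_trust[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p')
    # Assumes a single-line array, e.g. ["team-a", "team-b"]; strip quotes/spaces.
    signers=$(printf '%s\n' "$table" |
        sed -n 's/^[[:space:]]*require_signature_from[[:space:]]*=[[:space:]]*\[\([^]]*\)].*/\1/p' |
        tr -d ' "')
    if [ "$rct" != "true" ]; then
        echo "FAIL: require_content_trust is '${rct:-unset}' (expected true)"
        return 1
    fi
    if [ -z "$signers" ]; then
        echo "FAIL: require_signature_from is empty; no specific signer is required"
        return 1
    fi
    echo "PASS: signed image enforcement on, required signers: $signers"
    return 0
}

# Constructed sample configs (weak vs. hardened), not real cluster output.
weak=$(mktemp); hardened=$(mktemp)
cat > "$weak" <<'EOF'
[trust_configuration]
  require_content_trust = false
  require_signature_from = []
EOF
cat > "$hardened" <<'EOF'
[trust_configuration]
  require_content_trust = true
  require_signature_from = ["security-team", "release-eng"]
EOF

check_ucp_trust_config "$weak" || true   # prints FAIL
check_ucp_trust_config "$hardened"       # prints PASS
rm -f "$weak" "$hardened"
```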
Impact
None
Default value
None
References
- https://docs.docker.com/datacenter/ucp/2.2/guides/admin/configure/run-only-the-images-you-trust/
- https://success.docker.com/article/Docker_Reference_Architecture-_Securing_Docker_EE_and_Security_Best_Practices
CIS controls
None