Run only the images you trust¶
With MKE you can enforce applications to only use Docker images signed by MKE users you trust. Each time a user attempts to deploy an application to the cluster, MKE checks whether the application is using a trusted Docker image (and will halt the deployment if that is not the case).
By signing and verifying the Docker images, you ensure that the images being used in your cluster are the ones you trust and haven’t been altered either in the image registry or on their way from the image registry to your MKE cluster.
A developer makes changes to a service and pushes their changes to a version control system.
A CI system creates a build, runs tests, and pushes an image to MSR with the new changes.
The quality engineering team pulls the image and runs more tests. If everything looks good they sign and push the image.
The IT operations team deploys a service. If the image used for the service was signed by the QA team, MKE deploys it. Otherwise MKE refuses to deploy.
To configure MKE to only allow running services that use Docker trusted images:
Access the MKE UI and browse to the Admin Settings page.
In the left navigation pane, click Docker Content Trust.
Select the Run only signed images option.
With this setting, MKE allows deploying any image as long as the image has been signed. It doesn’t matter who signed the image.
To enforce that the image needs to be signed by specific teams, click Add Team and select those teams from the list.
If you specify multiple teams, the image needs to be signed by a member of each team, or someone that is a member of all those teams.
At this point, MKE starts enforcing the policy. Existing services will continue running and can be restarted if needed, however MKE only allows the deployment of new services that use a trusted image.