Signed distribution of Platform modules with Docker Content Trust
Available from release 2.3.0-immortal
Introduction
In Q4 2020, Docker image signing will be added to the platform so that anyone deploying the distributed images can verify that they have not been tampered with.
The Docker mechanism for this is DCT (Docker Content Trust). It involves two processes:
Signing: integrated in the image generation pipeline and performed when the image is pushed to the registry.
Verification of the signature: depends on the environment where the image is going to be executed (Docker, Kubernetes...). The signature is verified right after the image is pulled and before it is run.
Both signing and verification involve a number of infrastructure elements and processes.
Signing and verification process
This Docker image signing process relies on Notary (https://github.com/theupdateframework/notary), an implementation of The Update Framework (TUF) on which DCT is built. Notary signs, publishes and manages trusted collections of content; for Docker, the collection is the mapping from each image tag to the sha256 digest of its manifest.
The Docker client integrates with Notary: when Content Trust is enabled, docker push signs the manifest digest of the pushed tag and stores the signed TUF metadata on the Notary server, not inside the image. The integrity of the artefact can then be checked later, when it is pulled, by comparing the digest of the pulled manifest with the signed one.
The image itself goes to the Docker registry in the usual way: the registry stores the layers and the manifest, and the Notary server stores the signatures.
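The push-side of this process, as an added example that is not the Onesait Platform's own pipeline code: a small shell script a CI job can call to sign on push with DCT. The Notary URL, the key file names, the "jenkins" signer name and the passphrase variables are placeholders (assumptions); the docker trust commands and DOCKER_CONTENT_TRUST variables are the ones the Docker client documents.

```shell
#!/bin/sh
# Added example, not the Onesait Platform's own pipeline code: sign-on-push with
# Docker Content Trust from a CI job. NOTARY_URL, SIGNER_PRIVATE_KEY,
# SIGNER_PUBLIC_KEY and the "jenkins" signer name are placeholders (assumptions).
set -eu

# DCT signs tags, never digests, and a push without a tag has nothing to sign.
# Refuse anything that is not "[registry/]repo:tag" so the job fails before docker does.
check_image_ref() {
  ref="$1"
  case "$ref" in
    *@*) echo "refused: $ref is pinned by digest, DCT signs tags" >&2; return 1 ;;
  esac
  path="${ref##*/}"                  # last path element: "name:tag" or just "name"
  case "$path" in
    *:*) tag="${path##*:}" ;;
    *)   echo "refused: $ref has no explicit tag" >&2; return 1 ;;
  esac
  # tag grammar used by the registry: [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}
  printf '%s' "$tag" | grep -Eq '^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
}

# One-off per repository, run on the signing host: register the CI delegation key
# so routine builds never need the repository's root key or its passphrase.
# docker trust key load encrypts its copy of the key under ~/.docker/trust/private,
# using DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE when set (it prompts otherwise).
init_repo_trust() {
  repo="$1"
  export DOCKER_CONTENT_TRUST_SERVER="$NOTARY_URL"
  : "${DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE:?needed only for initialisation}"
  : "${DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE:?from the credential store}"
  docker trust key load --name jenkins "$SIGNER_PRIVATE_KEY"
  docker trust signer add --key "$SIGNER_PUBLIC_KEY" jenkins "$repo"
}

# Routine build: with DOCKER_CONTENT_TRUST=1, docker push signs the pushed tag with
# the loaded delegation key and uploads the TUF metadata to the Notary server; the
# image itself goes to the registry exactly as before.
sign_and_push() {
  ref="$1"
  check_image_ref "$ref"
  export DOCKER_CONTENT_TRUST=1
  export DOCKER_CONTENT_TRUST_SERVER="$NOTARY_URL"   # required when Notary is not on the registry host
  : "${DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE:?from the credential store, never in the log}"
  docker push "$ref"
  # Signed tag, manifest digest and signer key ID: keep this output as build evidence.
  docker trust inspect --pretty "$ref"
}

# usage: NOTARY_URL=https://notary.example.com ./dct-sign.sh init registry.example.com/onesait/platform-x
#        NOTARY_URL=https://notary.example.com ./dct-sign.sh push registry.example.com/onesait/platform-x:1.2.0
case "${1:-}" in
  init) init_repo_trust "${2:?repository}" ;;
  push) sign_and_push "${2:?image:tag}" ;;
esac
```

The root key that docker trust signer add generates on the first initialisation is the trust anchor for the repository; keep it (and DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE) off the CI agent, and store only the encrypted delegation key there.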
When Docker itself pulls the image, verification happens automatically if DCT is enabled on the pulling host (DOCKER_CONTENT_TRUST=1): the client fetches the signed metadata from Notary and refuses to pull a tag whose manifest digest does not match the signed one. The problem arises when the image is deployed in Kubernetes, as is currently done with Onesait Platform on CaaS platforms such as Rancher2 and Openshift: the kubelet and the container runtime do not implement DCT, so another piece is needed, an admission controller, to do the verification before the pod is admitted.
There are different admission controllers for this purpose; Connaisseur has been chosen because it installs directly on top of Kubernetes with little effort.
Lines of work in Onesait Platform
Integration of Notary in our CI/CD cycle:
  Installation of the Notary server.
  Installation of the Notary signer.
  Installation of the Notary database.
  Establishing trust relationships between the Notary server, Jenkins and the Docker registry.
  Generation of signing keys for Onesait Platform artefacts.
  Extending the image generation pipelines to sign Docker artefacts and publish the signed artefacts to the registry.
Enabling signature verification in the CloudLab environment:
  Installation of Connaisseur on CloudLab's CaaS.
  Enabling signature verification of the platform's Docker artefacts.
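The verification side described above (Connaisseur as the admission controller that enforces DCT in the CaaS), as an added example that is not the Onesait Platform's own deployment code. The values layout follows the Connaisseur 2.x chart (a validators list and a policy list); the Helm repository URL, the validator name "onesait", the hosts, registry and file names are assumptions, to be checked against the chart version actually installed.

```shell
#!/bin/sh
# Added example, not the Onesait Platform's own deployment code: enforce Docker
# Content Trust in Kubernetes with Connaisseur. Values layout: Connaisseur 2.x
# chart (assumption). Helm repo URL, validator name, hosts, registry and file
# names are placeholders.
set -eu

# Render the Helm values. One notaryv1 validator points at our Notary server and
# our root public key (root.pub exported from the signing host: the trust anchor,
# not a secret). The policy routes every image from our registry through that
# validator and denies everything else, so unsigned or foreign images are rejected.
render_values() {
  notary_host="$1"; root_pub="$2"; registry="$3"
  key_block=$(sed 's/^/      /' "$root_pub")   # indent the PEM into the YAML block scalar
  cat <<EOF
validators:
- name: onesait
  type: notaryv1
  host: ${notary_host}
  trust_roots:
  - name: default
    key: |
${key_block}
- name: deny
  type: static
  approve: false
policy:
- pattern: "${registry}/*:*"
  validator: onesait
- pattern: "*:*"
  validator: deny
EOF
}

install_connaisseur() {
  render_values "$@" > connaisseur-values.yaml
  helm repo add connaisseur https://sse-secure-systems.github.io/connaisseur/charts
  helm upgrade --install connaisseur connaisseur/connaisseur \
    --namespace connaisseur --create-namespace -f connaisseur-values.yaml
}

# After installation: a pod with a tag that was never signed must be rejected by
# the webhook, while a signed tag is admitted with its image rewritten to the
# signed digest (so the node can only ever pull what was verified).
smoke_test() {
  registry="$1"
  if kubectl run unsigned-test --image="${registry}/onesait/unsigned-test:1.0" 2>/dev/null; then
    echo "FAIL: unsigned image was admitted" >&2; return 1
  fi
  kubectl run signed-test --image="${registry}/onesait/platform-x:1.2.0"
  kubectl get pod signed-test -o jsonpath='{.spec.containers[0].image}'
}

# Stand-alone check of the rendering against a constructed (not real) public key.
demo_render() {
  tmp=$(mktemp)
  printf '%s\n' '-----BEGIN PUBLIC KEY-----' 'MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEconstructedplaceholderkey' '-----END PUBLIC KEY-----' > "$tmp"
  render_values notary.example.com "$tmp" registry.example.com
  rm -f "$tmp"
}

# usage: ./connaisseur-setup.sh install notary.example.com root.pub registry.example.com
#        ./connaisseur-setup.sh smoke registry.example.com
case "${1:-}" in
  install) install_connaisseur "${2:?notary host}" "${3:?root.pub}" "${4:?registry}" ;;
  smoke)   smoke_test "${2:?registry}" ;;
esac
```

Connaisseur applies the most specific matching policy rule, so the registry-scoped rule wins for platform images and the catch-all deny rule handles the rest; if the platform also needs images from public registries, each one needs its own rule and validator rather than a relaxation of the catch-all.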