Open AdvanRafael opened 1 year ago
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 30 days.
Hi @AdvanRafael ,
Sorry for the late response.
Based on your request, we would suggest using Notation to sign your images in ACR instead of DCT. See this doc for details.
ACR doesn't support denying pulls of unsigned images so far, but there is a way to deny unsigned images at deployment time.
For example, you can use an admission controller to control deployment requests on Kubernetes.
How do you run your images?
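The admission-control approach mentioned above, as an added example that is not part of this thread and not code from ACR, Notation or any admission-controller project. It is a minimal validating-admission handler: for every image a Pod would pull (init, regular and ephemeral containers) it requires the reference to be pinned by digest, then asks a verifier whether that digest carries a trusted signature, and denies the Pod otherwise. The verifier here is a hypothetical in-memory set of "signed digests" standing in for a real check such as a `notation verify` call; the registry name, image references, digests and AdmissionReview payloads are constructed for the example.

```python
"""Added example: deny Pods whose images are not pinned to a signed digest.

Not from the ACR issue thread; the signature store is a stand-in for a real
verifier (for example a call out to `notation verify`).
"""
import json
import re
from typing import Callable, Dict, List, Optional

# Constructed stand-in for a signature verifier: the set of manifest digests
# that a real tool would have verified a trusted signature for.
SIGNED_DIGESTS = {"sha256:" + "0123456789abcdef" * 4}

# Image reference grammar (simplified): [registry/]repo[:tag][@sha256:<64 hex>]
DIGEST_RE = re.compile(r"@(sha256:[0-9a-f]{64})$")


def image_digest(ref: str) -> Optional[str]:
    """Return the sha256 digest a reference is pinned to, or None if it is tag-only.

    A tag can be moved to a different manifest after signing, so only a digest
    identifies exactly what will be pulled and what the signature covers.
    """
    m = DIGEST_RE.search(ref)
    return m.group(1) if m else None


def pod_images(pod: dict) -> List[str]:
    """Collect every image the kubelet would pull for this Pod."""
    spec = pod.get("spec", {})
    return [
        c["image"]
        for field in ("initContainers", "containers", "ephemeralContainers")
        for c in spec.get(field, [])
    ]


def in_store(digest: str) -> bool:
    """Hypothetical verifier: is this digest in the constructed signed set?"""
    return digest in SIGNED_DIGESTS


def review(admission_review: dict, is_signed: Callable[[str], bool]) -> dict:
    """Build the AdmissionReview response for a Pod CREATE/UPDATE request."""
    req = admission_review["request"]
    obj = req.get("object") or {}
    denied: List[str] = []
    if obj.get("kind") == "Pod":
        for ref in pod_images(obj):
            digest = image_digest(ref)
            if digest is None:
                denied.append(f"{ref}: not pinned by digest, signature cannot be verified")
            elif not is_signed(digest):
                denied.append(f"{ref}: no trusted signature for {digest}")
    response: Dict[str, object] = {"uid": req["uid"], "allowed": not denied}
    if denied:
        response["status"] = {"code": 403, "message": "; ".join(denied)}
    return {
        "apiVersion": admission_review["apiVersion"],
        "kind": "AdmissionReview",
        "response": response,
    }


def make_review(uid: str, images: List[str]) -> dict:
    """Constructed sample input: a minimal AdmissionReview for a Pod."""
    containers = [{"name": f"c{i}", "image": img} for i, img in enumerate(images)]
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "request": {"uid": uid, "object": {"kind": "Pod", "spec": {"containers": containers}}},
    }


if __name__ == "__main__":
    # Constructed registry name and references; only the first digest is "signed".
    signed_ref = "myregistry.azurecr.io/app@sha256:" + "0123456789abcdef" * 4
    unsigned_ref = "myregistry.azurecr.io/app@sha256:" + "fedcba9876543210" * 4
    print(json.dumps(review(make_review("1", [signed_ref]), in_store), indent=2))
    print(json.dumps(review(make_review("2", ["myregistry.azurecr.io/app:latest", unsigned_ref]), in_store), indent=2))
```

Requiring a digest rather than resolving a tag inside the webhook avoids a window between verification and pull in which the tag could be repointed; a real deployment would replace `in_store` with a call to the signature verifier and wire `review` into a ValidatingWebhookConfiguration.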
What is the problem you're trying to solve
We understand Docker Content Trust (DCT) works when calling the docker CLI either with the parameter
--disable-content-trust=false
or with export DOCKER_CONTENT_TRUST=1
before an image operation. So far we know several key points about DCT:
The problems are
Describe the solution you'd like
Since Azure hosts both the signature server and the registry server, ACR should know whether an image is signed or not. We expect a server-side option, and the function should work for both the docker CLI and the docker API. When the option is enabled, only signed images can be pulled; otherwise the client will receive an error response. When the option is disabled, any image can be pulled.
Additional context
We found Harbor has already implemented this function. After
Deployment security
is enabled, neither the docker CLI nor the docker API can pull an unsigned image.