docs/reference/tools/container-image-security-enforcement.md
Lines changed: 4 additions & 2 deletions
@@ -23,6 +23,7 @@ Portieris is a Kubernetes admission controller for the enforcement of image secu
23
23
Portieris uses [RedHat Signatures](https://www.redhat.com/en/blog/container-image-signing) to sign container images.
24
24
25
25
To take advantage of Portieris and policy enforcement, you need 3 things:
26
+
26
27
1. A GnuPG key to sign container images, stored in a vault
27
28
2. A process to sign container images using the key from the credentials vault
28
29
3. An `ImagePolicy` or `ClusterImagePolicy` that can instruct Portieris to apply enforcement rules
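Review bot: the blank line inserted between "To take advantage of Portieris and policy enforcement, you need 3 things:" and the numbered list is the right fix, since several Markdown renderers only recognise a list when it is separated from the preceding paragraph, and without it the three items collapse into the sentence; while touching this paragraph, consider "three things" rather than "3 things", and note that item 1 ("stored in a vault") and item 2 ("the key from the credentials vault") describe the same vault, so using one term for it in both items would read more consistently.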
@@ -33,7 +34,7 @@ The following steps are based on [signing images for trusted content](https://cl
33
34
34
35
A script that demonstrates how to easily create a GPG key, publish it to a vault, setup cluster secrets, and setup a default ClusterImagePolicy (as described below) is available at https://github.com/IBM/ibm-garage-tekton-tasks/blob/image-signing/utilities/setup-image-signing-keys.sh
35
36
36
-
The [toolkit's 2-build-tag-push.yaml](https://github.com/IBM/ibm-garage-tekton-tasks/blob/main/tasks/2-build-tag-push.yaml) tekton task has also been updated to accept the output of this script and enforce signatures during the builder's push phase.
37
+
The [toolkit's 8-image-release.yaml](https://github.com/IBM/ibm-garage-tekton-tasks/blob/main/tasks/8-image-release.yaml) tekton task has also been updated to accept the output of this script and enforce signatures during the image release phase.
37
38
38
39
### Create an Image Signing Key
39
40
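Review bot: the context line in this hunk links the setup script at `blob/image-signing/utilities/setup-image-signing-keys.sh`, a feature branch, whereas the same paragraph later in the file (the third hunk) links `blob/main/utilities/setup-image-signing-keys.sh`; the branch link will break once `image-signing` is merged and deleted, so point this copy at `main` as well. The whitespace change itself is correct: moving the blank line from before the 2-build-tag-push paragraph to between it and the 8-image-release paragraph stops Markdown from merging the two task descriptions into one paragraph. Two small wording points in the unchanged lines, if you are editing here anyway: "setup cluster secrets, and setup a default ClusterImagePolicy" should be "set up" (verb), and "tekton task" should be "Tekton task" (proper noun).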
@@ -164,12 +165,13 @@ More information about [policies and enforcement](https://github.com/IBM/portier
164
165
165
166
A script that demonstrates how to easily create a GPG key, publish it to a vault, setup cluster secrets, and setup a default ClusterImagePolicy is available at [IBM/ibm-garage-tekton-tasks/setup-image-signing-keys.sh](https://github.com/IBM/ibm-garage-tekton-tasks/blob/main/utilities/setup-image-signing-keys.sh)
166
167
167
-
The [toolkit's 2-build-tag-push.yaml](https://github.com/IBM/ibm-garage-tekton-tasks/blob/main/tasks/2-build-tag-push.yaml) tekton task has also been updated to accept the output of this script and enforce signatures during the builder's push phase.
168
+
The [toolkit's 8-image-release.yaml](https://github.com/IBM/ibm-garage-tekton-tasks/blob/main/tasks/8-image-release.yaml) tekton task has also been updated to accept the output of this script and enforce signatures during the image release phase.
168
169
169
170
170
171
## Additional Information
171
172
172
173
Additional information on trusted content and policy enforcement can be found at:
174
+
173
175
- [Signing images for trusted content](https://cloud.ibm.com/docs/Registry?topic=Registry-registry_trustedcontent)
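Review bot: this hunk's context shows that the "A script that demonstrates..." paragraph and the two Tekton task paragraphs are a verbatim copy of the block near line 34, and the two copies have already drifted (this one links the script on `main`, the earlier one on `image-signing`); keep a single copy, or have one of them be a short cross-reference to the other, so future edits do not have to be applied twice. The blank line added after "Additional information on trusted content and policy enforcement can be found at:" is consistent with the list-separation fix in the first hunk and is fine. Same "set up" and "Tekton" wording points as in the previous hunk apply to the duplicated lines here.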