docs/doc/source/security/kubernetes/portieris-overview.rst
Juanita Balaraj 4c81f1a116 Removed warning about Portieris on Kubernetes 1.22 and 1.23 (r8, dsr8)
Change-Id: I1022c0071d481ccdf041d1d2fababee3eb5a6e91
Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
2024-02-27 17:26:06 +00:00

1.5 KiB

Portieris Overview

You can enforce image security policies using the Portieris admission controller.

Portieris allows you to configure trust policies for an individual namespace or cluster-wide, and checks the image against a signed image list on a specified notary server to enforce the configured image policies. Portieris first checks that the image's registry/repository is trusted according to the image policies, and, if trust enforcement is enabled for that registry/repository, Portieris verifies that a signed version of the image exists in the specified registry / notary server.

When a workload is deployed, the kube-apiserver sends a workload admission request to Portieris, which attempts to find matching security policies for each image in the workload. If any image in your workload does not satisfy the policy, then the workload is blocked from being deployed.

The implementation of Portieris is integrated with cert-manager and can use custom registries.

Configuring a trust server (for an image or cluster-wide) requires network access upon pod creation. Therefore, if a cluster has no external network connectivity, pod creation will be blocked.

It is required to pull from a registry using a docker-registry secret. Enforcing trust for anonymous image pulls is not supported.

integration with Portieris has been verified against the Harbor registry and notary server (https://goharbor.io/).