proposal: consider add support Encrypted OCI Container images: TUF + ocicrypt (brainstorming) #15489

Closed
Dentrax opened this issue Aug 25, 2021 · 4 comments

@Dentrax
Dentrax commented Aug 25, 2021

Is your feature request related to a problem? Please describe.

An internal IT company may have sensitive images. Encrypted OCI container images are a way to protect the confidentiality of container workloads, and they can be used in an enterprise setting to help you achieve workload compliance. These provide a good overview of how to protect workloads in a high assurance environment.

See the motivation of the work for more information.

Describe the solution you'd like

Solution 1: This is not a concern of Harbor

I am not so sure if this problem is really a concern of Harbor. This is why I'm throwing this issue. We can discuss and brainstorm the idea.

We can encrypt our images in the CI/CD pipeline just before the push into the container registry. And we can easily decrypt the images before deploying to the cluster.

And we should find a way to decrypt these securely after pulling the image.

Solution 2: Encrypting FS for storage instead of images

Projects like fscrypt, encfs, etc. could take care of this. But it does not solve what we want to achieve. Images are still in an unencrypted state.

Solution 3: TUF + ocicrypt

TUF was designed with the premise that all software repositories will be compromised at a certain stage, therefore it incorporates separation of signing duties techniques that make it possible to minimize the impact of a stolen private key in the environment.

The ocicrypt library is the OCI image spec implementation of container image encryption. More details of the spec can be seen in the OCI repository. The purpose of this library is to encode spec structures and consts in code, as well as provide a consistent implementation of image encryption across container runtimes and build tools.

Pipelines will push the unencrypted docker images directly into the registry. Harbor will know every Tribe's private keys. So, as soon as a new image store request is received, we encrypt the image layers using ocicrypt. The filesystem may also be encrypted, but it does not matter since any authorized person has the necessary access to pull images. Even if someone gets the target image somehow, it should not work on container runtimes. The ctr command has the ability to ask for the encryption password if the image is encrypted. See the imgcrypt project.

Just thinking... How can we put these puzzle pieces together, and make our images more secure?

Describe the main design/architecture of your solution

We @developer-guy drew the following diagram:

[Diagram: harbor_ocicrypt_tuf_v3]

Additional context
Possible related issue: #11088

Waiting for your feedback! Thanks!

@wy65701436
Contributor

Thanks for submitting, we can move the proposals to the community.

@stonezdj
Contributor

@Dentrax could you please open a PR in goharbor/community?

@Dentrax
Author

Dentrax commented Aug 31, 2021

Thanks! @wy65701436 @stonezdj Just created our first PR on goharbor/community: goharbor/community#175 🤗

@wy65701436
Contributor

Thanks, @Dentrax, we can discuss it at goharbor/community. Let me close the issue.
