BLOG POST

How To Securely Share Your Private Docker Registry With External Clients and Partners

 

June 23, 2015 | DevOps | Kevin Gilpin

 

Today Docker announced their new “Trusted Registry”, which is a commercial version of the open-source Docker Registry image storage and distribution service. Teams can run a Trusted Registry to control how their images are physically stored and enhance their ability to fully own their image distribution pipeline.

Docker Trusted Registry integrates with AD/LDAP, so that access to the registry is controlled based on your Enterprise directory.  It’s an important step forward for container security.

But, there’s much more that can be done to make Docker Registry useful in an Enterprise environment. For workflows involving programmatic access, and  Registry access from beyond the enterprise “perimeter”, Active Directory as a “source of truth” isn’t enough.

What’s needed is true “zero-trust” authentication and authorization that is production ready; granular management of access to the Docker Registry that goes beyond human access, beyond the firewall, and beyond username/password authentication.

Why should Conjur’s programmable traffic authorization platform be used to manage the Docker Registry?  Simply put, it is a stronger, more holistic approach to managing access controls.  Incoming traffic is authenticated and authorized according to user or host (machine, VM, container, code) credentials and customizable privileges via declarative, auditable policy. The resulting audit trail provides a comprehensive record of who and what has accessed the registry.

The recommended architecture for securing the Docker Registry:

 docker-registry-sdf

It’s a secure, token-based scheme which applies “zero trust” security to your Docker Registry, enabling you to grant access to all types of clients without the need to configure and manage VPNs and security groups.  We have written a detailed step-by-step guide in GitHub that will show you how to apply Conjur to your Docker Registry.

https://github.com/conjurinc/docker-registry/blob/master/README.md

This example requires Conjur to operate; but we are working on an open-source service for federated authorization that will enable anyone to apply this reference architecture. [To see how we approach problems like this, check out our open-source project Summon, which reads a secrets.yml file from source control, obtains secrets, and injects them into arbitrary processes like docker run.]

You can also find more details about Conjur can help secure Docker containers at runtime in our recent blog post Securing Docker With Secrets and Dynamic Traffic Authorization.

As always, we welcome your feedback! Find us on Twitter at @ConjurInc.

 

Share This