Podman image trust

Basics

  1. Changes from these commands are written to /etc/containers/policy.json
  2. There is no per-user configuration; all controls are global
  3. A repository can also be restricted to GPG-signed images only, verified against a specific public key
  4. Terminology for docker.io/redhat/ubi8 - registry/repository/image

Create registry whitelist

This rejects everything by default, then rejects all of docker.io, and only then permits a single image. Omitting the image name would permit or reject a whole repository instead.

sudo podman image trust set -t reject default
sudo podman image trust set -t reject docker.io
sudo podman image trust set -t accept docker.io/redhat/ubi8
sudo podman image trust show

Result

> podman image trust show
TRANSPORT   NAME                   TYPE        ID          STORE
all         default                reject
repository  docker.io              reject
repository  docker.io/redhat/ubi8  accept

> podman pull redhat/ubi8
✔ docker.io/redhat/ubi8:latest
Trying to pull docker.io/redhat/ubi8:latest...
Getting image source signatures
Copying blob 95141d380d54 done
Copying config 75162cd9f6 done
Writing manifest to image destination
Storing signatures
75162cd9f635fcffe35bb260ef3fd912f1e5d73524361e9622bdd81b2cb94a3d

> podman pull redhat/ubi7
✔ docker.io/redhat/ubi7:latest
Trying to pull docker.io/redhat/ubi7:latest...
Error: initializing source docker://redhat/ubi7:latest: reading manifest latest in docker.io/redhat/ubi7: errors:
denied: requested access to the resource is denied
unauthorized: authentication required
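The following is an added example, not part of the original notes or of Podman itself: it embeds a constructed policy.json equivalent to the three commands above and evaluates which scope applies to a reference the way the docker transport's policy lookup works (most specific scope first, then the transport fallback, then default). It assumes `-t accept` is stored as insecureAcceptAnything, and the short-name expansion mirrors the docker.io resolution seen in the pulls above; wildcard scopes are not modeled.

```python
import json

# Constructed policy.json equivalent to the three `podman image trust set`
# commands above (assumption: `-t accept` is stored as insecureAcceptAnything).
POLICY_JSON = """{
  "default": [{"type": "reject"}],
  "transports": {"docker": {
    "docker.io": [{"type": "reject"}],
    "docker.io/redhat/ubi8": [{"type": "insecureAcceptAnything"}]
  }}
}"""

def load_policy(text=POLICY_JSON):
    return json.loads(text)

def normalize(ref):
    """Expand a short name as the pulls above did: redhat/ubi8 -> docker.io/redhat/ubi8:latest."""
    parts = ref.split("/")
    if len(parts) == 1:
        parts = ["docker.io", "library"] + parts
    elif "." not in parts[0] and ":" not in parts[0] and parts[0] != "localhost":
        parts = ["docker.io"] + parts
    if ":" not in parts[-1] and "@" not in parts[-1]:
        parts[-1] += ":latest"
    return "/".join(parts)

def scopes_for(ref):
    """Scopes a docker:// reference is matched against, most specific first:
    full reference, repository, each parent namespace, registry."""
    scopes = [ref]
    name = ref.split("@", 1)[0]                    # drop @sha256:... digest
    head, sep, last = name.rpartition("/")
    name = head + sep + last.split(":", 1)[0]      # drop :tag
    while name:
        if name != scopes[-1]:
            scopes.append(name)
        name = name.rpartition("/")[0]
    return scopes

def decide(policy, ref):
    """Policy outcome for a reference: 'reject', 'accept' or 'verify-signature'."""
    docker = policy.get("transports", {}).get("docker", {})
    # first matching scope wins; "" is the transport-level fallback, then default
    reqs = next((docker[s] for s in scopes_for(ref) if s in docker),
                docker.get("", policy["default"]))
    types = {r["type"] for r in reqs}
    if "reject" in types:
        return "reject"
    if "signedBy" in types:
        return "verify-signature"   # allowed only if the GPG signature check passes
    return "accept"
```

Note that the ubi7 error above is raised while initializing the source (reading the manifest), which happens before the policy is consulted; an image refused by policy.json fails with a "rejected by policy" error instead.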

Recover a broken JSON file

sudo rm /etc/containers/policy.json
sudo podman image trust set -t accept default