Security (15% of exam)

Content may include the following:

  • Describe the process of signing an image
  • Demonstrate that an image passes a security scan
  • Enable Docker Content Trust
  • Configure RBAC in UCP
  • Integrate UCP with LDAP/AD
  • Demonstrate creation of UCP client bundles
  • Describe default engine security
  • Describe swarm default security
  • Describe MTLS
  • Identity roles
  • Describe the difference between UCP workers and managers
  • Describe process to use external certificates with UCP and DTR

Questions:

What is DCT?

Through DCT, image publishers can sign their images and image consumers can ensure that the images they use are signed.

What does DCT stand for?

Docker Content Trust

What is the command to generate delegation keys?

docker trust generate key

How to load existing keys, if you already have any?

docker trust key load

How to sign a particular tag and push it up to the registry?

docker trust sign dtr.example.com/admin/demo:1

How to enable Docker Content Trust so that images are signed automatically when you use docker push?

export DOCKER_CONTENT_TRUST=1

How to inspect remote trusted data for a tag?

docker trust inspect

How to remove remote trusted data for a tag?

docker trust revoke

What is a grant?

A grant defines who has how much access to a set of resources.

What is the subject?

A subject can be a user, team, or organization and is granted a role for a set of resources.

What is the role?

A role is a set of permitted API operations that you can assign to a specific subject and collection by using a grant.

What is a Client Bundle?

A client bundle is a group of certificates downloadable directly from the Docker Universal Control Plane (UCP) user interface, in the "My Profile" section. It allows you to authorize a remote Docker engine to a specific user account managed in Docker EE, inheriting all associated RBAC controls in the process. You can then execute docker swarm commands from your remote machine that take effect on the remote cluster.

What is the easiest way to access or control the UCP?

Client Bundle

What is the kernel feature that isolates the processes running in different containers?

Namespaces

Which kernel feature limits the resources used by docker containers?

Control Groups

Which kernel feature needs extra configuration?

user

Is Docker swarm secure by default?

yes