Registry trust & allowed sources

Pin who you pull from, not just what.

Advanced10 min · lesson 15 of 18

Verifying signatures answers "is this the artifact we built?" — but you also need to control where images come from at all. An allowed-registries policy restricts workloads to pulling only from registries you trust (your internal registry, specific vetted mirrors), so a compromised manifest cannot pull an attacker’s image from a random public registry. It is a blunt but essential control: even before signature checks, the set of places an image may originate should be a short, deliberate list.

Why "signed" is not enough without "from where"

Signature verification and registry restriction cover different holes, and you need both. Verifying the signer identity stops an unsigned or wrong-identity image; restricting the registry stops an image pulled from somewhere you do not control, and closes the gap where an attacker signs their own malicious image with their own valid identity from their own registry. The complete rule is "signed by our CI identity AND pulled from our registry AND carrying the required provenance" — three assertions, because an attacker only needs the one you left out.

Control the registry itself

The trusted registry is infrastructure to secure, not just point at. Run a private registry (Harbor, Artifactory) as the single source for production images, use it as a pull-through cache so an upstream outage or a poisoned public image does not reach you unfiltered, and enforce that images are scanned and signed before they can be tagged for production. Some registries can themselves verify signatures and block vulnerable images on push. The registry is both the choke point you restrict pulls to and a place to enforce policy in its own right.

terminal
# defense in depth at the registry choke point:
# - admission policy: pull only from registry.acme.internal/* (allowed sources)
# - the registry: scan-on-push, block on CRITICAL, require a signature to promote to "prod"
# - pull-through cache for public deps, so nothing pulls straight from the internet
A pull from anywhere is a trust decision you did not make
If workloads can pull from any registry, then every public registry’s security is now part of your attack surface — a typosquatted or backdoored public image is one manifest edit away from production. Pin the allowed sources to your own registry (and named, vetted mirrors), route public dependencies through a scanning pull-through cache, and make "where can our images come from?" a short list you decided on purpose.