In this section, we will consider a trusted environment where DOCKER_CONTENT_TRUST is enabled for all actions. This ensures that images built in that environment are always signed, that every image pushed or pulled is signed, and that we only run containers based on trusted images.
It is worth adding CI/CD orchestration tools to these processes, because it is not easy to disallow untrusted content without some external system or higher-level security policy. If we set DOCKER_CONTENT_TRUST so that only signed content is accepted, but users are still allowed to interact with the Docker host directly, they can disable this feature at the command line, since the variable only affects their own client session.
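Because the DOCKER_CONTENT_TRUST variable is a client-side setting, a pipeline that wants to guarantee "only run containers based on trusted images" has to verify signatures itself rather than rely on every user's shell. The following script is an added example, not code from the book or from Docker: it checks that the pipeline's own environment has content trust enabled, then reads the output of `docker trust inspect` for a repository and refuses to deploy a tag unless it was signed by an approved signer. The JSON is a constructed sample laid out like the real `docker trust inspect` output; the repository name `registry.example.com/app/web`, the signer name `ci-signer` and the digests are assumptions.

```python
"""Pre-deploy gate for Docker Content Trust (added example, not from the book).

It combines two checks a CI job would run before `docker run`:
  1. DOCKER_CONTENT_TRUST is enabled in the job's own environment, so the
     pull that follows is itself a trusted pull.
  2. The requested tag appears in `docker trust inspect` output and is signed
     by a signer the team has approved, not merely by anyone with a key.
"""
import json
import os
import subprocess

# Constructed sample shaped like `docker trust inspect registry.example.com/app/web`.
# Repository, signer and digest values are assumptions, not real artefacts.
SAMPLE_INSPECT = json.dumps([{
    "Name": "registry.example.com/app/web",
    "SignedTags": [
        {"SignedTag": "1.4.0", "Digest": "a1b2c3d4" * 8, "Signers": ["ci-signer"]},
        {"SignedTag": "1.5.0-rc1", "Digest": "e5f6a7b8" * 8, "Signers": ["Repo Admin"]},
    ],
    "Signers": [{"Name": "ci-signer", "Keys": [{"ID": "0123456789abcdef"}]}],
    "AdministrativeKeys": [
        {"Name": "Repository", "Keys": [{"ID": "fedcba9876543210"}]},
        {"Name": "Root", "Keys": [{"ID": "1111222233334444"}]},
    ],
}])


def content_trust_enabled(env=None) -> bool:
    """True if the environment enables Docker Content Trust.

    "1" is the documented setting; the CLI parses the value as a boolean, so
    "true" is accepted here as well.
    """
    env = os.environ if env is None else env
    return env.get("DOCKER_CONTENT_TRUST", "").strip().lower() in ("1", "true")


def signers_for_tag(inspect_output: str, tag: str) -> list:
    """Return the signer names recorded for `tag`, or [] if the tag is unsigned."""
    for repo in json.loads(inspect_output):
        for signed in repo.get("SignedTags", []):
            if signed.get("SignedTag") == tag:
                return list(signed.get("Signers", []))
    return []


def is_trusted(inspect_output: str, tag: str, approved_signers) -> bool:
    """Gate decision: the tag must be signed, and at least one signer must be
    on the approved list.  An unsigned tag or a tag signed only by unknown
    keys is rejected."""
    signers = signers_for_tag(inspect_output, tag)
    return any(s in approved_signers for s in signers)


def live_inspect(repository: str) -> str:
    """Run the real `docker trust inspect` for a repository (needs a Docker CLI).
    Not exercised by the offline sample above."""
    return subprocess.run(
        ["docker", "trust", "inspect", repository],
        check=True, capture_output=True, text=True,
    ).stdout


if __name__ == "__main__":
    approved = {"ci-signer"}
    if not content_trust_enabled():
        raise SystemExit("refusing to deploy: DOCKER_CONTENT_TRUST is not enabled")
    for tag in ("1.4.0", "1.5.0-rc1", "2.0.0"):
        verdict = "deploy" if is_trusted(SAMPLE_INSPECT, tag, approved) else "REJECT"
        print(f"{tag:12} signers={signers_for_tag(SAMPLE_INSPECT, tag)} -> {verdict}")
```

Run with `DOCKER_CONTENT_TRUST=1 python gate.py` to see the sample verdicts; in a real pipeline, replace `SAMPLE_INSPECT` with `live_inspect(repository)`. The design point is that the approved-signer list lives in the pipeline, so a developer who runs the Docker client without content trust cannot get an unsigned or self-signed tag past this step.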
Automation is key in production environments, although Docker Enterprise provides other methods, which we will discuss later on in Chapter 12, Universal Control Plane. Kubernetes also provides features to enforce the use of trusted content, but this topic...