From 885412bf0e259a688eb4a5e03c2d482b078eb224 Mon Sep 17 00:00:00 2001 From: Steven Smith <77019920+stevsmit@users.noreply.github.com> Date: Mon, 9 Sep 2024 16:42:23 -0400 Subject: [PATCH] Adds robot account info to security docs (#1091) Co-authored-by: Steven Smith --- modules/robot-account-overview.adoc | 12 +++++++++++- tls-config/master.adoc | 18 ++++++++++++++++++ 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/modules/robot-account-overview.adoc b/modules/robot-account-overview.adoc index 99ccb0d7..897c4e6a 100644 --- a/modules/robot-account-overview.adoc +++ b/modules/robot-account-overview.adoc 
@@ -24,7 +24,17 @@ Setting up a Robot Account results in the following: * Repositories and images that the Robot Account can push and pull images from are identified. -* Generated credentials can be copied and pasted to use with different container clients, such as Docker, Podman, Kubernetes, Mesos, and so on, to access each defined repository. +* Generated credentials can be copied and pasted to use with different container clients, such as Docker, Podman, Kubernetes, Mesos, and so on, to access each defined repository. + +ifeval::["{context}" == "quay-security"] +Robot Accounts can help secure your {productname} registry by offering various security advantages, such as the following: + +* Specifying repository access. +* Granular permissions, such as `Read` (pull) or `Write` (push) access. They can also be equipped with `Admin` permissions if warranted. +* Designed for CI/CD pipelines, system integrations, and other automation tasks, helping avoid credential exposure in scripts, pipelines, or other environment variables. +* Robot Accounts use tokens instead of passwords, which provides the ability for an administrator to revoke the token in the event that it is compromised. + +endif::[] Each Robot Account is limited to a single user namespace or Organization. For example, the Robot Account could provide access to all repositories for the user `quayadmin`. However, it cannot provide access to repositories that are not in the user's list of repositories. diff --git a/tls-config/master.adoc b/tls-config/master.adoc index a3e00d67..afa6cee8 100644 --- a/tls-config/master.adoc +++ b/tls-config/master.adoc 
@@ -5,20 +5,36 @@ include::modules/attributes.adoc[] = Red Hat Quay security enhancements :context: quay-security +{productname} is built for enterprise use cases where content governance and security are two major focus areas. + This guide provides guidance for enhancing the security of your {productname} deployment. The following topics are covered: * Adjusting repository visibility +* Creating and managing robot accounts * Creating self-signed Certificate Authorities * Configuring custom SSL/TLS certificates for standalone {productname} deployments * Configuring custom SSL/TLS certificates for {productname-ocp} * Adding additional Certificate Authorities to the {productname} container * Adding additional Certificate Authorities to {productname-ocp} +* Clair vulnerability reporting //private repo include::modules/proc_use-quay-create-repo.adoc[leveloffset=+1] include::modules/adjusting-repository-visibility-via-the-ui.adoc[leveloffset=+2] include::modules/adjusting-repository-access-via-the-api.adoc[leveloffset=+2] + + +//robot accounts +include::modules/robot-account-overview.adoc[leveloffset=+1] +include::modules/creating-robot-account-v2-ui.adoc[leveloffset=+2] +include::modules/creating-robot-account-api.adoc[leveloffset=+2] +include::modules/managing-robot-account-permissions-v2-ui.adoc[leveloffset=+2] +include::modules/disabling-robot-account.adoc[leveloffset=+2] +include::modules/regenerating-robot-account-token-api.adoc[leveloffset=+2] +include::modules/deleting-robot-account-v2-ui.adoc[leveloffset=+2] +include::modules/deleting-robot-account-api.adoc[leveloffset=+2] + //creating ssl-tls-certificates include::modules/ssl-tls-quay-overview.adoc[leveloffset=+1] include::modules/ssl-create-certs.adoc[leveloffset=+2] @@ -43,4 +59,6 @@ include::modules/adding-ca-certs-to-config.adoc[leveloffset=+3] //Kubernetes include::modules/config-custom-ssl-certs-kubernetes.adoc[leveloffset=+2] +//isolated builds +
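Review bot: In the robot-account-overview.adoc hunk, the bullet "helping avoid credential exposure in scripts, pipelines, or other environment variables" overstates what a robot account provides; the robot token is still a secret that must be stored in the pipeline's secret store or an environment variable, and the actual benefit is that a human user's password is not embedded there. Suggest rewording along the lines of "* Designed for CI/CD pipelines, system integrations, and other automation tasks, so that a human user's credentials do not have to be embedded in scripts, pipelines, or environment variables." The last bullet says an administrator can "revoke the token", while the procedures this change adds to the guide are disabling the account, regenerating the token, and deleting the account; aligning the wording (for example, "regenerate the token, or revoke access by disabling or deleting the account") keeps the overview consistent with the included modules. Minor: the list mixes noun phrases ("Specifying repository access.") with full sentences, and the `-`/`+` pair on the "Generated credentials" bullet appears to be identical in content; if it is a trailing-whitespace change, dropping it keeps the diff focused on the security text.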
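Review bot: In the first tls-config/master.adoc hunk, the topic list now advertises "Clair vulnerability reporting", but no `include::modules/...` line for a Clair module is added anywhere in this change, so the guide promises a section that does not exist; either add the corresponding include or drop the bullet until that content lands. The robot account includes cover creating and deleting via both the v2 UI and the API, but managing permissions only via the v2 UI and regenerating the token only via the API; if counterpart modules exist under modules/, including them would give the section symmetric coverage, and if they do not, the asymmetry is worth a comment. The added sentence "{productname} is built for enterprise use cases where content governance and security are two major focus areas." is positioning rather than guidance; consider removing it or tying it to what the guide actually covers. Minor: two blank lines are introduced before `//robot accounts` where the surrounding sections use one.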
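Review bot: The final hunk adds `+//isolated builds` as a section comment with nothing after it, leaving a dangling placeholder and a trailing blank line at the end of master.adoc. Either add the include this comment is meant to introduce or leave the marker out of this change so the master file does not carry an empty section.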