Creating a Deployment Control Trust Manifest from the CloudControl GUI

When names are required, you can use alphanumeric characters and spaces, but no special characters except _ (underscore), - (hyphen), and . (period).

  1. From the Home tab, select Security > Trust Manifests.

  2. On the Manage Trust Manifests page, select Actions > Create Trust Manifest.

  3. On the Details tab of the Create Trust Manifest page, enter the name and optional description for the trust manifest.
  4. Select Deployment Control in the Policy Type field.
  5. In the Deployment Control Rules section, complete the following information: 

    1. In the Private Registries section, in the Allowed Registries field, enter the registries that you want to allow. The registries can be existing onboarded registries or registries that you plan to onboard. Registries that have not been onboarded are depicted with a yellow warning icon.

    2. In the Rules section, in the Signature Rule field, select Enabled or Disabled to determine whether or not to deny images when no signature is present.

    3. In the Attribute Rule field, select Enabled or Disabled to determine whether or not to evaluate using attributes, and then complete the following: 

      Field / Description

      Name
      Enter the name of the rule. The name cannot contain any special characters.

      Step 1. Exemption List (Deploy on Match)
      Select ENABLED or DISABLED to determine whether or not to use these criteria when evaluating.

      If ENABLED, use the + and - symbols to add the following criteria:

      • Image ID—Enter the image ID in SHA format to match.
      • Image Name—Enter the Name and Tag Regex to match.

      If there is a match, the image is immediately deployed, and no other deployment policy rules are evaluated.

      If there is no match, continue to the next enabled step. If there are no other steps, continue to the next rule in the deployment policy.

      Step 2. Whitelist (Deny on No Match)
      Select ENABLED or DISABLED to determine whether or not to use these criteria when evaluating.

      If ENABLED, use the + and - symbols to add the following criteria:

      • Image ID—Enter the image ID in SHA format to match.
      • Image Name—Enter the Name and Tag Regex to match.

      If there is no match, the image is immediately denied, and no other deployment policy rules are evaluated.

      If there is a match, continue to the next enabled step. If there are no other steps, continue to the next rule in the deployment policy.

      Step 3. Blacklist (Deny on Match)
      Select ENABLED or DISABLED to determine whether or not to use these criteria when evaluating.

      If ENABLED, use the + and - symbols to add the following criteria:

      • Image ID—Enter the image ID in SHA format to match.
      • Image Name—Enter the Name and Tag Regex to match.

      If there is a match, the image is immediately denied, and no other deployment policy rules are evaluated.

      If there is no match, continue to the next rule in the deployment policy.

    4. In the Vulnerabilities Rule field, select Enabled or Disabled to determine whether or not to evaluate using vulnerabilities, and then complete the following: 

      Field / Description

      Name
      Enter the name of the rule. The name cannot contain any special characters.

      Deny deployment if thresholds are exceeded
      Enter the number of high, medium, and low vulnerabilities that you are willing to allow in your deployment. Deployment is denied if the number of vulnerabilities exceeds your selected limit.

      Whitelist (Ignore thresholds for the following vulnerabilities)
      Use the drop-down list to select the vulnerabilities that you want to exclude from the threshold limit. You can search by any part of the vulnerability name, such as CVE or 2018.

      Blacklist (Always deny images with the following vulnerabilities)
      Use the drop-down list to select the vulnerabilities that will always cause deployment to be denied. You can search by any part of the vulnerability name, such as CVE or 2018.

    5. Optional. In the Public Registries section, you can add public registries whose images are deployed without any evaluation. We recommend that you leave this section enabled and do not enter any values in the Allowed Registries field.

  6. Click one of the following: 

    • Validate—Validate the draft or existing trust manifest.
    • Save—Save the trust manifest as a draft.
    • Publish—Publish the trust manifest.

    Or click the Cancel link to close the trust manifest without saving.
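The Attribute Rule steps (Exemption List, Whitelist, Blacklist) and the Vulnerabilities Rule from steps 3 and 4 above, worked through as a small policy evaluator so the short-circuit order is explicit. This is an added example, not CloudControl's own code; the class and function names, the severity labels, and the sample whitelist/blacklist values are assumptions.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Added illustration of the evaluation order described above. Class and field
# names are assumptions, not CloudControl's own API or data model.

class Criteria:
    """One step's entries: image ID (SHA digest) or Name/Tag regex pairs."""
    def __init__(self, image_ids=(), name_tag_regexes=()):
        self.image_ids: Set[str] = set(image_ids)
        self.name_tag_regexes: List[Tuple[str, str]] = list(name_tag_regexes)

    def matches(self, image_id: str, name: str, tag: str) -> bool:
        if image_id in self.image_ids:
            return True
        return any(re.fullmatch(n, name) and re.fullmatch(t, tag)
                   for n, t in self.name_tag_regexes)

def evaluate_attribute_rule(exemption: Optional[Criteria], whitelist: Optional[Criteria],
                            blacklist: Optional[Criteria],
                            image_id: str, name: str, tag: str) -> str:
    """Steps 1-3 in order; a DISABLED step is passed as None.
    Returns DEPLOY, DENY or NEXT_RULE (hand off to the next rule in the policy)."""
    if exemption and exemption.matches(image_id, name, tag):
        return "DEPLOY"      # Step 1: deploy on match, nothing else is evaluated
    if whitelist and not whitelist.matches(image_id, name, tag):
        return "DENY"        # Step 2: deny on no match
    if blacklist and blacklist.matches(image_id, name, tag):
        return "DENY"        # Step 3: deny on match
    return "NEXT_RULE"

def evaluate_vulnerability_rule(thresholds: Dict[str, int], whitelist: Set[str],
                                blacklist: Set[str], findings: Dict[str, str]) -> str:
    """findings maps vulnerability name -> severity ('high', 'medium' or 'low')."""
    if blacklist.intersection(findings):
        return "DENY"        # a blacklisted vulnerability always denies
    counts = {"high": 0, "medium": 0, "low": 0}
    for vuln, severity in findings.items():
        if vuln not in whitelist:    # whitelisted entries are ignored for thresholds
            counts[severity] += 1
    if any(counts[s] > thresholds.get(s, 0) for s in counts):
        return "DENY"        # a threshold was exceeded
    return "NEXT_RULE"

# Constructed sample policy: only the internal nginx 1.x line is whitelisted and
# one digest is blacklisted (placeholder values, not real images or CVEs).
WHITELIST = Criteria(name_tag_regexes=[(r"internal/nginx", r"1\.\d+")])
BLACKLIST = Criteria(image_ids={"sha256:PLACEHOLDER-BAD-DIGEST"})
```

Note that a whitelist match does not protect an image from a later blacklist step, and a blacklisted vulnerability denies regardless of how generous the thresholds are.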