Azure-docs: Missing (or cannot find) docs

Created on 11 Mar 2019 · 12 comments · Source: MicrosoftDocs/azure-docs

In the "Use a trusted registry" section there is this text:
For additional security, you can also digitally sign your container images just like you can digitally sign your application code. You then only permit AKS to deploy signed images.

But I cannot find any documentation on how to configure AKS to only allow signed images from ACR.
Hope you can help me out with this.

With kind regards,

Bram



Labels: assigned-to-author, container-service/svc, product-question, triaged

All 12 comments

Thanks for the feedback! We are currently investigating and will update you shortly.

@iainfoulds I tried looking but could not find any doc on this. Are you aware of a doc that shares the details on this? Thanks :)

It's not really a Kubernetes function; rather, it's a matter of enabling the DOCKER_CONTENT_TRUST environment variable on the host for the container runtime. Currently, there are no specific steps to enable this using the AKS tooling, hence no supporting docs. The AKS and ACR PM teams are discussing how to enable this as part of an AKS configuration option.

  • @SteveLas and @seanmck from the PM teams: if you have specific scenarios you're looking at here, that would help them understand the best approach to making it an option as part of the AKS configuration.

@bramvdklinkenberg Any update? Please share if you have specific scenarios so that our product team can help.
@iainfoulds Do you think we should update the doc to remove the statement where it says "You then only permit AKS to deploy signed images"? Thanks for your help. :)

@seanmck, can each node have the DOCKER_CONTENT_TRUST env be set as part of the initial deployment? Or ssh in and configure each node? Would that work?

Setting it on the initial deployment will require a property on the AKS node pool API model that we can pass through to configure the VM, which is the solution we've been discussing. You can also SSH in and set it, but any time you upgrade/scale and get new nodes, you'll be back to the standard configuration, which doesn't have it.

Ahh, the scale scenario. I didn't think about that. When you scale, is there a way to define the VM configuration, or a different VM definition that has it already defined? Or, Steve: _"just step back and let you figure this out"_ :)

Create/scale/upgrade all result in the same thing: new nodes with a standard base image, which cannot be configured. The right solution here is a property on the node pool that automatically gets flowed down to its child nodes. I don't believe it should be that expensive, so basically yeah, step back. :)
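The node-side setting the comments above discuss, as an added example (this is not code from the thread, nor from the AKS or ACR tooling). DOCKER_CONTENT_TRUST=1 is read by the docker CLI: with it set, `docker pull` resolves a tag through the registry's Notary service and pulls the signed digest, and an unsigned tag fails instead of pulling. Two caveats a practitioner should keep in mind: as noted above, anything written to a node is lost when scale or upgrade replaces it with a fresh base image, and because the setting is honoured by the CLI rather than the daemon, image pulls the kubelet makes through the runtime API are not gated by it. The file path DCT_ENV_FILE is an assumption, not an AKS convention.

```shell
#!/bin/sh
# Added example, not code from the azure-docs thread or from AKS/ACR.
# Persist DOCKER_CONTENT_TRUST=1 on a node, report whether it is in
# effect, and pull an image with content trust forced on.
# DCT_ENV_FILE is an assumed location; override it if your image differs.

DCT_ENV_FILE="${DCT_ENV_FILE:-/etc/profile.d/docker-content-trust.sh}"

# Write an env snippet that login shells source. Idempotent: rewriting
# the same two lines leaves the node in the same state.
enable_content_trust() {
  mkdir -p "$(dirname "$DCT_ENV_FILE")" || return 1
  printf '%s\n' \
    '# Refuse to pull or run unsigned images via the docker CLI' \
    'export DOCKER_CONTENT_TRUST=1' > "$DCT_ENV_FILE"
}

# Remove the persisted setting again (e.g. during a rollback).
disable_content_trust() {
  rm -f "$DCT_ENV_FILE"
}

# Exit 0 if content trust is enforced either in the calling shell or by
# the persisted snippet; exit 1 otherwise.
content_trust_enabled() {
  if [ "${DOCKER_CONTENT_TRUST:-0}" = "1" ]; then
    return 0
  fi
  if [ -r "$DCT_ENV_FILE" ] && grep -qx 'export DOCKER_CONTENT_TRUST=1' "$DCT_ENV_FILE"; then
    return 0
  fi
  return 1
}

# Pull one image with content trust forced on, regardless of the caller's
# environment. ACR serves Notary on the registry host itself, so no
# DOCKER_CONTENT_TRUST_SERVER is needed for an ACR image such as
# myregistry.azurecr.io/app:1.0 (a placeholder name). An unsigned tag
# makes docker exit non-zero instead of pulling.
trusted_pull() {
  image="$1"
  [ -n "$image" ] || { echo "usage: trusted_pull <image>" >&2; return 2; }
  DOCKER_CONTENT_TRUST=1 docker pull "$image"
}
```

Run `enable_content_trust` once per node (and again after every scale or upgrade, since new nodes start from the standard image), and use `content_trust_enabled` as a quick audit of whether a node still carries the setting. `trusted_pull` is for interactive or scripted pulls on the node; it does not change how the kubelet pulls images for pods.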

@Karishma-Tiwari-MSFT at the company I work at we are looking into using Aqua (image scanning) in combination with Azure CR. It is nice that you can sign the images, but it doesn't prevent using (unsigned) images from other registries.
The documentation "You then only permit AKS to deploy signed images" makes it look like this option is possible in AKS. It would be nice to enforce signed images from ACR on AKS.

@bramvdklinkenberg
Thanks for the feedback! I have assigned the issue to the content author to investigate further and update the document as appropriate.

As this work is still on-going in AKS, the best practice recommendation has been removed from the docs to reduce confusion. When AKS natively supports Docker content trust, we'll update the docs accordingly.

@Karishma-Tiwari-MSFT For now, #please-close

Thanks @iainfoulds
@bramvdklinkenberg
Thanks for bringing this to our attention. We will now close this issue. If there are further questions regarding this matter, please tag me in a comment. I will reopen it and we will gladly continue the discussion.
