This repository has been archived by the owner on Jan 8, 2024. It is now read-only.

Adding image id for verification of task being launched #49

Closed
anuragagarwal561994 opened this issue Jan 19, 2018 · 1 comment

Comments


anuragagarwal561994 commented Jan 19, 2018

I was trying to build something similar, but in general, instead of verifying from the orchestrator whether a task has been launched with the given name, I was trying to use the image ID of the container being launched.

If the two can be combined:

  1. If the given service or task has been launched
  2. The task has been launched with the given image ID

Then it would be more secure to deliver the correct secrets to the correct containers. Which secrets are to be delivered usually depends on the image, and suppose a task with the same name is launched with a different image: the secrets can be restricted from being made available.

This approach might introduce some more work on the side of the secrets manager, because every time an image is updated the image ID will change and so the person has to change the Vault configuration, but this will also prevent leaking secrets into containers that no longer require them.

Or at least this can be controlled via a flag so that in development mode one can avoid changing the image IDs time and again.

@nemosupremo
Owner

In the current version of Gatekeeper, you can use the --use-image-name option to have your policy names be defined by the Docker image running in the task. For example, with a policy file such as:

{
	"mesos:myorg/myimage:v1":{
		"roles":["sample"],
		"num_uses":1
	}
}

you can limit tokens to only the myorg/myimage:v1 image. Or you can go broader with something like:

{
	"mesos:myorg/myimage:*":{
		"roles":["sample"],
		"num_uses":1
	}
}

which will deliver a token to any myorg/myimage of any version.
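As an added example (not Gatekeeper's code, and not from either participant in this thread), here is a small Go policy matcher in the spirit of the --use-image-name policy file quoted above. The "mesos:" key prefix and the "*" wildcard are taken from the reply; the matching rules (a "*" matches any run of characters, the most specific matching key wins) are assumptions for illustration, as is the digest-keyed entry, which extends the idea to what the issue opener asks for: a key that binds to image content rather than to a mutable tag. All policies and image references below are constructed sample data.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy mirrors the entries of the policy file quoted in the thread:
// the key ("mesos:<image>") plus the roles and use count it grants.
type Policy struct {
	Key     string
	Roles   []string
	NumUses int
}

// policyImagePattern strips the "mesos:" scheme prefix from a policy key.
// Keys without that prefix are ignored by this example (an assumption).
func policyImagePattern(key string) (string, bool) {
	if !strings.HasPrefix(key, "mesos:") {
		return "", false
	}
	return strings.TrimPrefix(key, "mesos:"), true
}

// globMatch reports whether s matches pattern, where "*" matches any run
// of characters (including none). This is the assumed wildcard semantics.
func globMatch(pattern, s string) bool {
	parts := strings.Split(pattern, "*")
	if len(parts) == 1 {
		return pattern == s
	}
	if !strings.HasPrefix(s, parts[0]) {
		return false
	}
	s = s[len(parts[0]):]
	last := parts[len(parts)-1]
	if !strings.HasSuffix(s, last) {
		return false
	}
	s = s[:len(s)-len(last)]
	// Middle pieces must appear in order in what is left.
	for _, mid := range parts[1 : len(parts)-1] {
		i := strings.Index(s, mid)
		if i < 0 {
			return false
		}
		s = s[i+len(mid):]
	}
	return true
}

// specificity ranks patterns: more literal characters means more specific,
// so an exact "myorg/myimage:v1" beats "myorg/myimage:*".
func specificity(pattern string) int {
	return len(pattern) - strings.Count(pattern, "*")
}

// SelectPolicy returns the most specific policy whose key matches the
// image reference a task was launched with, or false if none matches.
func SelectPolicy(policies []Policy, image string) (Policy, bool) {
	var best Policy
	bestScore := -1
	for _, p := range policies {
		pat, ok := policyImagePattern(p.Key)
		if !ok || !globMatch(pat, image) {
			continue
		}
		if score := specificity(pat); score > bestScore {
			best, bestScore = p, score
		}
	}
	return best, bestScore >= 0
}

// IsDigestPinned reports whether an image reference names content by
// sha256 digest ("repo@sha256:<hex>") rather than by a mutable tag.
func IsDigestPinned(image string) bool {
	return strings.Contains(image, "@sha256:")
}

func main() {
	// Constructed sample policies: the two from the thread plus a digest key.
	policies := []Policy{
		{Key: "mesos:myorg/myimage:v1", Roles: []string{"sample"}, NumUses: 1},
		{Key: "mesos:myorg/myimage:*", Roles: []string{"sample"}, NumUses: 1},
		{Key: "mesos:myorg/myimage@sha256:" + strings.Repeat("ab", 32), Roles: []string{"pinned"}, NumUses: 1},
	}
	for _, img := range []string{
		"myorg/myimage:v1",
		"myorg/myimage:v2",
		"otherorg/tool:v1",
		"myorg/myimage@sha256:" + strings.Repeat("ab", 32),
	} {
		p, ok := SelectPolicy(policies, img)
		fmt.Printf("%-90s pinned=%-5v policy=%q ok=%v\n", img, IsDigestPinned(img), p.Key, ok)
	}
}
```

A tag such as v1 is a mutable pointer in a Docker registry and can be re-pushed, so a tag-keyed policy trusts whoever can push to that repository; a digest key changes on every rebuild, which is exactly the operational cost the issue opener describes as the price of binding secrets to image content.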
