All Products
Search
Document Center

Container Service for Kubernetes:Use kritis-validation-hook to automatically verify the signatures of container images

Last Updated:Sep 04, 2024

This topic describes how to use Container Registry, Key Management Service (KMS), Security Center, and kritis-validation-hook to automatically verify the signatures of container images. This allows you to deploy only container images that have been signed by trusted authorities. This also reduces the risk of malicious code execution in your environment.

Step 1: Install kritis-validation-hook

  1. Log on to the ACK console. In the left-side navigation pane, click Clusters.

  2. On the Clusters page, find the cluster that you want to manage and click its name. In the left-side navigation pane, choose Operations > Add-ons.

  3. On the Add-ons page, click the Security tab, find the kritis-validation-hook component, and then click Install.

  4. Authorize your cluster to run kritis-validation-hook.

    You must grant your cluster the permissions to run kritis-validation-hook. For more information, see Authorize a cluster to access resources.

Step 2: Create a key that is used to sign images in the KMS console

For more information about how to create a CMK, see Manage a key.

Important

When you create a key, set Key Spec to RSA_2048 and Purpose to Sign/Verify.

Step 3: Create a witness that uses the key in the Security Center console

  1. Log on to the Security Center console. In the top navigation bar, select the region of the asset that you want to manage. The following regions are supported: China and Outside China.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Signature.

  3. On the Witness tab, click Create a witness. After the configuration is complete, click OK.

    Parameter

    Description

    Witness

    Enter the name of the witness. When you configure a security policy, you must select a witness to enable the container signature feature for the required container. We recommend that you enter an informative name.

    Select a certificate

    Select the KMS CMK that you created from the certificate list.

    Description

    Enter the description of the witness.

Step 4: Enable image signing in Container Registry

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, find the Enterprise Edition instance that you want to manage and click the instance name or click Manage.

    Note

    To add an Enterprise Edition instance, click Create ACR EE and set Instance Type to Advanced.

  5. In the left-side navigation pane of the details page, choose Repository > Namespaces.

    Create a namespace and enable image signing for images in the namespace. For more information, see Manage namespaces.

  6. Enable image signing for the namespace that you created.

    When you create signature signing rules, select the witness that you created in Step 3.

    1. In the left-side navigation pane, choose Security and Trust > Image Signature.

    2. On the Image Signature tab, click Create a signature rule.

      For more information about how to configure signature signing rules, see Configure a signature rule for automatic image signing.

Step 5: Enable signature verification in Security Center

To enable signature verification for a namespace, add and enable a security policy for the cluster in the Security Center console.

  1. Log on to the Security Center console.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Signature.

  3. On the Security Policy tab, click Add Policy. After you configure the parameters, click OK.

    Parameter

    Description

    Policy Name

    Enter the name of the security policy. When you configure a security policy, you must select a witness to enable the container feature for the required cluster.

    We recommend that you enter an informative name.

    Witness

    Select the witness that you created from the witness list.

    Application Cluster

    Select the cluster group for which you want to enable the container signature feature. Then, select the required Cluster Namespace.

    Policy Enabled

    Turn on the switch. The policy is automatically enabled after it is created.

    Note

    The switch is turned off by default. In this case, the policy does not take effect after it is created.

    Note

    Enter the description of the security policy.

Step 6: Check whether signature verification is enabled

Note

If the repository is not configured to be immutable, only images in digest format are supported. For more information about how to configure a repository to be immutable, see Configure a repository to be immutable.

Run the following command to check whether signature verification is enabled.

  • After signature verification is enabled for the default namespace, unsigned images cannot be deployed in the namespace.

    To specify an image by tag, run the following command:

    kubectl -n default create deployment not-sign --image=alpine:3.11 -- sleep 10
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine:3.11 is not attested

    To specify an image by digest, run the following command:

    kubectl -n default create deployment not-sign --image=alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 is not attested
  • Push an image to a namespace where image signature signing is enabled. Then, verify that the image can be deployed after the image is signed.

    docker push kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine:3.11
    The push refers to repository [kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine]
    5216338b40a7: Pushed
    3.11: digest: sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 size: 528

    To accept requests to deploy signed images, run the following command:

    kubectl -n default create deployment is-signed --image=kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
    deployment.apps/is-signed created

References