Container Service for Kubernetes: kritis-validation-hook

Last Updated: Sep 06, 2024

kritis-validation-hook is a key component that is used to verify the signatures of container images. This topic describes the features, usage notes, and release notes for kritis-validation-hook.

Introduction

kritis-validation-hook is a key component that is used to verify the signatures of container images. You can use the signature verification feature to ensure that only images signed by trusted authorities are deployed. This reduces the risk of malicious code execution. For more information about kritis-validation-hook, see Introduction to kritis-validation-hook.

Usage notes

For more information about how to work with kritis-validation-hook, see Use kritis-validation-hook to automatically verify the signatures of container images.

Release notes

August 2024

Version number: v0.11.0.0-gf0617391-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/kritis-server:v0.11.0.0-gf0617391-aliyun
Release date: 2024-08-29
Description: This version is in canary release.
  • Configuring RAM Roles for Service Accounts (RRSA) authentication during the installation and upgrade of the component is supported.
  • Signatures of images can be verified when you create and update StatefulSet, Job, CronJob and ReplicationController resources.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

July 2024

Version number: v0.10.0.0-gde6f9437-aliyun
Image address: registry-cn-hangzhou.ack.aliyuncs.com/acs/kritis-server:v0.10.0.0-gde6f9437-aliyun
Release date: 2024-07-04
Description:
  • Signatures of images used by ephemeral containers can be verified.
  • Signatures of images can be verified when you create and update Deployment, DaemonSet and ReplicaSet resources.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

April 2023

Version number: v0.9.0.0-gb7aa45c7-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.9.0.0-gb7aa45c7-aliyun
Release date: 2023-04-17
Description: Kubernetes 1.26 is supported.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

August 2022

Version number: v0.8.0.4-g61d3531e-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.8.0.4-g61d3531e-aliyun
Release date: 2022-08-05
Description:
  • Signature verification in large-scale clusters is accelerated.
  • ACK Serverless clusters that run Kubernetes 1.22 are supported.
  • RRSA can be used to grant Resource Access Management (RAM) permissions to kritis-validation-hook. By default, ACK Serverless clusters use this method.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

December 2021

Version number: v0.6.0.5-gce1cc2d-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.6.0.5-gce1cc2d-aliyun
Release date: 2021-12-17
Description: Kubernetes 1.22 is supported. v0.6.0.5-gce1cc2d-aliyun and later versions support only Kubernetes 1.16 and later.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

November 2021

Version number: v0.5.0.6-g525daee-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.5.0.6-g525daee-aliyun
Release date: 2021-11-15
Description:
  • A new image signature format is supported by Container Registry.
  • The ARM64 architecture is supported.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

June 2021

Version number: v0.4.0.1-gb2862c4-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.4.0.1-gb2862c4-aliyun
Release date: 2021-06-10
Description: New feature: kritis-validation-hook can be installed in registered clusters.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

March 2021

Version number: v0.3.1.4-ga89b624-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.3.1.4-ga89b624-aliyun
Release date: 2021-03-24
Description: New feature: The signatures of images stored in repositories whose names contain forward slashes (/) can be verified.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

November 2020

Version number: v0.2.7.2-g5fa671a-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.7.2-g5fa671a-aliyun
Release date: 2020-11-24
Description: The signature verification whitelist feature is supported. kritis-validation-hook does not verify the signatures of images that are included in a signature verification whitelist.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

Version number: v0.2.6.4-g94b0940-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.6.4-g94b0940-aliyun
Release date: 2020-11-16
Description: New features: Signature verification is supported for Container Service for Kubernetes (ACK) images whose versions are immutable. For more information, see Configure a repository to be immutable.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

August 2020

Version number: v0.2.5.26-g75d5297-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.5.26-g75d5297-aliyun
Release date: 2020-08-12
Description:
  • If a container image fails to pass signature verification, a cluster event is generated in the kube-system namespace. The cause of the event is FailedKritisAdmission.
  • The dry run mode is supported. By default, this mode is disabled.
    If the dry run mode is enabled, container images that fail to pass signature verification can be deployed. If an image that fails to pass signature verification is deployed, a cluster event is generated in the kube-system namespace. The cause of the event is DryRunKritisAdmission.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

June 2020

Version number: v0.2.4.1-ge5c1265-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.4.1-ge5c1265-aliyun
Release date: 2020-06-22
Description: The signatures of Container Registry images stored in regions other than the current region can be verified.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

April 2020

Version number: v0.2.3.1-00e70883-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.3.1-00e70883-aliyun
Release date: 2020-04-07
Description: Performance is improved and log content is optimized.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

March 2020

Version number: v0.2.2.3-fe8a6319-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.2.3-fe8a6319-aliyun
Release date: 2020-03-18
Description: kritis-validation-hook is integrated with Container Registry. You can verify the signatures of images that are signed by Key Management Service (KMS). This ensures that only trusted images are deployed in ACK clusters.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.