kritis-validation-hook is a key component that is used to verify image signatures. This topic describes the features, usage notes, and release notes for kritis-validation-hook.

Introduction

kritis-validation-hook is a key component that is used to verify image signatures. You can use signature verification to ensure that only images signed by trusted authorities are deployed. This reduces the risk of malicious code execution. For more information about kritis-validation-hook, see Introduction to kritis-validation-hook.

Usage notes

For more information about how to use kritis-validation-hook, see Use kritis-validation-hook to automatically verify the signatures of container images.

Release notes

November 2021

Version: v0.5.0.6-g525daee-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.5.0.6-g525daee-aliyun
Release date: 2021-11-15
Description: This image version is in canary release.
  • The new digital image signature format of Container Registry is supported.
  • The ARM64 architecture is supported.
Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.

June 2021

Version: v0.4.0.1-gb2862c4-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.4.0.1-gb2862c4-aliyun
Release date: 2021-06-10
Description: New feature: kritis-validation-hook can be installed in registered Kubernetes clusters.
Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.

March 2021

Version: v0.3.1.4-ga89b624-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.3.1.4-ga89b624-aliyun
Release date: 2021-03-24
Description: New features: Images from repositories whose names contain forward slashes (/) are supported.
Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.

November 2020

Version: v0.2.7.2-g5fa671a-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.7.2-g5fa671a-aliyun
Release date: 2020-11-24
Description: The image verification whitelist feature is supported. When kritis-validation-hook verifies image signatures, the signatures of the images that are included in the whitelist are not verified.
Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.

Version: v0.2.6.4-g94b0940-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.6.4-g94b0940-aliyun
Release date: 2020-11-16
Description: New features: Signature verification is supported for Container Service for Kubernetes (ACK) images whose image versions are immutable. For more information, see Configure a repository to be immutable.
Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.

August 2020

Version: v0.2.5.26-g75d5297-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.5.26-g75d5297-aliyun
Release date: 2020-08-12
Description:
  • If a container image fails to pass the signature verification, a cluster event is generated in the kube-system namespace. The cause of this failure is FailedKritisAdmission.
  • The dry run mode is supported. By default, this mode is disabled.

    When the dry run mode is enabled, container images that fail to pass the signature verification can be deployed. If an image that fails to pass the signature verification is deployed, a cluster event is generated in the kube-system namespace. The cause of this event is DryRunKritisAdmission.

Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.
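
The two event causes above can be triaged from the output of kubectl get events -n kube-system -o json. The following is an added example, not code from kritis-validation-hook or its documentation. It assumes that the cause appears in the standard Kubernetes Event "reason" field; the sample events, their message text and the function names are constructed for illustration.

```python
import json

# Reasons named in the release notes. Reading them from the Event object's
# "reason" field is an assumption of this example.
BLOCKED, DRY_RUN = "FailedKritisAdmission", "DryRunKritisAdmission"

# Constructed sample shaped like `kubectl get events -n kube-system -o json`;
# message text, counts and timestamps are invented for illustration.
SAMPLE_EVENTS = json.dumps({"items": [
    {"metadata": {"namespace": "kube-system"}, "reason": BLOCKED, "count": 3,
     "message": "constructed: image A failed signature verification",
     "lastTimestamp": "2020-08-20T10:00:00Z"},
    {"metadata": {"namespace": "kube-system"}, "reason": DRY_RUN,
     "message": "constructed: image B failed signature verification",
     "lastTimestamp": None, "eventTime": "2020-08-20T11:30:00.000000Z"},
    {"metadata": {"namespace": "kube-system"}, "reason": "Pulled",
     "message": "constructed: unrelated event",
     "lastTimestamp": "2020-08-20T09:00:00Z"},
    {"metadata": {"namespace": "default"}, "reason": DRY_RUN,
     "message": "constructed: wrong namespace, ignored",
     "lastTimestamp": "2020-08-20T12:00:00Z"},
]})

def triage(events_json, namespace="kube-system"):
    """Group signature-verification events by reason, newest first."""
    found = {BLOCKED: [], DRY_RUN: []}
    for ev in json.loads(events_json).get("items", []):
        reason = ev.get("reason")
        if reason not in found:
            continue
        if ev.get("metadata", {}).get("namespace") != namespace:
            continue
        found[reason].append({
            "message": ev.get("message", ""),
            "count": ev.get("count") or 1,  # count can be null on newer events
            "last_seen": ev.get("lastTimestamp") or ev.get("eventTime"),
        })
    for entries in found.values():
        entries.sort(key=lambda e: e["last_seen"] or "", reverse=True)
    return found

def needs_follow_up(events_json):
    """True when dry run let at least one unverified image through."""
    return bool(triage(events_json)[DRY_RUN])

if __name__ == "__main__":
    import sys
    raw = SAMPLE_EVENTS if sys.stdin.isatty() else sys.stdin.read()
    for reason, entries in triage(raw).items():
        for e in entries:
            print(reason, e["last_seen"], f'x{e["count"]}', e["message"])
```

A FailedKritisAdmission entry records a deployment that was rejected, while a DryRunKritisAdmission entry records an image that failed verification and was deployed anyway, so the second group is the one to review before dry run mode is disabled.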

June 2020

Version: v0.2.4.1-ge5c1265-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.4.1-ge5c1265-aliyun
Release date: 2020-06-22
Description: Signature verification is supported for signed Container Registry images used across regions.
Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.

April 2020

Version: v0.2.3.1-00e70883-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.3.1-00e70883-aliyun
Release date: 2020-04-07
Description: Program performance is improved and log content is optimized.
Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.

March 2020

Version: v0.2.2.3-fe8a6319-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.2.3-fe8a6319-aliyun
Release date: 2020-03-18
Description: kritis-validation-hook is integrated with Container Registry. You can verify the signatures of Key Management Service (KMS)-signed images. This allows you to make sure that only trusted images are deployed in ACK clusters.
Impact: If exceptions occur during the component upgrade, changes to cluster resources may fail. We recommend that you perform the upgrade during off-peak hours.