The container signature feature supports signing container images and verifying container image signatures. This feature ensures that only trusted images are deployed and prevents unauthorized images from starting. This helps you improve asset security.

Prerequisites

Complete the following operations before you use container signature.
  • Make sure that you have created a Key Management Service (KMS) key based on the asymmetric encryption algorithm.

    For more information about how to create a KMS key, see Create a CMK.

    Note Only asymmetric keys support the container signature feature. When you create a KMS key, set Key Spec to RSA_2048 and set Purpose to SIGN/VERIFY. For more information about the asymmetric encryption algorithm, see Cryptographic algorithms.
  • You have created a Kubernetes cluster in the China (Hong Kong) region and installed kritis-validation-hook components in the cluster.
    Note Currently, only Kubernetes clusters deployed in the China (Hong Kong) region support the container signature feature.

    For more information about how to create a Kubernetes cluster, see Create a Kubernetes cluster.

    For more information about kritis-validation-hook components, see kritis-validation-hook introduction.

  • If this is your first time using container signature, you must grant Security Center the required permission to access relevant services.

Limits

Only the Enterprise edition of Security Center supports container signature. If you are using the Basic or Advanced edition, you must upgrade to the Enterprise edition to use container signature.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Operation > Container Signature.
  3. Choose Container Signature > Witness to create a witness.
    If you have already created a witness, skip this step and go to step 4.

    On the Witness tab, click Create a witness and set the parameters. Click OK to complete creating a witness.

    The following table lists the descriptions of the parameters.

    Parameter             Description
    Witness               When you configure the security policy for container signature, you must select a witness to authorize your target container. We recommend that you enter a name that is easy to identify.
    Select a certificate  Select the KMS key that you have created from the certificate list.
                          Note Only asymmetric keys support the container signature feature. When you create a KMS key, set Key Spec to RSA_2048 and set Purpose to SIGN/VERIFY. For more information about the asymmetric encryption algorithm, see Cryptographic algorithms.
    Description           Enter remarks for the witness.
  4. Create a security policy.

    On the Security Policy tab, click Add Policy and set the parameters. After that, click OK to complete creating a policy.

    The following table lists the descriptions of the parameters.

    Parameter             Description
    Policy Name           When you configure the security policy for container signature, you must select a witness to authorize your target cluster. We recommend that you enter a policy name that is easy to identify.
    Witness               Select a witness that you have created from the witness list. For more information, see Step 3.
    Application Cluster   After you select the cluster group that needs to use container signature, select the target Cluster Namespace.
    Policy Enabled        After you create a policy, turn on the status switch to enable the policy.
                          Note By default, the policy is disabled. A disabled policy does not take effect.
    Remarks               Enter remarks for the policy.
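    The admission decision that the witness and policy settings above configure, modelled as an added Go example (not the product's or kritis-validation-hook's own code): a witness is an RSA_2048 SIGN/VERIFY public key, a policy binds it to one cluster namespace, and an image may start there only if its digest carries a signature that verifies under that key. The signature scheme (PKCS#1 v1.5 over SHA-256 of the digest string), the type names and the sample digest are assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Witness: a name bound to an RSA_2048 SIGN/VERIFY key; admission needs only the public half (hypothetical model).
type Witness struct {
	Name string
	Pub  *rsa.PublicKey
}

// Policy: one row of the Security Policy tab, a witness applied to one namespace plus the enable switch.
type Policy struct {
	Namespace string
	Witness   Witness
	Enabled   bool
}

// signDigest is the publisher-side step: sign the image digest with the witness's
// private key (assumed scheme: PKCS#1 v1.5 over SHA-256 of the digest string).
func signDigest(priv *rsa.PrivateKey, digest string) ([]byte, error) {
	h := sha256.Sum256([]byte(digest))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, h[:])
}

// admit is the webhook-side decision: nil means the image may start. A disabled
// policy, or a namespace the policy does not cover, performs no check at all.
func admit(p Policy, namespace, digest string, sig []byte) error {
	if !p.Enabled || p.Namespace != namespace {
		return nil
	}
	h := sha256.Sum256([]byte(digest))
	if err := rsa.VerifyPKCS1v15(p.Witness.Pub, crypto.SHA256, h[:], sig); err != nil {
		return fmt.Errorf("deny %s in %q: no valid signature from witness %q", digest, namespace, p.Witness.Name)
	}
	return nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // RSA_2048, as the Key Spec note requires
	p := Policy{Namespace: "prod", Witness: Witness{"release-witness", &priv.PublicKey}, Enabled: true}
	sig, _ := signDigest(priv, "sha256:0123abcd") // constructed sample digest
	fmt.Println(admit(p, "prod", "sha256:0123abcd", sig), admit(p, "prod", "sha256:0123abcd", []byte("forged")))
}
```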

What to do next

After you create and enable the security policy for container signature, container images covered by the enabled security policy are labeled as Trusted Image.
Note Currently, the feature that displays trusted signature labels is not available, but it will be available soon.