The container signature feature supports signing container images and verifying container image signatures. This feature ensures that only trusted images are deployed and prevents unauthorized images from starting. This reinforces your asset security.

Prerequisites

Complete the following operations before you use container signature.
  • Make sure that a Key Management Service (KMS) key is created based on the asymmetric encryption algorithm.

    For more information about how to create a KMS key, see Create a CMK.

    Note Only the asymmetric encryption algorithm supports the container signature feature. When you create a KMS key, set Key Spec to RSA_2048 and set Purpose to SIGN/VERIFY. For more information about the asymmetric encryption algorithm, see Key-based cryptographic algorithms.
  • You have created a Kubernetes cluster in the China (Hong Kong) region and installed the kritis-validation-hook component in the cluster.
    Note Currently, only Kubernetes clusters that are deployed in the China (Hong Kong) region support the container signature feature.

    For more information about how to create a Kubernetes cluster, see Create an ACK cluster.

    For more information about the kritis-validation-hook component, see kritis-validation-hook introduction.

  • If this is your first time using container signature, you must grant Security Center the required permissions to access relevant services. For more information, see Authorization.

Limits

Only the Enterprise edition of Security Center supports container signature. To use container signature, you must upgrade the Basic, Basic Anti-Virus, or Advanced edition to the Enterprise edition.

Procedure

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Container Signature.
  3. Optional: Choose Container Signature > Witness to create a witness.
    If you have already created a witness, skip this step and go to step 4.

    On the Witness tab, click Create a witness, set the parameters, and then click OK.

    The following table describes the parameters.

    Parameter | Description
    Witness | When you configure a security policy for container signature, you must select a witness to authorize the target container. We recommend that you enter a name that is easy to identify.
    Select a certificate | Select the KMS key that you have created from the certificate list. Note Only the asymmetric encryption algorithm supports the container signature feature. When you create a KMS key, set Key Spec to RSA_2048 and set Purpose to SIGN/VERIFY. For more information about the asymmetric encryption algorithm, see Key-based cryptographic algorithms.
    Description | Enter remarks for the witness.
  4. Create a security policy.

    On the Security Policy tab, click Add Policy, set the parameters, and then click OK.

    The following table describes the parameters.

    Parameter | Description
    Policy Name | When you configure the security policy for the container signature feature, you must select a witness to authorize your target cluster. We recommend that you enter a name that is easy to identify.
    Witness | Select a witness that you have created from the witness list. For more information, see Step 3.
    Application Cluster | Select the cluster group that needs to use container signature, and then select the target Cluster Namespace.
    Policy Enabled | Turn on this switch to enable the policy automatically after it is created. Note By default, the policy is disabled. A disabled policy does not take effect.
    Remarks | Enter remarks for the security policy.
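The decision the security policy expresses (a witness key that must have signed the image, a namespace scope, and an enable switch) modelled in Go. This is an added illustration, not code from Security Center or the kritis-validation-hook component; it assumes RSA-PSS over the SHA-256 hash of the image reference as the signature scheme, uses a locally generated key in place of the KMS RSA_2048 SIGN/VERIFY key, and adds a digest-pinning check that the page itself does not mention.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"strings"
)

// Policy models one container-signature security policy: the witness whose key
// must have signed the image, the namespace it applies to, and its on/off switch.
type Policy struct {
	WitnessPub *rsa.PublicKey
	Namespace  string
	Enabled    bool
}

// Attestation is a witness signature over the SHA-256 hash of an image reference.
type Attestation struct {
	Image string
	Sig   []byte
}

// Sign attests an image with the witness key. A locally generated RSA-2048 key
// stands in for the KMS RSA_2048 SIGN/VERIFY key the page requires.
func Sign(priv *rsa.PrivateKey, image string) (Attestation, error) {
	h := sha256.Sum256([]byte(image))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	return Attestation{Image: image, Sig: sig}, err
}

// Admit decides whether a workload that pulls image into namespace may start.
func Admit(p Policy, namespace, image string, atts []Attestation) bool {
	if !p.Enabled || p.Namespace != namespace {
		return true // disabled policies do not take effect; other namespaces are out of scope
	}
	// Assumption beyond the page: only digest-pinned references are accepted,
	// since a tag can later be pointed at a different, unsigned image.
	if !strings.Contains(image, "@sha256:") {
		return false
	}
	h := sha256.Sum256([]byte(image))
	for _, a := range atts {
		if a.Image == image && rsa.VerifyPSS(p.WitnessPub, crypto.SHA256, h[:], a.Sig, nil) == nil {
			return true // signed by the selected witness: trusted image
		}
	}
	return false // no valid witness signature: the image must not start
}
```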

What to do next

After you create and enable a security policy for container signature, container images covered by the enabled policy are labeled Trusted Image.
Note Currently, the Trusted Image label is not displayed. The label display function will be available soon.