The container signature feature supports signing container images and verifying container
image signatures. This feature ensures that only trusted images are deployed and prevents
unauthorized images from starting. This helps you improve asset security.
Prerequisites
Complete the following operations before you use container signature.
- Make sure that you have created a Key Management Service (KMS) key based on the asymmetric
encryption algorithm.
For more information about how to create a KMS key, see Create a CMK.
Note Only the asymmetric encryption algorithm supports the container signature feature.
When you create a KMS key, set
Key Spec to
RSA_2048 and set
Purpose to
SIGN/VERIFY. For more information about the asymmetric encryption algorithm, see
Cryptographic algorithms.
- You have created a Kubernetes cluster in the China (Hong Kong) region and installed
kritis-validation-hook components in the cluster.
Note Currently, only Kubernetes clusters deployed in the China (Hong Kong) region support
the container signature feature.
For more information about how to create a Kubernetes cluster, see Create a Kubernetes cluster.
For more information about kritis-validation-hook components, see kritis-validation-hook introduction.
- If this is your first time using container signature, you must grant Security Center
the required permission to access relevant services.
Limits
Only the Enterprise edition of Security Center supports container signature. If you
are using the Basic or Advanced edition, you must upgrade to the Enterprise edition
to use container signature.
Procedure
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- Choose to create a witness.
If you have already created a witness, skip this step and perform step 4.
On the Witness tab, click Create a witness and set the parameters. Click OK to complete creating a witness.
The following table lists the descriptions of the parameters.
| Parameter |
Description |
| Witness |
When you configure the security policy for container signature, you need to select
a witness to authorize your target container. We recommend that you enter a name that
is easy to identify.
|
| Select a certificate |
Select the KMS key that you have created from the certificate list.
Note Only the asymmetric encryption algorithm supports the container signature feature.
When you create a KMS key, set Key Spec to RSA_2048 and set Purpose to SIGN/VERIFY. For more information about the asymmetric encryption algorithm, see Cryptographic algorithms.
|
| Description |
Enter remarks for the witness. |
- Create a security policy.
On the Security Policy tab, click Add Policy and set the parameters. After that, click OK to complete creating a policy.
The following table lists the descriptions of the parameters.
| Parameter |
Description |
| Policy Name |
When you configure the security policy for container signature, you must select a
witness to authorize your target cluster.
We recommend that you enter a name that is easy to identify.
|
| Witness |
Select a witness that you have created from the witness list.
For more information, see Step 3.
|
| Application Cluster |
After you select the cluster group that needs to use container signature, select the
target Cluster Namespace.
|
| Policy Enabled |
After you create a policy, turn on the status switch to enable the policy.
Note By default, the policy is disabled. If the policy is disabled, it does not take effect.
|
| Remarks |
Enter remarks for the policy. |
What to do next
After you create and enable the security policy for container signature, container
images with the enabled security policy are labeled as Trusted Image.
Note Currently, the feature that displays trusted signature labels is not available, but
it will be available soon.