The container signature feature supports signing container images and verifying container
image signatures. It ensures that only trusted images are deployed and prevents
unauthorized images from being started, which reinforces the security of your assets.
Prerequisites
- A Key Management Service (KMS) key is created based on an asymmetric encryption algorithm.
For more information about how to create a KMS key, see Create a CMK.
Notice: Only asymmetric key algorithms support the container signature feature. When you create
a KMS key, set Key Spec to RSA_2048 and Purpose to Sign/Verify. For more information about the
cryptographic algorithms supported by KMS, see Key-based cryptographic algorithms.
- A Kubernetes cluster is created in the China (Hong Kong) region and the kritis-validation-hook
component is installed in the cluster.
Note: Only Kubernetes clusters that are deployed in the China (Hong Kong) region support
the container signature feature.
For more information about how to create a Kubernetes cluster, see Create a dedicated Kubernetes cluster.
For more information about the kritis-validation-hook component, see kritis-validation-hook introduction.
- If this is the first time that you use the container signature feature, you must grant
Security Center the required permissions to access relevant Alibaba Cloud services.

Limits
Only the Enterprise edition of Security Center supports the container signature feature.
If you use the Basic, Basic Anti-Virus, or Advanced edition, you must upgrade Security
Center to the Enterprise edition to use the container signature feature.
Procedure
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- Optional: On the Container Signature page, click the Witness tab to create a witness.
If you have already created a witness, skip this step and go to Step 4.
On the Witness tab, click Create a witness. In the panel that appears, configure the parameters and click OK.
The following table describes the parameters.
Parameter | Description
Witness | When you configure a security policy for the container signature feature, you must select a witness to authorize the required container. We recommend that you use an identifiable name.
Select a certificate | Select the KMS key that you created from the certificate list. Notice: Only asymmetric key algorithms support the container signature feature. When you create a KMS key, set Key Spec to RSA_2048 and Purpose to Sign/Verify. For more information about the cryptographic algorithms supported by KMS, see Key-based cryptographic algorithms.
Description | Enter the description of the witness.
- Create a security policy.
On the Security Policy tab, click Add Policy. In the panel that appears, configure the parameters and click OK.
The following table describes the parameters.
Parameter | Description
Policy Name | When you configure a security policy for the container signature feature, you must select a witness to authorize the required cluster. We recommend that you use an identifiable name.
Witness | Select the witness that you created from the witness list. For more information about how to create a witness, see Step 3.
Application Cluster | Select the cluster group for which you want to enable the container signature feature, and then select the required Cluster Namespace.
Policy Enabled | Turn on this switch so that the policy takes effect as soon as it is created. Note: The switch is turned off by default; if you leave it off, the policy does not take effect.
Note | Enter the description of the security policy.
What to do next
After you create and enable a security policy for the container signature feature,
a container image that has the security policy enabled is labeled as Trusted Image.
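The trust model behind the witness and policy steps above, as an added illustrative example that is not the product's or kritis-validation-hook's own code: a witness holds the public half of an RSA-2048 Sign/Verify key, a policy scopes that witness to a cluster namespace (and is off by default), and the admission check accepts an image only when its digest carries a valid signature from that witness. The Go types, the locally generated key standing in for the KMS key, the manifest bytes and the namespace names are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Witness binds a name to the public half of an RSA-2048 Sign/Verify key; verification
// needs only the public half, which is why a symmetric key cannot play this role.
type Witness struct {
	Name string
	Pub  *rsa.PublicKey
}

// Policy scopes one witness to one cluster namespace; Enabled is off by default.
type Policy struct {
	Namespace string
	Witness   Witness
	Enabled   bool
}

// imageDigest stands in for the content-addressable digest of an image manifest.
func imageDigest(manifest []byte) []byte {
	h := sha256.Sum256(manifest)
	return h[:]
}

// SignImage signs the digest with RSA-PSS; only the private-key holder can do this.
func SignImage(priv *rsa.PrivateKey, manifest []byte) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, imageDigest(manifest), nil)
}

// Admit models the validation hook's decision: a disabled policy, or one scoped to another
// namespace, blocks nothing; an enabled policy admits only images validly signed by its witness.
func Admit(p Policy, namespace string, manifest, sig []byte) bool {
	if !p.Enabled || p.Namespace != namespace {
		return true
	}
	return rsa.VerifyPSS(p.Witness.Pub, crypto.SHA256, imageDigest(manifest), sig, nil) == nil
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the KMS RSA_2048 key
	p := Policy{Namespace: "prod", Witness: Witness{"ci-signer", &priv.PublicKey}, Enabled: true}
	manifest := []byte("constructed image manifest") // constructed sample input
	sig, _ := SignImage(priv, manifest)
	fmt.Println("signed:", Admit(p, "prod", manifest, sig), "tampered:", Admit(p, "prod", []byte("x"), sig))
}
```

Unsigned images, images whose bytes changed after signing, and images signed by a key other than the witness's all fail the enabled policy, while a disabled policy leaves everything admitted.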