The container signature feature supports signing container images and verifying container
image signatures. This feature ensures that only trusted images are deployed and prevents
unauthorized images from starting. This reinforces your asset security.
Prerequisites
Complete the following operations before you use container signature.
- Make sure that a Key Management Service (KMS) key is created based on the asymmetric
encryption algorithm.
For more information about how to create a KMS key, see Create a CMK.
Note Only the asymmetric encryption algorithm supports the container signature feature.
When you create a KMS key, set
Key Spec to
RSA_2048 and set
Purpose to
SIGN/VERIFY. For more information about the asymmetric encryption algorithm, see
Key-based cryptographic algorithms.
- You have created a Kubernetes cluster in the China (Hong Kong) region and installed
the kritis-validation-hook component in the cluster.
Note Currently, only Kubernetes clusters that are deployed in the China (Hong Kong) region
support the container signature feature.
For more information about how to create a Kubernetes cluster, see Create an ACK cluster.
For more information about the kritis-validation-hook component, see kritis-validation-hook introduction.
- If this is your first time using container signature, you must grant Security Center
the required permissions to access relevant services.
Limits
Only the Enterprise edition of Security Center supports container signature. To use
container signature, you must upgrade the Basic, Basic Anti-Virus, or Advanced edition
to the Enterprise edition.
Procedure
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- Optional:Choose Witness to create a witness.
If you have already created a witness, skip this step and go to step 4.
On the Witness tab, click Create a witness, set the parameters, and then click OK.
The following table describes the parameters.
| Parameter |
Description |
| Witness |
When you configure a security policy for container signature, you must select a witness
to authorize the target container. We recommend that you enter a name that is easy
to identify.
|
| Select a certificate |
Select the KMS key that you have created from the certificate list.
Note Only the asymmetric encryption algorithm supports the container signature feature.
When you create a KMS key, set Key Spec to RSA_2048 and set Purpose to SIGN/VERIFY. For more information about the asymmetric encryption algorithm, see Key-based cryptographic algorithms.
|
| Description |
Enter remarks for the witness. |
- Create a security policy.
On the Security Policy tab, click Add Policy, set the parameters, and then click OK.
The following table describes the parameters.
| Parameter |
Description |
| Policy Name |
When you configure the security policy for the container signature feature, you must
select a witness to authorize your target cluster.
We recommend that you enter a name that is easy to identify.
|
| Witness |
Select a witness that you have created from the witness list.
For more information, see Step 3.
|
| Application Cluster |
After you select the cluster group that needs to use container signature, select the
target Cluster Namespace.
|
| Policy Enabled |
Turn on this switch, and the policy is automatically enabled after it is created.
Note By default, the policy is disabled. If the policy is disabled, it does not take effect.
|
| Remarks |
Enter remarks for the security policy. |
What to do next
After you create and enable the security policy for container signature, a container
image with the security policy enabled is labeled as Trusted Image.
Note Currently, the Trusted Image label is not displayed. The label display function is
available soon.