ACR provides a cloud-native delivery chain so that only trusted container images are deployed to the cloud. With the delivery chain you can configure a blocking policy that automatically prevents risky images from being deployed. You can also require that images be signed with your own key during development and then enforce signature validation at deployment time.

Image Scanning

With the cloud-native delivery chain, Container Registry automatically scans new container images after they are uploaded. If an image meets the conditions defined in the chain's blocking policy, the system automatically blocks it from being deployed; otherwise the system proceeds with the follow-up steps. A chain with an image security policy ensures that only images that pass the policy reach the deployment step. Note that an image that passes is only as safe as the policy's conditions, so review those conditions against your own risk threshold rather than treating a passed scan as proof that an image is free of vulnerabilities.

Image Signature

Create an asymmetric key

Create an asymmetric key in KMS. Because only asymmetric keys support image signing, choose EC or RSA as the key type and SIGN/VERIFY as the key usage. The signing algorithms offered by the ACR signature rule (RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256) are RSA-based, so an RSA key is required for those algorithms.

Create a signature rule

  1. Authorize ACR to use your KMS key.
    • To let ACR obtain the asymmetric key under your account for image signing, configure the following RAM role and policy in your account.
    • Create the AliyunContainerRegistryKMSRole RAM role with the trust policy shown below. The role is used only by ACR to read the asymmetric key under your account; the trust policy allows only the cr.aliyuncs.com service principal to assume it.
      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "cr.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
    • Create the AliyunContainerRegistryKMSRolePolicy permission policy, which allows access to your asymmetric key, and attach it to the AliyunContainerRegistryKMSRole RAM role. The permission policy is shown below; replace region and account with your region ID and account ID. Note that kms:* combined with a Resource ending in * grants every KMS operation on every key in the account. Once the integration works, narrow the Action list to the operations ACR actually needs and the Resource to the ARN of the signing key.
      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "kms:*"
                  ],
                  "Resource": "acs:kms:region:account:*"
              }
          ],
          "Version": "1"
      }
  2. Configure the certifier and the signature verification policy.
    1. Create a verification policy in Security Center.
    2. Create a certifier (AAName) and associate it with your asymmetric key in KMS.
    3. Optional: Create the signature verification policy and associate the certifier with the corresponding ACK cluster.
  3. Configure the image signature rule.
    1. In the ACR EE console, click Image signature, then click the button to create an image signature rule.
    2. Two signing algorithms are provided: RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256. Choose the one you need; the same algorithm must be used wherever the signatures are verified.
    3. Choose the signing key: select the certifier (AAName) associated with the KMS key.
    4. Signing scope: signing is configured at the namespace level. Select the namespace whose images should be signed automatically.
    5. Automatic signing is enabled by default: each time an image is pushed to the namespace, it is signed according to the signature rule.
      Note: After the signature rule is set, only newly uploaded images in the namespace are signed. Existing images are not signed; re-push them if they must pass signature validation.
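As an added check that is not part of the ACR documentation, the Go program below parses the AliyunContainerRegistryKMSRolePolicy permission policy from step 1 and flags the grants a reviewer would question before attaching it: the wildcard action, the wildcard resource and the unreplaced region/account placeholders. It also lints a tightened variant of the same policy. That variant's action names, key ARN format, region, account ID and key ID are assumptions to confirm against your own RAM and KMS console, not values taken from the page. The parser accepts Action and Resource as either a single string or an array, as RAM policies do.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PagePolicy is the AliyunContainerRegistryKMSRolePolicy document given in step 1.
const PagePolicy = `{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:*"],
            "Resource": "acs:kms:region:account:*"
        }
    ],
    "Version": "1"
}`

// TightenedPolicy is a least-privilege variant. Assumptions: RAM action names follow
// the KMS API operation names, and a key ARN has the form
// acs:kms:<region>:<account-id>:key/<key-id>. Region, account ID and key ID are
// constructed placeholders, not real identifiers.
const TightenedPolicy = `{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["kms:Sign", "kms:GetPublicKey", "kms:DescribeKey"],
            "Resource": "acs:kms:cn-hangzhou:123456789012:key/11111111-2222-3333-4444-555555555555"
        }
    ],
    "Version": "1"
}`

// StringOrSlice accepts a policy field written as either "x" or ["x", "y"].
type StringOrSlice []string

func (s *StringOrSlice) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*s = []string{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

type Statement struct {
	Effect   string        `json:"Effect"`
	Action   StringOrSlice `json:"Action"`
	Resource StringOrSlice `json:"Resource"`
}

type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// LintPolicy returns one finding per over-broad or unfinished Allow grant.
func LintPolicy(doc string) ([]string, error) {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, err
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range st.Action {
			// "kms:*" (or a bare "*") grants every operation in the service.
			if strings.HasSuffix(a, "*") {
				findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q grants every operation in the service", i, a))
			}
		}
		for _, r := range st.Resource {
			// A trailing wildcard covers every key in the account.
			if r == "*" || strings.HasSuffix(r, ":*") {
				findings = append(findings, fmt.Sprintf("statement %d: resource %q covers every key in the account", i, r))
			}
			// ARN layout acs:kms:<region>:<account>:<resource>; the literal words
			// "region" and "account" mean the template was never filled in.
			parts := strings.Split(r, ":")
			if len(parts) == 5 && (parts[2] == "region" || parts[3] == "account") {
				findings = append(findings, fmt.Sprintf("statement %d: resource %q still contains the region/account placeholders", i, r))
			}
		}
	}
	return findings, nil
}

func main() {
	for name, doc := range map[string]string{"page policy": PagePolicy, "tightened policy": TightenedPolicy} {
		findings, err := LintPolicy(doc)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run it before attaching the policy; the page's document produces three findings and the tightened one none, which is the state you want the role in once ACR signing has been confirmed to work.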

Define container deployment policy

Security Center provides a deployment policy that enforces signature validation at deployment time, so that only images whose authenticity and provenance have been verified are deployed.

Block unsigned images from being deployed

  • Recommended: use the kritis-validation-hook on your ACK clusters to verify image signatures automatically and prevent unsigned images from being deployed.
  • Alternatively, verify signatures on the client side based on KMS before an image is deployed.
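As an added example that is not code from ACR, Security Center or kritis, the Go program below shows what the client-side verification described above amounts to, using the two algorithms listed in the signature rule step (RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256). A locally generated RSA key stands in for the KMS asymmetric key, and the signed payload is assumed to be the digest-pinned image reference itself; the real payload format and where ACR stores the signature are defined by ACR and are not reproduced here. The registry hostname and digest are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// The two signing algorithms the ACR signature rule offers.
const (
	AlgRSAPSSSHA256   = "RSA_PSS_SHA_256"
	AlgRSAPKCS1SHA256 = "RSA_PKCS1_SHA_256"
)

// GenerateDemoKey creates a local 2048-bit RSA key that stands in for the KMS key.
// Assumption: in production the private key never leaves KMS; ACR calls KMS to sign
// and verifiers only need the exported public key.
func GenerateDemoKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// payloadDigest hashes the signed payload. Assumption for this example: the payload
// is the digest-pinned image reference; ACR defines its own payload format.
func payloadDigest(imageRef string) []byte {
	sum := sha256.Sum256([]byte(imageRef))
	return sum[:]
}

// SignImage mimics the signing step ACR performs through KMS when an image is pushed.
func SignImage(priv *rsa.PrivateKey, alg, imageRef string) ([]byte, error) {
	digest := payloadDigest(imageRef)
	switch alg {
	case AlgRSAPSSSHA256:
		return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest,
			&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	case AlgRSAPKCS1SHA256:
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest)
	}
	return nil, fmt.Errorf("unsupported signing algorithm %q", alg)
}

// VerifyImage is the client-side check: it needs only the public key and the
// algorithm configured in the signature rule. A PSS signature is not valid under
// PKCS#1 v1.5 or vice versa, so the algorithm is an explicit input.
func VerifyImage(pub *rsa.PublicKey, alg, imageRef string, sig []byte) error {
	digest := payloadDigest(imageRef)
	switch alg {
	case AlgRSAPSSSHA256:
		return rsa.VerifyPSS(pub, crypto.SHA256, digest, sig,
			&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	case AlgRSAPKCS1SHA256:
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest, sig)
	}
	return fmt.Errorf("unsupported signing algorithm %q", alg)
}

// AdmitImage is the deployment-policy decision an admission hook makes: the
// reference must be pinned to a digest (a tag can be re-pointed at an unsigned
// image after signing), a signature must be present, and it must verify.
func AdmitImage(pub *rsa.PublicKey, alg, imageRef string, sig []byte) error {
	if !strings.Contains(imageRef, "@sha256:") {
		return errors.New("deny: image reference is not pinned to a sha256 digest")
	}
	if len(sig) == 0 {
		return errors.New("deny: image is unsigned")
	}
	if err := VerifyImage(pub, alg, imageRef, sig); err != nil {
		return fmt.Errorf("deny: signature verification failed: %w", err)
	}
	return nil
}

func main() {
	priv := GenerateDemoKey()
	// Constructed sample reference; the digest is a placeholder, not a real image.
	img := "registry-intl.example.com/prod/app@sha256:" + strings.Repeat("ab", 32)
	sig, err := SignImage(priv, AlgRSAPSSSHA256, img)
	if err != nil {
		panic(err)
	}
	fmt.Println("signed, pinned image:", AdmitImage(&priv.PublicKey, AlgRSAPSSSHA256, img, sig))
	fmt.Println("verified with wrong algorithm:", AdmitImage(&priv.PublicKey, AlgRSAPKCS1SHA256, img, sig))
	fmt.Println("unsigned tag reference:", AdmitImage(&priv.PublicKey, AlgRSAPSSSHA256, "registry-intl.example.com/prod/app:latest", nil))
}
```

The digest-pinning check is the part most often skipped in home-grown verifiers: a signature over a tag proves nothing once the tag moves, which is why an admission policy should resolve tags to digests before verifying.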