Alibaba Cloud Container Registry supports image signing to ensure image consistency from distribution to deployment, prevent man-in-the-middle attacks, and prevent unauthorized image updates or deployment. Container Registry supports automatic image signing by namespace. Every time an image is pushed to Container Registry, Container Registry automatically signs the image based on the matched signature rule. This ensures that your container images are trustworthy.

Prerequisites

Key Management Service (KMS) is activated. For more information, see Activate KMS.

Create asymmetric keys

  1. Log on to the KMS console.
  2. In the KMS console, click Create Key and set the parameters to create a key.
    Note The image signing feature is implemented based on asymmetric key algorithms. When you create the KMS key, select an EC or RSA key type and set Purpose to SIGN/VERIFY.

Authorize Container Registry to use KMS keys

To allow Container Registry to read asymmetric keys under your account, configure a policy in Resource Access Management (RAM) by following these steps:

  1. Log on to the RAM console.
  2. In the left-side navigation pane, click RAM Roles.
  3. On the page that appears, click Create RAM Role. In the dialog box that appears, select Alibaba Cloud Account and then click Next.
  4. Enter AliyunContainerRegistryKMSRole in the RAM Role Name field.
    Note This role is dedicated for Container Registry to read asymmetric keys under your account.
  5. After the AliyunContainerRegistryKMSRole role is created, find it on the RAM Roles page and click the role name to manage the trust policy of this role.
  6. On the details page of the role, click the Trust Policy Management tab and then click Edit Trust Policy.

    Modify the trust policy as follows:

    {
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "cr.aliyuncs.com"
                    ]
                }
            }
        ],
        "Version": "1"
    }
  7. In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy and create a permission policy named AliyunContainerRegistryKMSRolePolicy.

    This policy allows Container Registry to read asymmetric keys. A sample policy is shown as follows. In the Resource value, region and account are placeholders for your region ID and account ID. Note that kms:* grants every KMS action on every key in that region; once signing works, narrow the Action list and the Resource value to the signing key that the role actually needs.

    {
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "kms:*"
                ],
                "Resource": "acs:kms:region:account:*"
            }
        ],
        "Version": "1"
    }
  8. In the left-side navigation pane, click RAM Roles. In the role list, find the AliyunContainerRegistryKMSRole role.
  9. Click Add Permissions in the Actions column.
  10. Select Custom Policy from the Select Policy drop-down list, select the AliyunContainerRegistryKMSRolePolicy policy, and then click OK.
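The two policy documents from the steps above can be checked before they are applied in the RAM console. The following Go program is an added example, not Alibaba Cloud code or tooling: it embeds the page's trust policy and permission policy, confirms that the trust policy lets only the cr.aliyuncs.com service principal assume the role and grants nothing but sts:AssumeRole, and reports the wildcard action and wildcard resource in the permission policy as least-privilege findings. The expected service name and the finding rules are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// The trust policy and permission policy from the steps above, one line each.
const trustPolicyJSON = `{"Statement":[{"Action":"sts:AssumeRole","Effect":"Allow","Principal":{"Service":["cr.aliyuncs.com"]}}],"Version":"1"}`
const permissionPolicyJSON = `{"Statement":[{"Effect":"Allow","Action":["kms:*"],"Resource":"acs:kms:region:account:*"}],"Version":"1"}`

// ramStatement covers the fields both policy kinds use; Action and Resource may
// be a single string or a list in RAM documents, so they are kept raw here.
type ramStatement struct {
	Effect    string          `json:"Effect"`
	Action    json.RawMessage `json:"Action"`
	Resource  json.RawMessage `json:"Resource"`
	Principal struct {
		Service []string `json:"Service"`
	} `json:"Principal"`
}

// asList normalises an absent field, a string, or a list of strings to a slice.
func asList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	json.Unmarshal(raw, &many) // an absent or malformed field simply yields nil
	return many
}

// CheckTrustPolicy fails unless every Allow statement grants only sts:AssumeRole
// and only to the expected service principal (cr.aliyuncs.com for this role).
func CheckTrustPolicy(doc, expectedService string) error {
	var p struct{ Statement []ramStatement }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return fmt.Errorf("trust policy is not valid JSON: %w", err)
	}
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range asList(st.Action) {
			if a != "sts:AssumeRole" {
				return fmt.Errorf("statement %d: only sts:AssumeRole belongs in a trust policy, found %q", i, a)
			}
		}
		if len(st.Principal.Service) == 0 {
			return fmt.Errorf("statement %d: no service principal", i)
		}
		for _, s := range st.Principal.Service {
			if s != expectedService {
				return fmt.Errorf("statement %d: %q may assume the role, expected only %q", i, s, expectedService)
			}
		}
	}
	return nil
}

func wildcards(raw json.RawMessage) []string {
	var out []string
	for _, v := range asList(raw) {
		if strings.HasSuffix(v, "*") {
			out = append(out, v)
		}
	}
	return out
}

// PermissionFindings reports least-privilege concerns in Allow statements: a
// wildcard action such as kms:* and a resource pattern that spans every key.
func PermissionFindings(doc string) ([]string, error) {
	var p struct{ Statement []ramStatement }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return nil, fmt.Errorf("permission policy is not valid JSON: %w", err)
	}
	var findings []string
	for i, st := range p.Statement {
		if st.Effect != "Allow" {
			continue
		}
		for _, a := range wildcards(st.Action) {
			findings = append(findings, fmt.Sprintf("statement %d: wildcard action %q grants every matching KMS API", i, a))
		}
		for _, r := range wildcards(st.Resource) {
			findings = append(findings, fmt.Sprintf("statement %d: resource %q covers every key, not only the signing key", i, r))
		}
	}
	return findings, nil
}

func main() {
	fmt.Println("trust policy ok:", CheckTrustPolicy(trustPolicyJSON, "cr.aliyuncs.com") == nil)
	fmt.Println(PermissionFindings(permissionPolicyJSON))
}
```

Run with `go run`; the trust policy passes and the permission policy yields two findings. Both findings point at the same tightening the note above describes: list the specific KMS actions the signing workflow needs and name the signing key in the Resource value instead of a trailing wildcard.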

Configure an authenticator and a verification policy

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Operation > Container Signature. On the page that appears, create an authenticator and associate it with the KMS key for image signing.
  3. Optional. Create a verification policy to associate the authenticator with the target Container Service for Kubernetes cluster. For more information, see Container signature.

Configure a signature rule for automatic image signing

  1. Log on to the console of Container Registry Enterprise Edition. In the left-side navigation pane, choose Content Trust > Image Signature. On the page that appears, click Create a signature rule.
  2. Set the parameters and click OK.
    Parameter      Description
    Algorithms     The algorithm used to sign images. Valid values: RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256.
    Signature Key  The key used to sign images. Select the KMS key associated with the authenticator created in the Security Center console.
    Scope          The namespace in which images are signed automatically.
    Trigger Type   The mode in which image signing is triggered. The default value is Automatic Trigger, indicating that image signing is automatically triggered for each image that is pushed to Container Registry.
    Note A signature rule only applies to new images pushed to the specified namespace. Existing images will not be signed based on the signature rule.

Verify image signatures

Use kritis-validation-hook to verify signatures of container images. For more information, see kritis-validation-hook introduction.

Note
  • You can use kritis-validation-hook to automatically verify image signatures in Container Service for Kubernetes clusters. You can set a policy to block image deployment if image signatures fail the verification. We recommend that you use this method.
  • You can also verify image signatures in Container Registry by using the signature verification feature of Key Management Center.
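The check that a verification hook performs, reduced to its cryptographic core, as an added example in Go (not code from Alibaba Cloud, from KMS, or from kritis-validation-hook): it signs and verifies an image reference with the two algorithms offered by the signature rule, RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256, and shows that a tampered digest or a mutable tag reference is rejected. Two assumptions are this example's own: the signed payload is the image reference pinned by its manifest digest, and a locally generated RSA key stands in for the KMS key pair. The page does not describe the actual payload layout or how the hook retrieves signatures; in the real workflow the private key never leaves KMS and only the public key is used at admission time.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Algorithm names as they appear in the signature rule's Algorithms parameter.
const (
	AlgRSAPSSSHA256   = "RSA_PSS_SHA_256"
	AlgRSAPKCS1SHA256 = "RSA_PKCS1_SHA_256"
)

// pssOpts fixes the salt length to the hash length, the usual choice for RSA-PSS
// with SHA-256; the verifier must use the same parameters as the signer.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

// payloadHash is the SHA-256 of the bytes that get signed. Assumption of this
// example: the payload is the digest-pinned image reference. The real layout
// used by Container Registry is not described on the page.
func payloadHash(imageRef string) []byte {
	h := sha256.Sum256([]byte(imageRef))
	return h[:]
}

// SignImageRef stands in for the KMS signing call; in production the private key
// never leaves KMS and only the public key is fetched for verification.
func SignImageRef(priv *rsa.PrivateKey, alg, imageRef string) ([]byte, error) {
	switch alg {
	case AlgRSAPSSSHA256:
		return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, payloadHash(imageRef), pssOpts)
	case AlgRSAPKCS1SHA256:
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, payloadHash(imageRef))
	}
	return nil, fmt.Errorf("unsupported algorithm %q", alg)
}

// VerifyImageRef is the admission-time check. The deploy request's image
// reference must be pinned by digest (a tag can be repointed after signing),
// and the signature must verify under the KMS public key with the rule's algorithm.
func VerifyImageRef(pub *rsa.PublicKey, alg, imageRef string, sig []byte) error {
	if !strings.Contains(imageRef, "@sha256:") {
		return fmt.Errorf("image %q is not pinned by digest; refusing to verify a mutable tag", imageRef)
	}
	switch alg {
	case AlgRSAPSSSHA256:
		return rsa.VerifyPSS(pub, crypto.SHA256, payloadHash(imageRef), sig, pssOpts)
	case AlgRSAPKCS1SHA256:
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, payloadHash(imageRef), sig)
	}
	return fmt.Errorf("unsupported algorithm %q", alg)
}

func main() {
	// Constructed stand-in for the KMS key pair and a constructed image reference.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ref := "registry.example.com/demo/app@sha256:" + strings.Repeat("ab", 32)
	for _, alg := range []string{AlgRSAPSSSHA256, AlgRSAPKCS1SHA256} {
		sig, err := SignImageRef(priv, alg, ref)
		if err != nil {
			panic(err)
		}
		pub := &priv.PublicKey
		fmt.Printf("%s genuine image:   err=%v\n", alg, VerifyImageRef(pub, alg, ref, sig))
		fmt.Printf("%s tampered digest: err=%v\n", alg, VerifyImageRef(pub, alg, strings.Replace(ref, "ab", "cd", 1), sig))
		fmt.Printf("%s tag reference:   err=%v\n", alg, VerifyImageRef(pub, alg, "registry.example.com/demo/app:latest", sig))
	}
}
```

The digest check is the part most often skipped when people wire up verification by hand: a signature over a tag proves nothing about the bytes that tag resolves to at deploy time, which is why admission checks should resolve or require `@sha256:` references. The algorithm switch also shows why the verifier must be told which of the rule's two algorithms was used; a PSS signature does not verify as PKCS#1 v1.5 and vice versa.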