Alibaba Cloud Container Registry supports image signing to ensure image consistency
from distribution to deployment, prevent man-in-the-middle attacks, and prevent unauthorized
image updates or deployment. Container Registry supports automatic image signing by
namespace. Every time an image is pushed to Container Registry, Container Registry
automatically signs the image based on the matched signature rule. This ensures that
your container images are trustworthy.
Prerequisites
Key Management Service (KMS) is activated. For more information, see
Activate KMS.
Create asymmetric keys
- Log on to the KMS console.
- In the KMS console, click Create Key and set the parameters to create a key.
Note The image signing feature is implemented based on asymmetric key algorithms. When
you create the KMS key, select an EC or RSA key type and set Purpose to SIGN/VERIFY.
Authorize Container Registry to use KMS keys
To allow Container Registry to read asymmetric keys under your account, configure
a policy in Resource Access Management (RAM) by following these steps:
- Log on to the RAM console.
- In the left-side navigation pane, click RAM Roles.
- On the page that appears, click Create RAM Role. In the dialog box that appears, select
Alibaba Cloud Account and then click Next.
- Enter AliyunContainerRegistryKMSRole in the RAM Role Name field.
Note This role is dedicated for Container Registry to read asymmetric keys under your account.
- After the AliyunContainerRegistryKMSRole role is created, find it on the RAM Roles page and click the role name to manage the trust policy of this role.
- On the details page of the role, click the Trust Policy Management tab and then click Edit Trust Policy.
Modify the trust policy as follows:
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cr.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
- In the left-side navigation pane, choose Permissions > Policies. On the page that appears, click Create Policy and create a permission policy named AliyunContainerRegistryKMSRolePolicy.
This policy allows Container Registry to read asymmetric keys. The following sample policy grants all KMS actions (kms:*) on every key in the specified region and account; replace region and account with your own values, and narrow Action and Resource to what image signing requires if you want the role to hold least privilege:
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": "acs:kms:region:account:*"
    }
  ],
  "Version": "1"
}
- In the left-side navigation pane, click RAM Roles. In the role list, find the AliyunContainerRegistryKMSRole role.
- Click Add Permissions in the Actions column.
- Select Custom Policy from the Select Policy drop-down list, select the AliyunContainerRegistryKMSRolePolicy policy, and then click OK.
Configure an authenticator and a verification policy
- Log on to the Security Center console.
- In the left-side navigation pane, choose . On the page that appears, create an authenticator and associate it with the KMS key for image signing.
- Optional. Create a verification policy to associate the authenticator with the target
Container Service for Kubernetes cluster. For more information, see Container signature.
Configure a signature rule for automatic image signing
- Log on to the console of Container Registry Enterprise Edition. In the left-side navigation pane, choose . On the page that appears, click Create a signature rule.
- Set the parameters and click OK.
Parameter | Description
--- | ---
Algorithms | The algorithm used to sign images. Valid values: RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256.
Signature Key | The key used to sign images. Select the KMS key associated with the authenticator created in the Security Center console.
Scope | The namespace in which images are signed automatically.
Trigger Type | The mode in which image signing is triggered. The default value is Automatic Trigger, indicating that image signing is automatically triggered for each image that is pushed to Container Registry.
Note A signature rule only applies to new images pushed to the specified namespace. Existing
images will not be signed based on the signature rule.
Verify image signatures
Use kritis-validation-hook to verify signatures of container images. For more information,
see kritis-validation-hook introduction.
Note
- You can use kritis-validation-hook to automatically verify image signatures in Container
Service for Kubernetes clusters. You can set a policy to block image deployment if
image signatures fail the verification. We recommend that you use this method.
- You can also verify image signatures in Container Registry by using the signature
verification feature of Key Management Center.
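To make the two signature-rule algorithms and the verification step concrete, the following Go program is an added example written for this page; it is not code from Alibaba Cloud, Container Registry or kritis-validation-hook. It simulates the KMS signing call with a locally generated RSA key, signs a constructed manifest digest with RSA_PSS_SHA_256 or RSA_PKCS1_SHA_256, and verifies it with only the public key, the way an admission hook would; that the signed payload is the manifest digest string, and the function names, are assumptions of the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Algorithm names match the Algorithms parameter of a signature rule on this page.
const (
	AlgRSAPSSSHA256   = "RSA_PSS_SHA_256"
	AlgRSAPKCS1SHA256 = "RSA_PKCS1_SHA_256"
)
// digestOf hashes the manifest digest string; treating it as the signed payload is an assumption here.
func digestOf(manifestDigest string) []byte {
	h := sha256.Sum256([]byte(manifestDigest))
	return h[:]
}

// Sign stands in for the KMS signing call that a signature rule triggers on push.
// A nil PSSOptions uses the default salt length, which VerifyPSS auto-detects.
func Sign(priv *rsa.PrivateKey, alg, manifestDigest string) ([]byte, error) {
	switch alg {
	case AlgRSAPSSSHA256:
		return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digestOf(manifestDigest), nil)
	case AlgRSAPKCS1SHA256:
		return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digestOf(manifestDigest))
	}
	return nil, fmt.Errorf("unsupported algorithm %q", alg)
}

// Verify needs only the public key, which is all an admission hook should hold.
func Verify(pub *rsa.PublicKey, alg, manifestDigest string, sig []byte) bool {
	switch alg {
	case AlgRSAPSSSHA256:
		return rsa.VerifyPSS(pub, crypto.SHA256, digestOf(manifestDigest), sig, nil) == nil
	case AlgRSAPKCS1SHA256:
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digestOf(manifestDigest), sig) == nil
	}
	return false // unknown algorithm: fail closed, never fall back
}
func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	digest := "sha256:0123456789abcdef" // constructed sample manifest digest
	sig, _ := Sign(priv, AlgRSAPSSSHA256, digest)
	fmt.Println(Verify(&priv.PublicKey, AlgRSAPSSSHA256, digest, sig), Verify(&priv.PublicKey, AlgRSAPSSSHA256, digest+"0", sig))
}
```

A verifier that accepts a signature under a different algorithm than the rule used, or that falls back to "allow" for an unknown algorithm, would defeat the deployment block described above, so both cases are rejected here.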