
Container Registry:Sign container images

Last Updated:Aug 07, 2023

Container Registry supports image signing. Signing protects images against man-in-the-middle (MITM) attacks and against unauthorized updates or deployment, so that an image stays consistent from distribution to deployment. Container Registry can automatically sign images in specific namespaces: after an image is pushed, Container Registry signs it according to the signing rule that the image matches. This ensures that your container images are trusted.

Prerequisites

Create asymmetric keys

  1. Log on to the KMS console.

  2. In the top navigation bar, select the region in which you want to create keys.

  3. In the left-side navigation pane, click Keys. On the page that appears, click Create Key.

  4. In the Create Key dialog box, configure parameters and click OK.

    Image signing is based on asymmetric key algorithms. When you create the KMS key, select the EC or RSA key type and set the Purpose parameter to SIGN/VERIFY. For information about the other parameters, see Create a CMK.

Authorize Container Registry to use KMS keys

To allow Container Registry to read asymmetric keys within your account, configure a policy in Resource Access Management (RAM).

  1. Log on to the RAM console.

  2. In the left-side navigation pane, choose Identities > Roles.

  3. On the Roles page, create a RAM role named AliyunContainerRegistryKMSRole.

    1. On the Roles page, click Create Role.

    2. In the Select Role Type step of the Create Role wizard, select Alibaba Cloud Account as the trusted entity type and then click Next.

    3. In the Configure Role step, set RAM Role Name to AliyunContainerRegistryKMSRole, select a trusted Alibaba Cloud account, and then click OK.

  4. Modify the trust policy.

    1. On the Roles page, find AliyunContainerRegistryKMSRole in the Role Name column and click AliyunContainerRegistryKMSRole.

    2. Click the Trust Policy Management tab and then click Edit Trust Policy.

    3. In the Edit Trust Policy panel, modify the trust policy and click OK.

      {
          "Statement": [
              {
                  "Action": "sts:AssumeRole",
                  "Effect": "Allow",
                  "Principal": {
                      "Service": [
                          "cr.aliyuncs.com"
                      ]
                  }
              }
          ],
          "Version": "1"
      }
  5. Create an AliyunContainerRegistryKMSRolePolicy policy.

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies.

    2. On the Policies page, click Create Policy.

    3. On the Create Policy page, click the JSON tab, enter the following policy document in the code editor, and click Next to edit the policy information. On the page that appears, set the policy name to AliyunContainerRegistryKMSRolePolicy and click OK.

      Note

      Replace ${region} and ${accountid} in the following policy with the region in which you created the KMS keys and the ID of the account that owns them.

      {
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": [
                      "kms:*"
                  ],
                  "Resource": "acs:kms:${region}:${accountid}:*"
              }
          ],
          "Version": "1"
      }
  6. In the left-side navigation pane, choose Identities > Roles. In the role list, find the AliyunContainerRegistryKMSRole role.

  7. Click Add Permissions in the Actions column corresponding to the role.

  8. In the Add Permissions panel, select Custom Policy as the policy type, find and select AliyunContainerRegistryKMSRolePolicy, and then click OK to add the custom policy.
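Before you paste the two documents into the RAM console, it is worth checking the result rather than trusting the edit by eye: the trust policy must name cr.aliyuncs.com and nothing else as the principal that may assume the role, and both placeholders in the permission policy must have been replaced so that the Resource stays scoped to your own region and account. The following Go program is an added example and is not part of this page or of Container Registry itself; the policy grammar it models covers only the fields the two documents above use, and the region and account ID in main are sample values constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement and Policy model the subset of the RAM policy grammar used on this
// page. Action and Principal.Service may be a string or a list, hence RawMessage.
type Statement struct {
	Action    json.RawMessage `json:"Action"`
	Effect    string          `json:"Effect"`
	Principal struct {
		Service json.RawMessage `json:"Service"`
	} `json:"Principal"`
	Resource string `json:"Resource"`
}

type Policy struct {
	Statement []Statement `json:"Statement"`
}

// stringList accepts either "x" or ["x", "y"]; a missing value is an error.
func stringList(raw json.RawMessage) ([]string, error) {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err != nil {
		return nil, fmt.Errorf("expected a string or a list, got %q", string(raw))
	}
	return many, nil
}

// The two documents from the procedure above; the second one still carries the
// ${region} and ${accountid} placeholders that the Note tells you to replace.
const TrustPolicy = `{"Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
  "Principal": {"Service": ["cr.aliyuncs.com"]}}], "Version": "1"}`

const PermissionPolicyTemplate = `{"Statement": [{"Effect": "Allow", "Action": ["kms:*"],
  "Resource": "acs:kms:${region}:${accountid}:*"}], "Version": "1"}`

// RenderPermissionPolicy fills the region and account ID into the template.
func RenderPermissionPolicy(region, accountID string) string {
	r := strings.NewReplacer("${region}", region, "${accountid}", accountID)
	return r.Replace(PermissionPolicyTemplate)
}

// CheckTrustPolicy returns nil only if every Allow statement grants
// sts:AssumeRole to the Container Registry service principal and nothing else.
func CheckTrustPolicy(doc string) error {
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return err
	}
	for _, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		actions, err := stringList(s.Action)
		if err != nil || len(actions) != 1 || actions[0] != "sts:AssumeRole" {
			return fmt.Errorf("trust statement must allow exactly sts:AssumeRole, got %s", s.Action)
		}
		services, err := stringList(s.Principal.Service)
		if err != nil || len(services) != 1 || services[0] != "cr.aliyuncs.com" {
			return fmt.Errorf("trust statement must name only cr.aliyuncs.com, got %s", s.Principal.Service)
		}
	}
	return nil
}

// CheckPermissionPolicy returns nil only if no placeholder is left unreplaced and
// every Allow statement is scoped to the caller's own region and account.
func CheckPermissionPolicy(doc, region, accountID string) error {
	if strings.Contains(doc, "${") {
		return fmt.Errorf("policy still contains an unreplaced ${...} placeholder")
	}
	var p Policy
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return err
	}
	want := fmt.Sprintf("acs:kms:%s:%s:", region, accountID)
	for _, s := range p.Statement {
		if s.Effect == "Allow" && !strings.HasPrefix(s.Resource, want) {
			return fmt.Errorf("resource %q is not scoped to %s*", s.Resource, want)
		}
	}
	return nil
}

func main() {
	// Constructed sample values: a region name and a made-up 16-digit account ID.
	region, accountID := "cn-hangzhou", "1234567890123456"
	fmt.Println("trust policy:", CheckTrustPolicy(TrustPolicy))
	rendered := RenderPermissionPolicy(region, accountID)
	fmt.Println("rendered policy:", CheckPermissionPolicy(rendered, region, accountID))
}
```

Both checks print `<nil>` for the documents as given once the placeholders are filled in; feeding the unrendered template, or a trust policy that lists a second service, returns an error instead. The Resource check deliberately pins the region and account ID rather than accepting any `acs:kms:*` string, since a policy that still contains `${accountid}` or a wildcard account would not fail at paste time in the console.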

Configure a witness and a signature verification policy

  1. Log on to the Cloud Security Center console.

  2. In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Signature. On the Container Signature page, click the Witness tab, and then click Create a witness to create a witness and associate it with the KMS keys that you created. The KMS keys are used for image signing.

  3. Optional. Create a signature verification policy to associate the witness with the corresponding Container Service for Kubernetes (ACK) cluster. For more information, see Use the container signature feature.

Configure a signature rule for automatic image signing

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the Enterprise Edition instance that you want to manage.

  5. On the management page of the Container Registry Enterprise Edition instance, choose Security and Trust > Image Signature in the left-side navigation pane. Click Create a signature rule.

  6. In the Key Configuration step, select the witness that you created in the Cloud Security Center console and associate it with the KMS keys. Click Next.

  7. In the Signature Configurations step, configure parameters and click Create Signing Rule.

    Note

    A signature rule applies only to new images that are pushed to the specified namespace. Existing images are not signed based on the signature rule.

    • Algorithms: the algorithm that is used to sign images. Valid values: RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256.

    • Scope: the scope of the images that need to be automatically signed. You can select a namespace.

    • Signature types:

      • Default: Both the image digest and the image tag are signed. The default mode is suitable for signing images within the current instance.

      • Simple: Only the image digest is signed; the image tag is not. The simple mode is suitable for cross-instance image replication, because a signature that does not cover the tag remains verifiable after the tag changes.

    • Trigger Type: the mode in which image signing is triggered. The default value is Automatic Trigger, which indicates that image signing is automatically triggered whenever an image is pushed to Container Registry.
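The practical difference between the two signature types is what the signature covers, and that decides which later changes break verification: with the Default type a retag invalidates the signature, with the Simple type only a change of the digest does. The following Go program is an added example and is not code from this page or from Container Registry; it uses a locally generated RSA key in place of the KMS key, signs with both algorithms the rule offers (RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256, via the standard library's crypto/rsa), and then verifies after a retag and after a digest change. The payload layout, the digests and the tags are assumptions constructed for the example, not the product's actual signature format.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Algorithm holds the two values the signing rule offers (names as on this page).
type Algorithm string

const (
	RSAPSSSHA256   Algorithm = "RSA_PSS_SHA_256"
	RSAPKCS1SHA256 Algorithm = "RSA_PKCS1_SHA_256"
)

// SignatureType mirrors the rule's Default (digest + tag) and Simple (digest only) types.
type SignatureType int

const (
	Default SignatureType = iota
	Simple
)

// NewKey generates a local RSA key pair standing in for the KMS SIGN/VERIFY key.
func NewKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// payload is the byte string that gets signed; its layout is an assumption for this example.
func payload(st SignatureType, digest, tag string) []byte {
	if st == Simple {
		return []byte(digest)
	}
	return []byte(digest + "\n" + tag)
}

// Sign hashes the payload with SHA-256 and signs the hash with the chosen RSA scheme.
func Sign(key *rsa.PrivateKey, alg Algorithm, st SignatureType, digest, tag string) ([]byte, error) {
	h := sha256.Sum256(payload(st, digest, tag))
	switch alg {
	case RSAPSSSHA256:
		return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:], nil)
	case RSAPKCS1SHA256:
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	}
	return nil, fmt.Errorf("unsupported algorithm %q", alg)
}

// Verify reports whether sig is valid for (digest, tag) under the same algorithm and type.
func Verify(pub *rsa.PublicKey, alg Algorithm, st SignatureType, digest, tag string, sig []byte) bool {
	h := sha256.Sum256(payload(st, digest, tag))
	switch alg {
	case RSAPSSSHA256:
		return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
	case RSAPKCS1SHA256:
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
	}
	return false
}

// Constructed sample digests; neither refers to a real image.
const (
	sampleDigest   = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"
	tamperedDigest = "sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
)

// RetagSurvives signs sampleDigest tagged v1.0.0 and verifies after a retag to v1.0.1.
// Expected: true for Simple (the tag is not covered), false for Default.
func RetagSurvives(key *rsa.PrivateKey, alg Algorithm, st SignatureType) (bool, error) {
	sig, err := Sign(key, alg, st, sampleDigest, "v1.0.0")
	if err != nil {
		return false, err
	}
	return Verify(&key.PublicKey, alg, st, sampleDigest, "v1.0.1", sig), nil
}

// TamperDetected checks that a signature over sampleDigest fails for a different digest
// under the same tag. Expected: true for both signature types.
func TamperDetected(key *rsa.PrivateKey, alg Algorithm, st SignatureType) (bool, error) {
	sig, err := Sign(key, alg, st, sampleDigest, "v1.0.0")
	if err != nil {
		return false, err
	}
	return !Verify(&key.PublicKey, alg, st, tamperedDigest, "v1.0.0", sig), nil
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	for _, st := range []SignatureType{Default, Simple} {
		retag, _ := RetagSurvives(key, RSAPSSSHA256, st)
		tamper, _ := TamperDetected(key, RSAPSSSHA256, st)
		fmt.Printf("type=%d retag-survives=%v tamper-detected=%v\n", st, retag, tamper)
	}
}
```

Running it prints `retag-survives=false` for the Default type and `true` for Simple, while `tamper-detected` is `true` in both cases. That is exactly why the Default type suits a single instance, where a tag move should be noticed, and the Simple type suits replication to another instance, where the same digest may legitimately carry a different tag.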

Verify image signatures

Use kritis-validation-hook to verify signatures of container images. For more information, see Introduction to kritis-validation-hook.

Note

  • You can use kritis-validation-hook to automatically verify image signatures in ACK clusters. You can set a policy to block image deployment if image signatures fail the verification. We recommend that you use this method.

  • You can also verify image signatures in Container Registry by using the signature verification feature of KMS.