Container Registry automatically signs images in specified namespaces to protect your supply chain against man-in-the-middle (MITM) attacks and unauthorized image tampering. After an image is pushed to Container Registry, it is signed according to the signing rules it matches. Signing alone does not block anything; the guarantee comes from verifying those signatures at deployment time, so that only images signed with your keys run in your environment.
Prerequisites
Before you begin, ensure that you have:
- A Container Registry Enterprise Edition instance (Advanced Edition). Image signing requires the Advanced Edition tier. For setup instructions, see Create a Container Registry Enterprise Edition instance.
- Key Management Service (KMS) activated. KMS holds the asymmetric keys used to sign images. For setup instructions, see Activate KMS.
Create asymmetric keys
Image signing uses asymmetric key algorithms. Create a KMS key of type EC or RSA with the purpose set to SIGN/VERIFY.
- Log on to the KMS console.
- In the top navigation bar, select the region where you want to create keys.
- In the left-side navigation pane, click Keys, then click Create Key.
- In the Create Key dialog box, set the key type to EC or RSA and set the Purpose parameter to SIGN/VERIFY, then click OK. For details on other parameters, see Create a CMK.
Authorize Container Registry to access KMS keys
Container Registry needs permission to call KMS signing operations with your asymmetric keys; the private key material stays in KMS. Grant this access through a Resource Access Management (RAM) role with a custom policy, which Container Registry assumes when it signs an image.
Create the RAM role
- Log on to the RAM console.
- In the left-side navigation pane, choose Identities > Roles.
- On the Roles page, click Create Role.
- On the Create Role page, set Principal Type to Cloud Account, specify your Alibaba Cloud account, then click OK.
- In the Create Role dialog box, set Role Name to AliyunContainerRegistryKMSRole, then click OK.
Update the trust policy
- On the Roles page, search for AliyunContainerRegistryKMSRole and click the role name.
- Click the Trust Policy tab, then click Edit Trust Policy.
- Replace the policy content with the following, then click OK. After you save it, only the Container Registry service (cr.aliyuncs.com) can assume the role; the Cloud Account principal chosen when the role was created is no longer trusted, which is the intended result.

```json
{
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "cr.aliyuncs.com"
        ]
      }
    }
  ],
  "Version": "1"
}
```
Create and attach the permission policy
- In the left-side navigation pane of the RAM console, choose Permissions > Policies.
- On the Policies page, click Create Policy.
- On the Create Policy page, click the JSON tab and enter the following policy. Replace ${region} and ${accountid} with your actual region and account ID.

```json
{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": "acs:kms:${region}:${accountid}:*"
    }
  ],
  "Version": "1"
}
```

  This policy grants the role every KMS action on every key in the region. If you want to limit what a misuse of the role could do, narrow Resource to the ARNs of the signing keys you created (of the form acs:kms:${region}:${accountid}:key/<key-id>). This page does not list the individual KMS actions Container Registry calls, so test any tightening of Action against a real push before relying on it.
- Click OK. In the Create Policy dialog box, set Policy Name to AliyunContainerRegistryKMSRolePolicy and configure the Description, then click OK.
- In the left-side navigation pane, choose Identities > Roles. Find AliyunContainerRegistryKMSRole and click Add Permissions in the Actions column.
- In the Add Permissions panel, select Custom Policy as the policy type, find and select AliyunContainerRegistryKMSRolePolicy, then click OK.
Configure a witness and a signature verification policy
A witness links your KMS keys to the Container Registry signing workflow. Optionally, associate the witness with an ACK cluster to enforce signature verification at deployment time.
- Log on to the Cloud Security Center console.
- In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Signature. On the Container Signature page, click the Witness tab, then click create a witness.
- Create a witness and associate it with the KMS keys you created. These keys are used for image signing.
- (Optional) Create a signature verification policy to associate the witness with a Container Service for Kubernetes (ACK) cluster. For details, see Use the container signature feature.
Configure a signing rule
A signing rule defines which images get signed and how. After you create a rule, Container Registry automatically signs every new image pushed to the specified namespace.
A signing rule applies only to images pushed after the rule is created. Existing images in the namespace are not signed.
- Log on to the Container Registry console.
- In the top navigation bar, select a region.
- In the left-side navigation pane, click Instances.
- On the Instances page, click the Enterprise Edition instance you want to manage.
- In the left-side navigation pane, choose Security and Trust > Image Signature, then click Create a signature rule.
- In the Key Configuration step, select the witness you created in Cloud Security Center and associate it with the KMS keys, then click Next.
- In the Signature Configurations step, configure the following parameters, then click Create Signing Rule.

| Parameter | Description |
|---|---|
| Algorithms | The algorithm used to sign images. Valid values: RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256. |
| Scope | The namespace whose images are automatically signed. |
| Signature types | Default: signs both the image digest and the tag. Use this for signature verification within the same instance. Simple: signs the image digest only, not the tag. Use this for cross-instance image replication, where tags may change. |
| Trigger Type | How image signing is triggered. The default value is Automatic Trigger, which signs images whenever they are pushed to Container Registry. |
Verify image signatures
Use kritis-validation-hook to verify container image signatures in ACK clusters. kritis-validation-hook can automatically block image deployment if signature verification fails. For setup instructions, see Introduction to kritis-validation-hook.
Alternatively, verify a signature out of band with the signature verification operation of KMS, using the same KMS key that Container Registry used to sign the image.
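To make the two signature types and the two RSA algorithms concrete, the following is an added example written for this page, not code from Container Registry, KMS or kritis-validation-hook. It signs a constructed image digest with Go's standard library and then checks the signature the way an admission hook would, once with the original tag, once after a retag, and once with a tampered digest. It assumes a locally generated RSA key standing in for the KMS SIGN/VERIFY key, an illustrative payload layout (digest plus tag for Default, digest only for Simple; the real payload format is not documented on this page), and the function names Payload, Sign, Verify, AdmitImage and NewKey, all chosen for this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// SigType mirrors the two "Signature types" a signing rule offers.
type SigType int

const (
	Default SigType = iota // digest and tag are both covered by the signature
	Simple                 // digest only; tags may change on cross-instance replication
)

// Payload builds the bytes that get signed.
// ASSUMPTION: the "digest\ntag" layout is an illustrative encoding chosen for
// this example; the payload Container Registry actually signs is not on this page.
func Payload(t SigType, digest, tag string) []byte {
	if t == Simple {
		return []byte(digest)
	}
	return []byte(digest + "\n" + tag)
}

// Sign hashes msg with SHA-256 and signs it with one of the two algorithms
// listed in the signing-rule table. In production this call is made by KMS.
func Sign(key *rsa.PrivateKey, algo string, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	switch algo {
	case "RSA_PSS_SHA_256":
		return rsa.SignPSS(rand.Reader, key, crypto.SHA256, h[:],
			&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash})
	case "RSA_PKCS1_SHA_256":
		return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	}
	return nil, errors.New("unsupported algorithm: " + algo)
}

// Verify reports whether sig is a valid signature over msg under algo.
func Verify(pub *rsa.PublicKey, algo string, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	switch algo {
	case "RSA_PSS_SHA_256":
		return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig,
			&rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}) == nil
	case "RSA_PKCS1_SHA_256":
		return rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], sig) == nil
	}
	return false
}

// NewKey generates a local RSA key that stands in for the KMS key (assumption:
// a real deployment never sees the private key, KMS signs on its behalf).
func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// AdmitImage does what a verification hook does before admitting a workload:
// it rebuilds the payload from the digest (and, for Default, the tag) the
// cluster actually sees and checks the stored signature against it.
func AdmitImage(pub *rsa.PublicKey, t SigType, algo, digest, tag string, sig []byte) bool {
	return Verify(pub, algo, Payload(t, digest, tag), sig)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	pub := &key.PublicKey
	digest := "sha256:" + strings.Repeat("ab", 32)  // constructed sample digest
	forged := "sha256:" + strings.Repeat("cd", 32)  // constructed tampered digest
	for _, algo := range []string{"RSA_PSS_SHA_256", "RSA_PKCS1_SHA_256"} {
		for _, t := range []SigType{Default, Simple} {
			sig, err := Sign(key, algo, Payload(t, digest, "v1.0"))
			if err != nil {
				panic(err)
			}
			fmt.Printf("%-18s type=%d same-tag=%-5v retagged=%-5v tampered=%v\n", algo, t,
				AdmitImage(pub, t, algo, digest, "v1.0", sig),
				AdmitImage(pub, t, algo, digest, "v1.1", sig),
				AdmitImage(pub, t, algo, forged, "v1.0", sig))
		}
	}
}
```

Run it with go run. A Default signature stops verifying as soon as the tag changes, which is why it fits verification inside one instance, while a Simple signature survives a retag after cross-instance replication but then says nothing about the tag, so a policy built on Simple signatures should resolve images by digest rather than trusting the tag it was pulled by. Both algorithms behave identically here; the choice between PSS and PKCS#1 v1.5 only has to match what the verifying side expects.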
Limitations
| Limitation | Details |
|---|---|
| New images only | Signing rules apply only to images pushed after the rule is created. Images already in the namespace are not signed. |
What's next
- Use the container signature feature: set up a signature verification policy to enforce signed images on ACK clusters.
- Introduction to kritis-validation-hook: deploy kritis-validation-hook to automatically block unsigned images from running.