This topic describes how to use Alibaba Cloud Container Registry (ACR), Key Management Service (KMS), Security Center, and kritis-validation-hook to enable automatic signature verification for container images. This ensures that only container images that are signed by trusted authorities are deployed. This reduces the risks of malicious code execution in your environment.

Step 1: Install kritis-validation-hook

  1. Log on to the ACK console.
  2. In the left-side navigation pane, choose Clusters > Clusters.
  3. On the Clusters page, find the target cluster and click Manage in the Actions column.
  4. In the left-side navigation pane, click Add-ons.
  5. On the Add-ons page, navigate to the Optional Add-ons section, find kritis-validation-hook, and click Install in the Actions column.

Step 2: Create a key in the KMS console

  1. Log on to the KMS console.
  2. In the upper-left corner of the Keys page, click Create Key.
  3. In the Create Key dialog box, set Alias Name and Description.
    Notice Select RSA_2048 for Key Spec and select SIGN/VERIFY for Purpose.
  4. Click Advanced and specify Key Material Source.
    • Alibaba Cloud KMS: Use KMS to generate key material.
    • External: Import key material from an external source. For more information about how to import key material, see Import and delete key material.
      Note If you select External, you must also select I understand the implications of using the external key materials key.
  5. Click OK.

Step 3: Create a witness in the Security Center console

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Container Signature.
  3. On the Witness tab, click Create Witness.
    Specify the witness information. For more information, see Container signature.
  4. Click OK.

Step 4: Enable image signing in ACR

  1. Log on to the Container Registry console.
  2. In the left-side navigation pane, choose Enterprise Instances > Instances.
  3. On the Instances page, find the target enterprise instance, and click the instance name or click Manage in the Actions column.
  4. In the left-side navigation pane of the Manage page, choose Repositories > Namespaces.
    Create a namespace and enable image signing for images in the namespace. For more information, see Basic operations on a namespace.
  5. Enable image signing for the created namespace.

    When you create a signature rule, select the witness that you created in Step 3.

    1. In the left-side navigation pane, choose Content Trust > Image Signature.
    2. On the Image Signature page, click Create Signature Rule.
      For more information about how to configure signature rules, see Configure a signature rule for automatic image signing.

Step 5: Enable signature verification in Security Center

To enable signature verification for a namespace, add and enable a security policy for the target cluster in the Security Center console.

  1. Log on to the Security Center console.
  2. In the left-side navigation pane, choose Precaution > Container Signature.
  3. On the Security Policy tab, click Add Policy.
    For more information about how to add a security policy, see Create a security policy.
  4. Click OK.

Step 6: Check whether signature verification is enabled

Note Currently, only images in the digest format are supported.

Run the following commands to check whether signature verification is enabled:

  • After signature verification is enabled for the default namespace, unsigned images are not allowed to be deployed in the namespace.
    # Specify an image by tag
    $ kubectl -n default create deployment not-sign --image=alpine:3.11 -- sleep 10
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine:3.11 is not attested
    
    # Specify an image by digest
    $ kubectl -n default create deployment not-sign --image=alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 is not attested
  • Push an image to a namespace where automatic image signing is enabled, and verify that the image can be deployed after it is signed.
    $ docker push kritis-demo-registry-vpc.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine:3.11
    The push refers to repository [kritis-demo-registry-vpc.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine]
    5216338b40a7: Pushed
    3.11: digest: sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 size: 528
    
    # Accept requests for deploying signed images
    $ kubectl -n default create deployment is-signed --image=kritis-demo-registry-vpc.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
    deployment.apps/is-signed created
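The Step 6 check above is manual. The following script is an added example, not part of the Alibaba Cloud documentation or of kritis-validation-hook: it runs the same kubectl commands, parses the webhook's denial message and the docker push digest line exactly as they appear in the output above, and reports whether enforcement is active in a namespace. It assumes kubectl is on PATH and already points at the target cluster, that the webhook name and message format match the Step 6 output, and it deletes any deployment it accidentally creates so the check leaves no residue.

```python
"""Check that kritis-validation-hook enforcement is active in a namespace.

Added example (not from the Alibaba Cloud documentation). Assumptions: kubectl
is on PATH and targets the cluster under test; the webhook name and the
"is not attested" denial text are those shown in the Step 6 output.
"""
import re
import subprocess
import sys
from typing import Optional, Tuple

WEBHOOK = "kritis-validation-hook-deployments.grafeas.io"
# Denial message format taken from the Step 6 output.
DENIED_RE = re.compile(
    r'admission webhook "' + re.escape(WEBHOOK) + r'" denied the request: '
    r"image (?P<image>\S+) is not attested"
)
CREATED_RE = re.compile(r"deployment\.apps/(?P<name>\S+) created")
# `docker push` prints "<tag>: digest: sha256:<64 hex> size: <n>" on success.
PUSH_DIGEST_RE = re.compile(r"digest: (?P<digest>sha256:[0-9a-f]{64})")


def classify(output: str) -> Tuple[str, Optional[str]]:
    """Classify the combined stdout/stderr of `kubectl create deployment`.

    Returns ("denied", image) when the webhook rejected the image,
    ("created", deployment_name) when the request was admitted, and
    ("unknown", None) for anything else (RBAC errors, connection failures).
    """
    m = DENIED_RE.search(output)
    if m:
        return "denied", m.group("image")
    m = CREATED_RE.search(output)
    if m:
        return "created", m.group("name")
    return "unknown", None


def digest_from_push_output(push_output: str) -> Optional[str]:
    """Extract the sha256 digest that `docker push` prints on success."""
    m = PUSH_DIGEST_RE.search(push_output)
    return m.group("digest") if m else None


def digest_reference(repository: str, digest: str) -> str:
    """Build the digest-form reference (repo@sha256:...) that Step 6 requires."""
    return f"{repository}@{digest}"


def try_deploy(namespace: str, name: str, image: str) -> Tuple[str, Optional[str]]:
    """Run the Step 6 kubectl command, classify the result, and clean up on success."""
    proc = subprocess.run(
        ["kubectl", "-n", namespace, "create", "deployment", name,
         f"--image={image}", "--", "sleep", "10"],
        capture_output=True, text=True,
    )
    result = classify(proc.stdout + proc.stderr)
    if result[0] == "created":
        # Remove the probe deployment so the check leaves nothing behind.
        subprocess.run(["kubectl", "-n", namespace, "delete", "deployment", name],
                       capture_output=True, text=True)
    return result


def main(argv) -> int:
    # Usage: check_enforcement.py <namespace> [unsigned-image] [signed-digest-image]
    namespace = argv[1] if len(argv) > 1 else "default"
    unsigned = argv[2] if len(argv) > 2 else "alpine:3.11"   # image used in Step 6
    signed = argv[3] if len(argv) > 3 else None
    rc = 0
    verdict, detail = try_deploy(namespace, "not-sign", unsigned)
    if verdict != "denied":
        print(f"FAIL: {unsigned} was not denied in {namespace} ({verdict}: {detail})")
        rc = 1
    else:
        print(f"OK: {detail} denied by {WEBHOOK}")
    if signed:
        verdict, detail = try_deploy(namespace, "is-signed", signed)
        if verdict != "created":
            print(f"FAIL: signed image {signed} was rejected ({verdict}: {detail})")
            rc = 1
        else:
            print(f"OK: signed image admitted as deployment {detail}")
    return rc


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_enforcement.py default alpine:3.11 <repo>@sha256:<digest>` after Step 5; a non-zero exit means either an unsigned image was admitted or a signed digest reference was rejected, which is the state you want to catch before relying on the policy.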