This topic describes how to use Container Registry, Key Management Service (KMS), Security Center, and kritis-validation-hook to automatically verify the signatures of container images. This allows you to deploy only container images that have been signed by trusted authorities. This also reduces the risk of malicious code execution in your environment.
Step 1: Install kritis-validation-hook
- Log on to the Container Service for Kubernetes (ACK) console.
- In the left-side navigation pane, click Clusters.
- On the Clusters page, find the cluster that you want to manage and click Details in the Actions column.
- In the left-side navigation pane, choose .
- In the Optional Add-ons section of the Add-ons page, find kritis-validation-hook and click Install in the Actions column of the add-on.
- Optional: Authorize your cluster to run kritis-validation-hook.
If you want to run kritis-validation-hook in a managed Kubernetes cluster, you must grant the cluster the permissions to access the related resources. For more information, see kritis-validation-hook introduction.
Note By default, dedicated Kubernetes clusters are granted the permissions to run kritis-validation-hook.
Step 2: Create a key that is used to sign images in the KMS console
- Log on to the KMS console.
- In the upper-left corner of the Keys page, click Create Key.
- In the Create Key dialog box, set Alias Name and Description.
- Click Advanced and specify Key Material Source.
- Alibaba Cloud KMS: Use KMS to generate key material.
- External: Import key material from an external source. For more information about how to import key material, see Import key material.
Note If you select External, you must also select I understand the implications of using the external key materials key.
- Click OK.
Step 3: Create a witness that uses the key in the Security Center console
Step 4: Enable image signing in Container Registry
- Log on to the Container Registry console.
- On the Instances page, find the Enterprise Edition instance that you want to manage and click the instance name or click Manage in the Actions column.
- In the left-side navigation pane of the Manage page, choose .
Create a namespace and enable image signing for images in the namespace. For more information, see Basic operations on a namespace.
- Enable image signing for the created namespace.
When you create signature signing rules, select the witness that is created in Step 3.
- In the left-side navigation pane, choose .
- On the Image Signature page, click Create Signature Rule.
For more information about how to configure signature signing rules, see Configure a signature rule for automatic image signing.
Step 5: Enable signature verification in Security Center
To enable signature verification for a namespace, add and enable a security policy for the cluster in the Security Center console.
Step 6: Check whether signature verification is enabled
Run the following commands to check whether signature verification is enabled:
- After signature verification is enabled for the default namespace, unsigned images cannot be deployed in the namespace, regardless of whether the image is specified by tag or by digest.
To specify an image by tag, run the following command:
kubectl -n default create deployment not-sign --image=alpine:3.11 -- sleep 10
Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine:3.11 is not attested
To specify an image by digest, run the following command:
kubectl -n default create deployment not-sign --image=alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 is not attested
- Push an image to a namespace where image signature signing is enabled, and verify that the image can be deployed after the image is signed.
docker push kritis-demo-registry-vpc.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine:3.11
The push refers to repository [kritis-demo-registry-vpc.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine]
5216338b40a7: Pushed
3.11: digest: sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 size: 528
To verify that the signed image can now be deployed, run the following command, which references the image by the digest reported by docker push:
kubectl -n default create deployment is-signed --image=kritis-demo-registry-vpc.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
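The signed deployment above references the image by digest rather than by tag, because the attestation is bound to the digest. The following helper, added here as an example and not part of the ACK documentation or of kritis-validation-hook, extracts the digest from captured docker push output, builds the digest-pinned reference, and refuses to compose a deploy command for a tag-only reference. The registry, namespace and digest are the sample values from the walkthrough above.

```shell
#!/bin/sh
# Example helper (not from the ACK docs): derive a digest-pinned image
# reference from `docker push` output and only build deploy commands for
# references pinned by digest, since the signature is bound to the digest.

# Constructed sample input: the docker push output shown in the walkthrough.
PUSH_OUTPUT='The push refers to repository [kritis-demo-registry-vpc.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine]
5216338b40a7: Pushed
3.11: digest: sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 size: 528'

# Read docker push output on stdin and print the first sha256 digest found.
digest_from_push_output() {
    sed -n 's/.*digest: \(sha256:[0-9a-f]\{64\}\).*/\1/p' | head -n 1
}

# Succeed only if the reference is pinned by a well-formed sha256 digest.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '^[^@]+@sha256:[0-9a-f]{64}$'
}

# pin_image <tagged-or-bare reference> <digest>: print repo@digest.
# The tag is stripped from the last path component only, so a registry
# port such as registry:5000/ns/img is left intact.
pin_image() {
    ref=${1%%@*}
    last=${ref##*/}
    case "$last" in
        *:*) ref=${ref%:*} ;;
    esac
    printf '%s@%s\n' "$ref" "$2"
}

# deploy_cmd <namespace> <deployment> <image>: print the kubectl command used
# in the walkthrough, or fail (exit 1) when the image is not digest-pinned.
deploy_cmd() {
    if ! is_digest_pinned "$3"; then
        echo "refusing tag-only or malformed image reference: $3" >&2
        return 1
    fi
    printf 'kubectl -n %s create deployment %s --image=%s -- sleep 10\n' "$1" "$2" "$3"
}

# Stand-alone run: print the deploy command for the pushed sample image.
if [ "${1:-}" = "demo" ]; then
    digest=$(printf '%s\n' "$PUSH_OUTPUT" | digest_from_push_output)
    deploy_cmd default is-signed "$(pin_image "kritis-demo-registry-vpc.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine:3.11" "$digest")"
fi
```

Run it as `sh pin.sh demo` to print the deploy command; replace PUSH_OUTPUT with the real docker push output when using it in a pipeline.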