
Container Service for Kubernetes:Use kritis-validation-hook to automatically verify container image signatures

Last Updated: Dec 11, 2025

This topic describes how to use Container Registry (ACR), Key Management Service (KMS), Security Center, and the kritis-validation-hook component to automatically verify container image signatures. ACR signs images with a KMS asymmetric key as they are pushed, and kritis-validation-hook acts as an admission webhook in the cluster that rejects any workload whose images do not carry a valid signature from the configured witness. This ensures that only images signed by a trusted authority are deployed and reduces the risk of running accidental or malicious code in your environment.

Prerequisites

  • You have activated Security Center:

    • Subscription: the Ultimate edition. If your current edition does not support this feature, you must upgrade.

    • Pay-as-you-go: Host and Container Security is enabled. If it is not, see Purchase.

  • You have created a KMS key that uses an asymmetric algorithm. For more information, see Manage keys.

    Important

    Container image signing produces a digital signature, which requires an asymmetric key pair: the private key signs the image and the public key verifies it. When you create the KMS key, set Key Specifications to RSA_2048 and Key Usage to SIGN/VERIFY. A symmetric key, or an RSA key created for ENCRYPT/DECRYPT, cannot be used as a signing witness. For more information about KMS key algorithms, see KMS Overview.

  • Your Container Registry instance must be a Premium Edition instance. Automatic image signing is configured per namespace on that instance (see Step 4).

Step 1: Install the kritis-validation-hook component

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the cluster you want and click its name. In the left navigation pane, click Add-ons.

  3. On the Add-ons page, on the Security tab, find the kritis-validation-hook component and click Install.

  4. Grant the required permissions to the kritis-validation-hook component.

    The component runs as an admission webhook and needs permission to read signature attestations for the images it validates. You must grant your cluster the permissions required to run kritis-validation-hook. For more information, see Authorize a cluster to access resources.

Step 2: Create a KMS key for container image signing

Create a customer master key (CMK) in KMS. For more information, see Manage keys.

Important

When you create the key, set Key Specifications to RSA_2048 and Key Usage to SIGN/VERIFY. Only a key with these settings can be selected as a witness certificate in Step 3.

Step 3: Configure a witness that uses the KMS key in Security Center

  1. Log on to the Security Center console.

  2. In the left navigation pane, select Protection Configuration > Container Protection > Container Image Signing .

  3. On the Witness tab, click Create Witness. Complete the following configuration items and click OK.

    • Witness Name: A witness is the signing authority that a container image signing security policy trusts for your target containers. Enter a recognizable name for the witness.

    • Select Certificate: Select the KMS key that you created in Step 2 from the certificate list.

    • Description: Enter a description for the witness.

Step 4: Enable automatic container image signing in ACR

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the name of the target Enterprise instance or Manage.

  5. In the navigation pane on the left of the Enterprise Instance management page, select Repository > Namespaces.

    You need to create a namespace and enable image signing for images within that namespace. For more information, see Manage namespaces.

  6. Enable automatic container image signing for the created namespace.

    When you add a signing rule, select the witness that you created in Step 3 in Security Center.

    1. In the left navigation pane, select Security and Trust > Image Signature.

    2. Click Create a signature rule and complete the configuration.

      For more information about how to configure image signing rules, see Configure automatic image signing rules.

Step 5: Enable container image signature verification in Security Center

Enable container image signature verification for a namespace in a Kubernetes cluster by adding and enabling a policy in Security Center. Once the policy is enabled, kritis-validation-hook rejects workloads in that namespace whose images are not attested by the selected witness.

  1. Log on to the Security Center console.

  2. In the left navigation pane, select Protection Configuration > Container Protection > Container Image Signing.

  3. On the Security Policy tab, click Create Policy. Complete the following configuration items and click OK.

    • Policy Name: Enter an informative name for the policy.

    • Witness: Select the witness that you created in Step 3 from the witness list. The policy only trusts images signed by this witness.

    • Application Cluster: Select the cluster to protect, then select the Cluster Namespace to which the policy applies.

    • Policy Status: Turn on the switch so that the policy is enabled as soon as it is created.

      Note

      The policy is disabled by default. A disabled policy does not take effect, and images in the namespace are deployed without signature verification.

    • Remarks: Enter a description of the security policy.

Step 6: Verify the automatic container image signature verification feature

Note

The signature attestation is bound to the image digest, not to the tag. If image tag immutability is not enabled for the repository, reference images by digest (name@sha256:...) in your workloads: a tag can be re-pointed to a different, unsigned image after the original was signed. For more information, see Enable image tag immutability.

Run the following commands to verify the automatic container image signature verification feature.

  • Verify that the deployment of unsigned container images is denied in the default namespace, where signature verification is enabled. The admission webhook rejects the request whether the image is referenced by tag or by digest, because neither reference has an attestation from the witness.

    To specify an image by tag, run the following command:

    kubectl -n default create deployment not-sign --image=alpine:3.11 -- sleep 10
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine:3.11 is not attested

    To specify an image by digest, run the following command:

    kubectl -n default create deployment not-sign --image=alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 is not attested
  • Push an image to a repository in the ACR namespace for which automatic signing is enabled. ACR signs the image with the witness key on push, so the digest printed by docker push is the one to reference. Then, verify that you can deploy this signed container image.

    docker push kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine:3.11
    The push refers to repository [kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine]
    5216338b40a7: Pushed
    3.11: digest: sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 size: 528

    The following command successfully deploys the automatically signed container image:

    kubectl -n default create deployment is-signed --image=kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
    deployment.apps/is-signed created
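The following script models the admission decision that the verification step above exercises, so the two outcomes (denied for alpine:3.11 and alpine@sha256:..., admitted for the digest pushed to the auto-signing namespace) can be reasoned about offline. It is an added illustration, not the code of kritis-validation-hook or of any Alibaba Cloud component. The attestation store, the tag-immutability table, the registry name kritis-demo.cn-hongkong.cr.aliyuncs.com used without the masked characters, the digests and the sample Deployment are all constructed for this example; the tag-resolution rule models the note about tag immutability and is an assumption about behaviour, not a documented API.

```python
"""Model of the admission check kritis-validation-hook performs on a Deployment.

Added example, not the webhook's own code. Assumptions (constructed here):
- ATTESTED holds "registry/repo@digest" strings the witness has signed; in the
  real setup ACR writes these attestations on push and the hook reads them.
- IMMUTABLE_TAGS maps "registry/repo:tag" to a digest for namespaces where tag
  immutability is enabled. A tag-only reference is trusted only if it is in
  this table; otherwise it is rejected, because the tag could be re-pointed to
  an unsigned image after signing and there is no digest to verify.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

FAKE_DIGEST = "sha256:" + "ab" * 32            # constructed, not a real image
SIGNED_IMAGE = "kritis-demo.cn-hongkong.cr.aliyuncs.com/kritis-demo/alpine"

ATTESTED: Set[str] = {f"{SIGNED_IMAGE}@{FAKE_DIGEST}"}
IMMUTABLE_TAGS: Dict[str, str] = {f"{SIGNED_IMAGE}:3.11": FAKE_DIGEST}

# registry host is optional (Docker Hub), then repo path, optional :tag, optional @digest
_IMAGE_RE = re.compile(
    r"^(?:(?P<registry>(?:[^/:@]+\.[^/:@]+|localhost)(?::\d+)?)/)?"
    r"(?P<repo>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"
)


@dataclass(frozen=True)
class ImageRef:
    registry: str
    repo: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def name(self) -> str:
        return f"{self.registry}/{self.repo}"


def parse_image(ref: str) -> ImageRef:
    """Split an image reference into registry, repository, tag and digest."""
    m = _IMAGE_RE.match(ref)
    if not m:
        raise ValueError(f"not a valid image reference: {ref!r}")
    registry = m.group("registry") or "docker.io"
    repo = m.group("repo")
    if registry == "docker.io" and "/" not in repo:
        repo = "library/" + repo                 # Docker Hub official images
    return ImageRef(registry, repo, m.group("tag"), m.group("digest"))


def admit(image: str,
          attested: Set[str] = ATTESTED,
          immutable_tags: Dict[str, str] = IMMUTABLE_TAGS) -> Optional[str]:
    """Return None if the image may run, otherwise the denial reason."""
    ref = parse_image(image)
    digest = ref.digest
    if digest is None:
        # Tag-only reference: resolvable only where the tag cannot move.
        digest = immutable_tags.get(f"{ref.name}:{ref.tag or 'latest'}")
        if digest is None:
            return f"image {image} is not attested"
    if f"{ref.name}@{digest}" not in attested:
        return f"image {image} is not attested"
    return None


def check_deployment(manifest: dict, **kw) -> List[str]:
    """Apply admit() to every container of a Deployment; empty list = admitted."""
    pod = manifest.get("spec", {}).get("template", {}).get("spec", {})
    denials: List[str] = []
    for key in ("initContainers", "containers"):
        for c in pod.get(key, []):
            reason = admit(c["image"], **kw)
            if reason:
                denials.append(f'container "{c["name"]}": {reason}')
    return denials


# Constructed sample: the unsigned deployment from the verification step.
SAMPLE_DEPLOYMENT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "not-sign", "namespace": "default"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "not-sign", "image": "alpine:3.11", "args": ["sleep", "10"]},
    ]}}},
}

if __name__ == "__main__":
    for img in ("alpine:3.11", f"alpine@{FAKE_DIGEST}",
                f"{SIGNED_IMAGE}@{FAKE_DIGEST}", f"{SIGNED_IMAGE}:3.11"):
        print(img, "->", admit(img) or "allowed")
    print(check_deployment(SAMPLE_DEPLOYMENT))
```

The check keys attestations on registry, repository and digest together, so the same bytes pushed under a different repository name are not admitted on the strength of another repository's signature; that is also why the public alpine@sha256:... reference in the verification step is denied even though the digest equals the one ACR signed.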
