Container Service for Kubernetes:Use kritis-validation-hook to automatically verify container image signatures

Last Updated:Sep 24, 2025

This topic describes how to use Container Registry (ACR), Key Management Service (KMS), Security Center, and the kritis-validation-hook component to automatically verify container image signatures. This practice ensures that you deploy only container images signed by trusted authorities and helps reduce the risk of accidental or malicious code in your environment.

Prerequisites

  • You have activated Security Center:

    • Subscription service: Ultimate (If you do not have this edition, please upgrade).

    • Pay-as-you-go service: The pay-as-you-go billing method for Host and Container Security is enabled. If the service is not enabled, you can go to the Purchase page to enable it.

  • You have created a KMS key that uses an asymmetric key encryption algorithm. For more information, see Manage keys.

    Important

    Because container image signing requires an asymmetric key algorithm, you must set Key Type to RSA_2048 and Key Purpose to SIGN/VERIFY when you create a KMS key. For more information about KMS key algorithms, see KMS Overview.

Step 1: Install the kritis-validation-hook component

  1. Log on to the ACK console. In the left navigation pane, click Clusters.

  2. On the Clusters page, find the one you want to manage and click its name. In the navigation pane on the left, click Add-ons.

  3. On the Add-ons page, on the Security tab, find the kritis-validation-hook component and click Install.

  4. Grant the required permissions to the kritis-validation-hook component.

    You must grant your cluster the permissions to run kritis-validation-hook. For more information, see Configure resource access permissions.

Step 2: Create a KMS key for container image signing

Create a customer master key (CMK). For more information, see Manage keys.

Important

When you create a key, set the Key Spec to RSA_2048 and the Purpose to Sign/Verify.

Step 3: Configure a witness that uses the KMS key in Security Center

  1. Log on to the Security Center console.

  2. In the left navigation pane, select Mitigation Settings > Container Protection > Container Image Signing.

  3. On the Witness tab, click Create Witness. Complete the configuration and click OK.

    Witness Name: A witness is required when you configure a container image signing security policy; it grants trusted authorization to your target containers. Enter a recognizable name for the witness.

    Select A Certificate: Select the KMS key that you created from the certificate list.

    Description: Enter a description for the witness.

Step 4: Enable automatic container image signing in ACR

  1. Log on to the Container Registry console.

  2. In the top navigation bar, select a region.

  3. In the left-side navigation pane, click Instances.

  4. On the Instances page, click the name of the target Enterprise instance, or click Manage.

    Note

    To add an Enterprise instance, click Create Enterprise Instance and set Instance Type to Premium Edition.

  5. In the navigation pane on the left of the Enterprise Instance management page, select Repository Management > Namespace.

    You need to create a namespace and enable image signing for images within that namespace. For more information, see Manage namespaces.

  6. Enable automatic container image signing for the created namespace.

    When you add a signing rule, select the witness that you created in Step 3 in Security Center.

    1. In the left navigation pane, select Security and Trust > Image Signing.

    2. Click Add Signing Rule on the Image Signing tab.

      For more information about how to configure image signing rules, see Configure automatic image signing rules.

Step 5: Enable container image signature verification in Security Center

Enable container image signature verification for a namespace in a Kubernetes cluster by adding and enabling a policy in Security Center.

  1. Log on to the Security Center console.

  2. In the left navigation pane, select Protection Configuration > Container Protection > Container Signature.

  3. On the Security Policy tab, click Add Policy. Configure the policy and click OK.

    Policy Name: When you configure a signing security policy, you must select a witness to grant trusted authorization to your target cluster. Enter an informative name.

    Witness: Select the witness that you created from the witness list.

    Application Cluster: Click the cluster group for container image signing. Then, select the target Cluster Namespace.

    Policy Enabled: Turn on the switch. The policy is automatically enabled after it is created.

      Note

      The policy is disabled by default. A disabled policy does not take effect.

    Note: Enter the description of the security policy.

Step 6: Verify the automatic container image signature verification feature

Note

If image tag immutability is not enabled, you must configure the image reference to use the digest format. For more information, see Enable image tag immutability.

Run the following commands to verify the automatic container image signature verification feature.

  • Verify that the deployment of unsigned container images is denied in the default namespace where signature verification is enabled.

    To specify an image by tag, run the following command:

    kubectl -n default create deployment not-sign --image=alpine:3.11 -- sleep 10
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine:3.11 is not attested

    To specify an image by digest, run the following command:

    kubectl -n default create deployment not-sign --image=alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
    Error from server: admission webhook "kritis-validation-hook-deployments.grafeas.io" denied the request: image alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 is not attested
  • Push an image to the Container Registry namespace for which automatic signing is enabled. Then, verify that you can use this signed container image to deploy a service.

    docker push kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine:3.11
    The push refers to repository [kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine]
    5216338b40a7: Pushed
    3.11: digest: sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 size: 528

    The following command successfully deploys the automatically signed container image:

    kubectl -n default create deployment is-signed --image=kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45 -- sleep 10
    deployment.apps/is-signed created
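Before applying a manifest to a namespace where the policy is enforced, it helps to know in advance which image references the webhook would reject for the two reasons shown above: the image does not come from the namespace with automatic signing, or it is referenced by tag rather than digest while tag immutability is off. The following added example (not part of this topic or of kritis-validation-hook) scans the image fields of a constructed Deployment manifest and flags both cases; the registry prefix reuses the masked placeholder from the commands above and the manifest is constructed for illustration.

```python
import re

# Matches the "image:" field of a Pod/Deployment manifest (a narrow regex, not a full YAML parser).
_IMAGE_LINE_RE = re.compile(r"^\s*(?:-\s+)?image:\s*[\"']?([^\s\"']+)", re.MULTILINE)
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

def parse_image_ref(ref):
    """Split an image reference into (repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not _DIGEST_RE.fullmatch(digest):
            raise ValueError("malformed digest in %r" % digest)
    head, _, last = ref.rpartition("/")
    tag = None
    if ":" in last:  # a colon after the last '/' is a tag, not a registry port
        last, tag = last.split(":", 1)
    repository = last if not head else head + "/" + last
    return repository, tag, digest

def check_image_ref(ref, signed_prefix, tag_immutability=False):
    """Return 'ok' or the reason the admission webhook would deny the image."""
    repository, tag, digest = parse_image_ref(ref)
    if not repository.startswith(signed_prefix):
        return "not-from-signed-namespace"
    if digest is None and not tag_immutability:
        return "tag-reference-without-digest"
    return "ok"

def audit_manifest(manifest, signed_prefix, tag_immutability=False):
    """Map every image reference found in the manifest to its check result."""
    return {ref: check_image_ref(ref, signed_prefix, tag_immutability)
            for ref in _IMAGE_LINE_RE.findall(manifest)}

# Placeholder registry/namespace prefix, masked as on the page (assumption: signing is enabled for it).
SIGNED_PREFIX = "kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/"

# Constructed sample manifest: one public image, one signed image by tag, one signed image by digest.
SAMPLE_MANIFEST = """apiVersion: apps/v1
kind: Deployment
metadata: {name: mixed, namespace: default}
spec:
  template:
    spec:
      containers:
        - name: public
          image: alpine:3.11
        - name: tagged
          image: "kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine:3.11"
        - name: pinned
          image: kritis-demo***.cn-hongkong.cr.aliyuncs.com/kritis-demo***/alpine@sha256:ddba4d27a7ffc3f86dd6c2f92041af252a1f23a8e742c90e6e1297bfa1bc0c45
"""

if __name__ == "__main__":
    for ref, verdict in audit_manifest(SAMPLE_MANIFEST, SIGNED_PREFIX).items():
        print(f"{verdict:30} {ref}")
```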