kritis-validation-hook verifies container image signatures before deployment, so only images signed by trusted authorities run in your ACK clusters. This reduces the risk of deploying unexpected or malicious code.
Overview
kritis-validation-hook integrates with Container Registry (ACR) and verifies images signed by Key Management Service (KMS). When a workload is created or updated, the component intercepts the request and checks whether the container image carries a valid signature. Requests that fail verification are blocked, and an event with the reason FailedKritisAdmission is generated in the kube-system namespace.
The component supports a dry-run mode, which is disabled by default. When dry-run is enabled, requests that fail verification are allowed through, and an event with the reason DryRunKritisAdmission is generated instead.
Supported Kubernetes resources: Deployment, DaemonSet, ReplicaSet, StatefulSet, Job, CronJob, ReplicationController, and ephemeral containers.
For setup instructions, see Use the kritis-validation-hook component to automatically verify container image signatures. For a detailed introduction to the component, see Introduction to the kritis-validation-hook component.
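The two event reasons described above can be triaged from an event export to see what is being blocked and what dry-run mode is letting through. This is an added example, not code from the component or its documentation: it assumes a JSON event list as returned by `kubectl get events -n kube-system -o json`, treats the event message as opaque text, and uses constructed sample events; `triage` and `admitted_despite_failure` are hypothetical helper names.

```python
import json
from collections import defaultdict

# Event reasons and namespace as documented for kritis-validation-hook.
BLOCKED = "FailedKritisAdmission"   # verification failed, request rejected
DRY_RUN = "DryRunKritisAdmission"   # verification failed, request allowed through
NAMESPACE = "kube-system"

# Constructed sample shaped like `kubectl get events -n kube-system -o json`.
# Messages and timestamps are invented; the real message format is not assumed.
SAMPLE = json.dumps({"items": [
    {"metadata": {"namespace": NAMESPACE}, "reason": DRY_RUN, "count": 4,
     "lastTimestamp": "2025-09-12T02:10:00Z", "message": "constructed: image A failed verification"},
    {"metadata": {"namespace": NAMESPACE}, "reason": DRY_RUN, "count": None,
     "lastTimestamp": None, "eventTime": "2025-09-12T03:00:00.000000Z",
     "message": "constructed: image A failed verification"},
    {"metadata": {"namespace": NAMESPACE}, "reason": BLOCKED, "count": 1,
     "lastTimestamp": "2025-09-11T23:45:00Z", "message": "constructed: image B failed verification"},
    {"metadata": {"namespace": NAMESPACE}, "reason": "Pulled", "count": 9,
     "lastTimestamp": "2025-09-12T01:00:00Z", "message": "constructed: unrelated event"},
    {"metadata": {"namespace": "default"}, "reason": BLOCKED, "count": 1,
     "lastTimestamp": "2025-09-12T01:00:00Z", "message": "constructed: wrong namespace"},
]})

def triage(raw_json):
    """Return {reason: {message: {"count": n, "last_seen": ts}}} for kritis events."""
    summary = {r: defaultdict(lambda: {"count": 0, "last_seen": ""})
               for r in (BLOCKED, DRY_RUN)}
    for ev in json.loads(raw_json).get("items", []):
        reason = ev.get("reason")
        namespace = (ev.get("metadata") or {}).get("namespace")
        if reason not in summary or namespace != NAMESPACE:
            continue
        entry = summary[reason][ev.get("message") or "<no message>"]
        # count and lastTimestamp can be null on events written via the newer events API.
        entry["count"] += ev.get("count") or 1
        seen = ev.get("lastTimestamp") or ev.get("eventTime") or ""
        entry["last_seen"] = max(entry["last_seen"], seen)
    return {reason: dict(groups) for reason, groups in summary.items()}

def admitted_despite_failure(summary):
    """Dry-run hits, most frequent first: requests allowed through after failing verification."""
    return sorted(summary[DRY_RUN].items(), key=lambda kv: -kv[1]["count"])

if __name__ == "__main__":
    result = triage(SAMPLE)
    for msg, info in admitted_despite_failure(result):
        print(f"ADMITTED (dry-run) x{info['count']} last={info['last_seen']}: {msg}")
    for msg, info in result[BLOCKED].items():
        print(f"BLOCKED x{info['count']} last={info['last_seen']}: {msg}")
```

A non-empty dry-run list means workloads with images that failed verification were admitted; clear it before turning dry-run off, or those same requests will start being blocked.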
Release notes
An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.
September 2025
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>0.13.0</p></td> <td><p>registry-cn-hangzhou.ack.aliyuncs.com/acs/kritis-server:0.13.0</p></td> <td><p>2025-09-11</p></td> <td> <ul> <li><p>The naming convention for component versions is changed.</p></li> <li><p>Golang is upgraded to 1.24.6 to improve component stability.</p></li> </ul></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
May 2025
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.12.0.0-g1535b25b-aliyun</p></td> <td><p>registry-cn-hangzhou.ack.aliyuncs.com/acs/kritis-server:v0.12.0.0-g1535b25b-aliyun</p></td> <td><p>2025-05-07</p></td> <td> <ul> <li><p>The component now obtains <b>Instance Metadata</b> in <b>Security Hardening Mode</b>. For more information, see <a href="https://www.alibabacloud.com/help/en/document_detail/108460.html">Instance metadata</a>.</p></li> <li><p>Golang is upgraded to 1.24.3 to improve component stability.</p></li> </ul></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
August 2024
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.11.0.0-gf0617391-aliyun</p></td> <td><p>registry-cn-hangzhou.ack.aliyuncs.com/acs/kritis-server:v0.11.0.0-gf0617391-aliyun</p></td> <td><p>2024-08-29</p></td> <td> <ul> <li><p>Adds support for configuring RAM Roles for Service Accounts (RRSA) authentication during component installation and upgrade.</p></li> <li><p>Verifies image signatures when you create and update StatefulSet, Job, CronJob, and ReplicationController resources.</p></li> </ul></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
July 2024
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.10.0.0-gde6f9437-aliyun</p></td> <td><p>registry-cn-hangzhou.ack.aliyuncs.com/acs/kritis-server:v0.10.0.0-gde6f9437-aliyun</p></td> <td><p>2024-07-04</p></td> <td> <ul> <li><p>Verifies image signatures for ephemeral containers.</p></li> <li><p>Verifies image signatures when you create and update Deployment, DaemonSet, and ReplicaSet resources.</p></li> </ul></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
April 2023
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.9.0.0-gb7aa45c7-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.9.0.0-gb7aa45c7-aliyun</p></td> <td><p>2023-04-17</p></td> <td><p>Supports Kubernetes 1.26.</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
August 2022
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.8.0.4-g61d3531e-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.8.0.4-g61d3531e-aliyun</p></td> <td><p>2022-08-05</p></td> <td> <ul> <li><p>Improves image signature verification speed in large-scale clusters.</p></li> <li><p>Supports ACK Serverless clusters running Kubernetes 1.22.</p></li> <li><p>Adds support for using RRSA to grant RAM permissions to the component. This is now the default authentication method for ACK Serverless clusters.</p></li> </ul></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
December 2021
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.6.0.5-gce1cc2d-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.6.0.5-gce1cc2d-aliyun</p></td> <td><p>2021-12-17</p></td> <td><p>Supports Kubernetes 1.22. Starting from this version, only clusters running Kubernetes 1.16 or later are supported.</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
November 2021
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.5.0.6-g525daee-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.5.0.6-g525daee-aliyun</p></td> <td><p>2021-11-15</p></td> <td> <ul> <li><p>Supports the new ACR image signature data format.</p></li> <li><p>Supports the ARM64 architecture.</p></li> </ul></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
June 2021
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.4.0.1-gb2862c4-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.4.0.1-gb2862c4-aliyun</p></td> <td><p>2021-06-10</p></td> <td><p>Supports installing kritis-validation-hook in registered clusters.</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
March 2021
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.3.1.4-ga89b624-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.3.1.4-ga89b624-aliyun</p></td> <td><p>2021-03-24</p></td> <td><p>Supports signature verification for images in repositories whose names contain forward slashes (/).</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
November 2020
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.2.7.2-g5fa671a-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.7.2-g5fa671a-aliyun</p></td> <td><p>2020-11-24</p></td> <td><p>Adds an image signature verification whitelist. Images on the whitelist skip signature verification.</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> <tr> <td><p>v0.2.6.4-g94b0940-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.6.4-g94b0940-aliyun</p></td> <td><p>2020-11-16</p></td> <td><p>Supports signature verification for images with the ACK image version immutability feature enabled. For more information, see <a href="https://www.alibabacloud.com/help/en/document_detail/186029.html#task-1961931">Enable image version immutability</a>.</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
August 2020
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.2.5.26-g75d5297-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.5.26-g75d5297-aliyun</p></td> <td><p>2020-08-12</p></td> <td> <ul> <li><p>By default, if signature verification fails, an event with the reason <b>FailedKritisAdmission</b> is generated in the kube-system namespace.</p></li> <li><p>Adds a dry-run mode (disabled by default). When enabled, requests that fail signature verification are allowed through, and an event with the reason <b>DryRunKritisAdmission</b> is generated in the kube-system namespace.</p></li> </ul></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
June 2020
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.2.4.1-ge5c1265-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.4.1-ge5c1265-aliyun</p></td> <td><p>2020-06-22</p></td> <td><p>Supports cross-region verification of signed ACR images.</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
April 2020
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.2.3.1-00e70883-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.3.1-00e70883-aliyun</p></td> <td><p>2020-04-07</p></td> <td><p>Improves performance and log content.</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>
March 2020
<table> <thead> <tr> <td><p><b>Version</b></p></td> <td><p><b>Image address</b></p></td> <td><p><b>Release date</b></p></td> <td><p><b>Changes</b></p></td> <td><p><b>Impact</b></p></td> </tr> </thead> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <colgroup></colgroup> <tbody> <tr> <td><p>v0.2.2.3-fe8a6319-aliyun</p></td> <td><p>registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.2.3-fe8a6319-aliyun</p></td> <td><p>2020-03-18</p></td> <td><p>Initial integration with Container Registry. Verifies signatures of images signed by KMS, so only trusted container images are deployed in ACK clusters.</p></td> <td><p>An abnormal component upgrade may cause cluster resource changes to fail. Upgrade the component during off-peak hours.</p></td> </tr> </tbody> </table>