Sign container images - Container Registry - Alibaba Cloud Documentation Center

Container Registry supports image signing. This feature prevents man-in-the-middle (MITM) attacks, and prevents unauthorized image updates or deployment. This way, image consistency can be ensured from distribution to deployment. Container Registry supports automatic image signing by namespace. Every time an image is pushed to Container Registry, Container Registry automatically signs the image based on the matched signature rule. This ensures that your container images are trustworthy.

Prerequisites

A Container Registry Enterprise Edition instance of Advanced Edition is created. For more information, see Create a Container Registry Enterprise Edition instance.
Key Management Service (KMS) is activated. For more information, see Activate KMS.

Create asymmetric keys

Log on to the KMS activation page.
In the upper-left corner of the KMS console, select the region in which you want to create an asymmetric key.
In the left-side navigation pane, click Keys. On the page that appears, click Create Key.
In the Create Key panel, configure the parameters and click OK.
The image signing feature is implemented based on asymmetric key algorithms. When you create the KMS key, select an EC or RSA key type and set the Purpose parameter to SIGN/VERIFY. For more information about other parameters, see Create a CMK.

Authorize Container Registry to use KMS keys

To allow Container Registry to read asymmetric keys within your account, configure a policy in Resource Access Management (RAM).

Log on to the RAM console.
In the left-side navigation pane, click RAM Roles.
On the RAM Roles page, create a RAM role named AliyunContainerRegistryKMSRole.
1. On the RAM Roles page, click Create RAM Role.
2. In the Select Role Type step, select a trusted entity type and click Next.
3. In the Configure Role step, set the RAM Role Name parameter to AliyunContainerRegistryKMSRole and select an Alibaba Cloud account. Then, click OK.
Modify the trust policy.
1. On the RAM Roles page, find the AliyunContainerRegistryKMSRole role and click its name in the RAM Role Name column.
2. Click the Trust Policy Management tab. On this tab, click Edit Trust Policy.
3. In the Edit Trust Policy panel, modify the trust policy and click OK.
```
{
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
                "Service": [
                    "cr.aliyuncs.com"
                ]
            }
        }
    ],
    "Version": "1"
}
```
Create a policy named AliyunContainerRegistryKMSRolePolicy.
1. In the left-side navigation pane, choose Permissions > Policies.
2. On the Policies page, click Create Policy.
3. On the Create Custom Policy page, set the Policy Name parameter to AliyunContainerRegistryKMSRolePolicy and the Configuration Mode parameter to Script. Then, configure the policy content in the code editor and click OK.
  Note You need to replace region and accountid with the actual information.
```
{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "kms:*"
            ],
            "Resource": "acs:kms:${region}:${accountid}:*"
        }
    ],
    "Version": "1"
}
```
In the left-side navigation pane, click RAM Roles. In the role list, find the AliyunContainerRegistryKMSRole role.
Click Add Permissions in the Actions column.
Click Custom Policy below Select Policy, find and click the AliyunContainerRegistryKMSRolePolicy policy, and then click OK.

Configure an authenticator and a verification policy

Log on to the Security Center console.
In the left-side navigation page, choose Security Prevention > Container Signature. On the Container Signature page, create an authenticator and associate it with the KMS key for image signing.
Optional:Optional. Create a verification policy to associate the authenticator with your Container Service for Kubernetes (ACK) cluster. For more information, see Use the container signature feature.

Configure a signature rule for automatic image signing

Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the required Container Registry Enterprise Edition instance.
On the management page of the Container Registry Enterprise Edition instance, choose Content Trust > Image Signature in the left-side navigation pane.
On the Image Signature page, click Create a signature rule.
In the Key Configuration step, select the authenticator that you create and associate with the KMS key in the Security Center console. Click Next.
In the Sign Configuration step, configure the parameters and click Create.
Note A signature rule applies only to new images that are pushed to the specified namespace. Existing images are not signed based on the signature rule.
- Algorithms: the algorithm that is used to sign images. Valid values: RSA_PSS_SHA_256 and RSA_PKCS1_SHA_256.
- Scope: the scope of the images that need to be automatically signed. You can select a namespace.
- Trigger Type: the mode in which image signing is triggered. The default value is Automatic Trigger, indicating that image signing is automatically triggered for each image that is pushed to Container Registry.

Verify image signatures

Use kritis-validation-hook to verify signatures of container images. For more information, see kritis-validation-hook introduction.

Note

You can use kritis-validation-hook to automatically verify image signatures in ACK clusters. You can set a policy to block image deployment if image signatures fail the verification. We recommend that you use this method.
You can also verify image signatures in Container Registry by using the signature verification feature of KMS.