kritis-validation-hook is a key component that is used to verify the signatures of container images. This topic describes the features, usage notes, and release notes for kritis-validation-hook.

Introduction

kritis-validation-hook is a key component that is used to verify the signatures of container images. You can use the signature verification feature to ensure that only images signed by trusted authorities are deployed. This reduces the risk of malicious code execution. For more information about kritis-validation-hook, see Introduction to kritis-validation-hook.

Usage notes

For more information about how to use kritis-validation-hook, see Use kritis-validation-hook to automatically verify the signatures of container images.

Release notes

August 2022

Version: v0.8.0.4-g61d3531e-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.8.0.4-g61d3531e-aliyun
Release date: 2022-08-05
Description: This version is in canary release.
  • Signature verification in large-scale clusters is accelerated.
  • ASK clusters that run Kubernetes 1.22 are supported.
  • The RAM Roles for Service Accounts (RRSA) feature can be used to configure the Resource Access Management (RAM) permissions that are required by kritis-validation-hook. By default, this method is used in serverless Kubernetes (ASK) clusters.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

December 2021

Version: v0.6.0.5-gce1cc2d-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.6.0.5-gce1cc2d-aliyun
Release date: 2021-12-17
Description: Kubernetes 1.22 is supported. v0.6.0.5-gce1cc2d-aliyun and later versions support only Kubernetes 1.16 and later.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

November 2021

Version: v0.5.0.6-g525daee-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.5.0.6-g525daee-aliyun
Release date: 2021-11-15
Description:
  • A new image signature format is supported by Container Registry.
  • The ARM64 architecture is supported.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

June 2021

Version: v0.4.0.1-gb2862c4-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.4.0.1-gb2862c4-aliyun
Release date: 2021-06-10
Description: New feature: kritis-validation-hook can be installed in registered clusters.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

March 2021

Version: v0.3.1.4-ga89b624-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.3.1.4-ga89b624-aliyun
Release date: 2021-03-24
Description: New feature: The signatures of images stored in repositories whose names contain forward slashes (/) can be verified.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

November 2020

Version: v0.2.7.2-g5fa671a-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.7.2-g5fa671a-aliyun
Release date: 2020-11-24
Description: The signature verification whitelist feature is supported. kritis-validation-hook does not verify the signatures of images that are included in a signature verification whitelist.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

Version: v0.2.6.4-g94b0940-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.6.4-g94b0940-aliyun
Release date: 2020-11-16
Description: New features: Signature verification is supported for Container Service for Kubernetes (ACK) images whose versions are immutable. For more information, see Configure a repository to be immutable.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

August 2020

Version: v0.2.5.26-g75d5297-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.5.26-g75d5297-aliyun
Release date: 2020-08-12
Description:
  • If a container image fails to pass signature verification, a cluster event is generated in the kube-system namespace. The cause of the event is FailedKritisAdmission.
  • The dry run mode is supported. By default, this mode is disabled.

    If the dry run mode is enabled, container images that fail to pass signature verification can be deployed. If an image that fails to pass signature verification is deployed, a cluster event is generated in the kube-system namespace. The cause of the event is DryRunKritisAdmission.

Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.
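
Added example (not part of the original release notes or the component's own code): a small triage script that separates enforced rejections from dry-run admissions in an event dump, so you can see what dry run is currently letting through. It assumes the cause named above appears in the standard Kubernetes event field reason; the sample events, object names and messages are constructed.

```python
import json
from collections import Counter

# Event causes named in the August 2020 release note.
BLOCKED = "FailedKritisAdmission"
DRY_RUN = "DryRunKritisAdmission"

# Constructed sample shaped like `kubectl get events -n kube-system -o json`.
# Object names and messages are invented for illustration.
SAMPLE = json.dumps({"items": [
    {"reason": BLOCKED, "count": 3, "message": "constructed",
     "involvedObject": {"kind": "Pod", "namespace": "prod", "name": "web-1"}},
    {"reason": DRY_RUN, "count": 2, "message": "constructed",
     "involvedObject": {"kind": "Pod", "namespace": "staging", "name": "api-1"}},
    {"reason": DRY_RUN, "count": None, "message": "constructed",
     "involvedObject": {"kind": "Pod", "namespace": "staging", "name": "api-2"}},
    {"reason": "Scheduled", "count": 1, "message": "constructed",
     "involvedObject": {"kind": "Pod", "namespace": "kube-system", "name": "dns-1"}},
]})


def summarize(events_json):
    """Return (occurrences per cause, objects admitted only because dry run is on)."""
    totals = Counter()
    dry_run_objects = set()
    for ev in json.loads(events_json).get("items", []):
        reason = ev.get("reason")
        if reason not in (BLOCKED, DRY_RUN):
            continue  # unrelated kube-system event
        totals[reason] += ev.get("count") or 1  # count can be null; treat as one
        if reason == DRY_RUN:
            obj = ev.get("involvedObject") or {}
            dry_run_objects.add((obj.get("kind", ""), obj.get("namespace", ""),
                                 obj.get("name", "")))
    return dict(totals), sorted(dry_run_objects)


if __name__ == "__main__":
    totals, would_block = summarize(SAMPLE)
    print(totals)
    for kind, ns, name in would_block:
        print(f"would be rejected with dry run off: {kind} {ns}/{name}")
```

To run it against a cluster, pass the output of kubectl get events -n kube-system -o json to summarize() in place of SAMPLE.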

June 2020

Version: v0.2.4.1-ge5c1265-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.4.1-ge5c1265-aliyun
Release date: 2020-06-22
Description: The signatures of Container Registry images stored in regions other than the current region can be verified.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

April 2020

Version: v0.2.3.1-00e70883-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.3.1-00e70883-aliyun
Release date: 2020-04-07
Description: Performance is improved and log content is optimized.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.

March 2020

Version: v0.2.2.3-fe8a6319-aliyun
Image address: registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.2.3-fe8a6319-aliyun
Release date: 2020-03-18
Description: kritis-validation-hook is integrated with Container Registry. You can verify the signatures of images that are signed by Key Management Service (KMS). This ensures that only trusted images are deployed in ACK clusters.
Impact: If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours.