kritis-validation-hook is a key component that is used to verify the signatures of
container images. This topic describes the features, usage notes, and release notes
for kritis-validation-hook.
Introduction
With kritis-validation-hook, you can use the signature verification feature to ensure that only
images signed by trusted authorities are deployed. This reduces the risk of malicious
code execution. For more information about kritis-validation-hook, see Introduction to kritis-validation-hook.
Release notes
August 2022
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.8.0.4-g61d3531e-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.8.0.4-g61d3531e-aliyun | 2022-08-05 | This version is in canary release. Signature verification in large-scale clusters is accelerated. ASK clusters that run Kubernetes 1.22 are supported. The RAM Roles for Service Accounts (RRSA) feature can be used to configure the Resource Access Management (RAM) permissions that are required by kritis-validation-hook. By default, this method is used in serverless Kubernetes (ASK) clusters. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
December 2021
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.6.0.5-gce1cc2d-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.6.0.5-gce1cc2d-aliyun | 2021-12-17 | Kubernetes 1.22 is supported. v0.6.0.5-gce1cc2d-aliyun and later versions support only Kubernetes 1.16 and later. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
November 2021
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.5.0.6-g525daee-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.5.0.6-g525daee-aliyun | 2021-11-15 | A new image signature format is supported by Container Registry. The ARM64 architecture is supported. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
June 2021
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.4.0.1-gb2862c4-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.4.0.1-gb2862c4-aliyun | 2021-06-10 | New feature: kritis-validation-hook can be installed in registered clusters. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
March 2021
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.3.1.4-ga89b624-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.3.1.4-ga89b624-aliyun | 2021-03-24 | New feature: The signatures of images stored in repositories whose names contain forward slashes (/) can be verified. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
November 2020
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.2.7.2-g5fa671a-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.7.2-g5fa671a-aliyun | 2020-11-24 | The signature verification whitelist feature is supported. kritis-validation-hook does not verify the signatures of images that are included in a signature verification whitelist. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
| v0.2.6.4-g94b0940-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.6.4-g94b0940-aliyun | 2020-11-16 | New feature: Signature verification is supported for Container Service for Kubernetes (ACK) images whose versions are immutable. For more information, see Configure a repository to be immutable. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
August 2020
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.2.5.26-g75d5297-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.5.26-g75d5297-aliyun | 2020-08-12 | If a container image fails to pass signature verification, a cluster event is generated in the kube-system namespace. The cause of the event is FailedKritisAdmission. The dry run mode is supported. By default, this mode is disabled. If the dry run mode is enabled, container images that fail to pass signature verification can be deployed. If an image that fails to pass signature verification is deployed, a cluster event is generated in the kube-system namespace. The cause of the event is DryRunKritisAdmission. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
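The following Python script is an added example, not part of the original release notes or the component's own code. It summarizes the FailedKritisAdmission and DryRunKritisAdmission events described in the v0.2.5.26 entry from output shaped like `kubectl get events -n kube-system -o json`. It assumes the event cause corresponds to the standard Kubernetes Event `reason` field; the sample events, image names, and message text are constructed.

```python
import json
from collections import Counter

# Event reasons named in the August 2020 release note.
BLOCKED = "FailedKritisAdmission"
DRY_RUN = "DryRunKritisAdmission"

# Constructed sample shaped like `kubectl get events -n kube-system -o json`.
# Image names and message text are invented; the real message format is not
# documented on this page.
MSG_WEB = "constructed: registry.example.com/shop/web:2.1 failed signature verification"
MSG_API = "constructed: registry.example.com/shop/api:1.4 failed signature verification"
SAMPLE_EVENTS = json.dumps({"items": [
    {"reason": BLOCKED, "count": 3, "message": MSG_WEB,
     "lastTimestamp": "2020-08-20T10:02:11Z"},
    {"reason": DRY_RUN, "count": 1, "message": MSG_API,
     "lastTimestamp": "2020-08-20T10:05:40Z"},
    {"reason": DRY_RUN, "message": MSG_API,  # no count: treated as one occurrence
     "lastTimestamp": "2020-08-20T11:15:02Z"},
    {"reason": "Pulled", "count": 1, "message": "unrelated event",
     "lastTimestamp": "2020-08-20T11:16:00Z"},
]})


def summarize_kritis_events(events_json):
    """Return {reason: Counter(message -> occurrences)} for the two kritis reasons."""
    summary = {BLOCKED: Counter(), DRY_RUN: Counter()}
    for event in json.loads(events_json).get("items", []):
        reason = event.get("reason")
        if reason in summary:
            # `count` aggregates repeated events; a missing value means one.
            summary[reason][event.get("message", "")] += event.get("count") or 1
    return summary


def admitted_under_dry_run(summary):
    """Messages for images that were deployed only because dry run is enabled."""
    return sorted(summary[DRY_RUN])


if __name__ == "__main__":
    result = summarize_kritis_events(SAMPLE_EVENTS)
    for reason, messages in result.items():
        for message, n in messages.most_common():
            print(f"{reason}\t{n}\t{message}")
    print("resolve before disabling dry run:", admitted_under_dry_run(result))
```

Reviewing the DryRunKritisAdmission list before dry run mode is disabled shows which images would start being rejected once verification is enforced.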
June 2020
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.2.4.1-ge5c1265-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.4.1-ge5c1265-aliyun | 2020-06-22 | The signatures of Container Registry images stored in regions other than the current region can be verified. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
April 2020
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.2.3.1-00e70883-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.3.1-00e70883-aliyun | 2020-04-07 | Performance is improved and log content is optimized. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |
March 2020
| Version | Image address | Release date | Description | Impact |
| --- | --- | --- | --- | --- |
| v0.2.2.3-fe8a6319-aliyun | registry.cn-hangzhou.aliyuncs.com/acs/kritis-server:v0.2.2.3-fe8a6319-aliyun | 2020-03-18 | kritis-validation-hook is integrated with Container Registry. You can verify the signatures of images that are signed by Key Management Service (KMS). This ensures that only trusted images are deployed in ACK clusters. | If exceptions occur when the system updates kritis-validation-hook, cluster resources may fail to be updated. We recommend that you update the component during off-peak hours. |