The container signature feature signs container images and verifies those signatures before a container is allowed to start. Only images that carry a valid signature from a trusted key are deployed, and unsigned or unauthorized images are blocked from starting. This reinforces your asset security.
Prerequisites
You must complete the following operations before you can use the container signature
feature:
- A customer master key (CMK) is created in Key Management Service (KMS). The CMK must use an asymmetric key algorithm with the Sign/Verify purpose: the private key never leaves KMS and is used to sign images, and the public key is used to verify the signatures.
  Notice: Only asymmetric key algorithms support the container signature feature. When you create the KMS CMK, set Key Spec to RSA_2048 and Purpose to Sign/Verify. A CMK created with the Encrypt/Decrypt purpose cannot be selected for a witness. For more information about the key algorithms supported by KMS CMKs, see Description of encryption algorithms supported by KMS.
- A Kubernetes cluster is created, and the kritis-validation-hook component is installed in the cluster. kritis-validation-hook is the admission webhook that verifies image signatures when pods are created; without it, a security policy is created but not enforced.
  For more information about how to create Kubernetes clusters, see Create an ACK dedicated cluster.
  For more information about the kritis-validation-hook component, see Introduction to kritis-validation-hook.
- If this is the first time that you use the container signature feature, you must grant
Security Center the required permissions to access relevant Alibaba Cloud services.

Limits
Only Security Center Ultimate supports this feature. If you do not use the Ultimate
edition, you must upgrade Security Center to the Ultimate edition before you can use
this feature. For more information about how to purchase and upgrade Security Center,
see Purchase Security Center and Upgrade and downgrade Security Center. For more information about the features that each edition supports, see Features.
Procedure
- Log on to the Security Center console.
- In the left-side navigation pane, choose .
- Optional: On the Container Signature page, click the Witness tab to create a witness.
  If you have already created a witness, skip this step and go to Step 4.
  Otherwise, click Create a witness on the Witness tab. In the panel that appears, configure the parameters and click OK.
The following table describes the parameters.
Parameter | Description
Witness | Enter the name of the witness. When you configure a security policy, you must select a witness to enable the container signature feature for the required container. We recommend that you enter an informative name.
Select a certificate | Select the KMS CMK that you created from the certificate list. Notice: Only asymmetric key algorithms support the container signature feature. When you create a KMS CMK, set Key Spec to RSA_2048 and Purpose to Sign/Verify. For more information about the key algorithms supported by KMS CMKs, see Description of encryption algorithms supported by KMS.
Description | Enter the description of the witness.
- Create a security policy.
On the Security Policy tab, click Add Policy. In the panel that appears, configure the parameters and click OK.
The following table describes the parameters.
Parameter | Description
Policy Name | Enter the name of the security policy. When you configure a security policy, you must select a witness to enable the container signature feature for the required cluster. We recommend that you enter an informative name.
Witness | Select the witness that you created from the witness list. Images started in the selected cluster namespaces must be signed with the KMS CMK of this witness. For more information about how to create a witness, see Step 3.
Application Cluster | Select the cluster for which you want to enable the container signature feature. Then, select the required Cluster Namespace. Only containers started in the selected namespaces are checked.
Policy Enabled | Turn on the switch so that the policy takes effect as soon as it is created. Note: The switch is turned off by default. If you leave it off, the policy is created but does not take effect until you enable it.
Note | Enter the description of the security policy.
What to do next
After you create and enable a security policy, the container signature feature takes effect on the containers that are started in the cluster namespaces that you selected when you configured the policy. A container whose image passes signature verification is labeled as Trusted Image, and a container whose image is unsigned or fails verification is not allowed to start.
Note: The feature that displays trusted signature labels is not available.
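The following Go program is an added example, not code from Security Center or from the kritis-validation-hook component, that shows the decision the procedure above configures: a witness holds the public half of an RSA-2048 Sign/Verify key, a policy binds that witness to cluster namespaces, and an admission check admits a pod only when every container image is pinned by digest and carries a signature that verifies under the witness key. It assumes a locally generated RSA-2048 key in place of the KMS CMK (with a real CMK the private key never leaves KMS), RSA-PSS with SHA-256 as the signing algorithm, and a constructed in-memory signature store keyed by image digest; the `Policy`, `Witness`, `Admit` and `ParseDigest` names are illustrative, not product APIs.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"strings"
)

// Witness pairs a name with the public half of an RSA-2048 Sign/Verify key.
// With a real KMS CMK only the public key is exported; signing happens inside KMS.
type Witness struct {
	Name   string
	Public *rsa.PublicKey
}

// Policy maps a cluster namespace to the witness whose signatures are trusted there.
// Namespaces absent from the map are not covered and are admitted without checks.
type Policy map[string]Witness

// NewWitnessKey stands in for creating the KMS CMK (assumption: a local RSA-2048 key).
func NewWitnessKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// ParseDigest returns the sha256 digest of an image reference pinned by digest.
// Tag-only references such as "repo:v1" are rejected: a tag can be repointed to
// a different image after signing, so a signature is only meaningful over a digest.
func ParseDigest(ref string) (string, bool) {
	i := strings.Index(ref, "@sha256:")
	if i < 0 {
		return "", false
	}
	d := ref[i+1:]
	if len(d) != len("sha256:")+64 {
		return "", false
	}
	return d, true
}

// SignDigest signs the digest string with RSA-PSS/SHA-256 (assumed KMS algorithm).
func SignDigest(priv *rsa.PrivateKey, digest string) ([]byte, error) {
	h := sha256.Sum256([]byte(digest))
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
}

// VerifyDigest checks sig over digest against the witness public key.
func VerifyDigest(pub *rsa.PublicKey, digest string, sig []byte) bool {
	h := sha256.Sum256([]byte(digest))
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

// Admit decides whether a pod in namespace with the given container images may start.
// sigs is the signature store: digest -> signature produced by the witness key.
func Admit(p Policy, namespace string, images []string, sigs map[string][]byte) (bool, string) {
	w, covered := p[namespace]
	if !covered {
		return true, "namespace not covered by a signature policy"
	}
	for _, img := range images {
		d, ok := ParseDigest(img)
		if !ok {
			return false, fmt.Sprintf("%s: not pinned by sha256 digest", img)
		}
		sig, ok := sigs[d]
		if !ok {
			return false, fmt.Sprintf("%s: no signature recorded", img)
		}
		if !VerifyDigest(w.Public, d, sig) {
			return false, fmt.Sprintf("%s: signature not valid for witness %q", img, w.Name)
		}
	}
	return true, "all images carry a valid signature"
}

func main() {
	key, err := NewWitnessKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample digest; it does not refer to a real image.
	digest := "sha256:" + strings.Repeat("ab", 32)
	sig, _ := SignDigest(key, digest)
	policy := Policy{"prod": {Name: "prod-witness", Public: &key.PublicKey}}
	sigs := map[string][]byte{digest: sig}
	ok, why := Admit(policy, "prod", []string{"registry.example/app@" + digest}, sigs)
	fmt.Println(ok, why)
	ok, why = Admit(policy, "prod", []string{"registry.example/app:v1"}, sigs)
	fmt.Println(ok, why)
}
```

Two points carry over to the real feature: the check is only as strong as the namespace coverage of the policy, since pods in namespaces outside the policy are never inspected, and the witness key must be a Sign/Verify key, because an Encrypt/Decrypt RSA key cannot produce or verify the signatures this check relies on.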