The container image signing feature lets you sign container images and verify their signatures before deployment. Only images with valid signatures are allowed to start in your Kubernetes clusters, preventing unauthorized images from running.
Limitations
Only the Ultimate edition of Security Center supports this feature. To purchase or upgrade, see Purchase Security Center and Upgrade and downgrade Security Center.
How it works
The feature uses two components:
Witness: A named entity that binds a Key Management Service (KMS) customer master key (CMK) to a signing identity. A witness acts as the trusted anchor that confirms which cryptographic key is authorized to sign images for your organization. When you configure a security policy, you select a witness to specify which CMK verifies image signatures.
Security policy: A rule that associates a witness with an ACK cluster and namespace. When the policy is enabled, only container images with valid signatures — verified by the bound CMK — can be deployed in the specified cluster namespace.
The kritis-validation-hook admission controller in your Kubernetes cluster enforces the policy at deploy time.
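To make the verification path concrete, the following Go program is an added illustration written for this page; it is not the kritis-validation-hook source or Security Center's implementation. It models a witness as a name bound to a public key, a security policy as that witness scoped to one cluster namespace with an off-by-default Enabled switch, and the admission check as a signature verification over the image digest. A locally generated RSA-2048 key stands in for the KMS CMK (with real KMS the private key never leaves the service), and the cluster name, namespace and digest are constructed values. It also shows the two failure modes the text implies: an unsigned image and an image signed with a key other than the witness's.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Witness binds a name to the public half of an asymmetric signing key.
// In Security Center this is a KMS CMK (RSA_2048, Sign/Verify); a local
// key stands in for it here (assumption for this example).
type Witness struct {
	Name   string
	PubKey *rsa.PublicKey
}

// Policy scopes a witness to one namespace of one cluster. Enabled is off
// by default, as the console switch is.
type Policy struct {
	Name      string
	Witness   Witness
	Cluster   string
	Namespace string
	Enabled   bool
}

// AdmissionRequest is the part of a container start request the check needs.
type AdmissionRequest struct {
	Cluster     string
	Namespace   string
	ImageDigest string // content digest of the image, e.g. "sha256:..."
	Signature   []byte // signature over the digest; empty if unsigned
}

// Admit decides whether the image may start. Requests outside the policy's
// cluster/namespace are left alone; inside it, only a signature that
// verifies under the witness key is accepted.
func Admit(p Policy, r AdmissionRequest) (bool, string) {
	if !p.Enabled || p.Cluster != r.Cluster || p.Namespace != r.Namespace {
		return true, "outside scope of policy " + p.Name
	}
	if len(r.Signature) == 0 {
		return false, "blocked: no signature for " + r.ImageDigest
	}
	hashed := sha256.Sum256([]byte(r.ImageDigest))
	if err := rsa.VerifyPKCS1v15(p.Witness.PubKey, crypto.SHA256, hashed[:], r.Signature); err != nil {
		return false, "blocked: signature does not verify under witness " + p.Witness.Name
	}
	return true, "Trusted Image"
}

// SignDigest models the KMS Sign operation on the CMK (assumption: a local
// private key is used only so the example runs offline).
func SignDigest(priv *rsa.PrivateKey, digest string) ([]byte, error) {
	hashed := sha256.Sum256([]byte(digest))
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, hashed[:])
}

func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Demo runs four constructed requests through one enabled policy and returns
// the verdicts in order: correctly signed, unsigned, signed by another key,
// and unsigned but in a namespace the policy does not cover.
func Demo() ([]bool, []string, error) {
	cmk, otherKey := newKey(), newKey()
	policy := Policy{
		Name:      "prod-image-policy",
		Witness:   Witness{Name: "prod-witness", PubKey: &cmk.PublicKey},
		Cluster:   "ack-demo",
		Namespace: "prod",
		Enabled:   true,
	}
	digest := "sha256:0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9" // constructed
	good, err := SignDigest(cmk, digest)
	if err != nil {
		return nil, nil, err
	}
	wrongKey, err := SignDigest(otherKey, digest)
	if err != nil {
		return nil, nil, err
	}
	requests := []AdmissionRequest{
		{Cluster: "ack-demo", Namespace: "prod", ImageDigest: digest, Signature: good},
		{Cluster: "ack-demo", Namespace: "prod", ImageDigest: digest},
		{Cluster: "ack-demo", Namespace: "prod", ImageDigest: digest, Signature: wrongKey},
		{Cluster: "ack-demo", Namespace: "staging", ImageDigest: digest},
	}
	var allowed []bool
	var reasons []string
	for _, r := range requests {
		ok, why := Admit(policy, r)
		allowed = append(allowed, ok)
		reasons = append(reasons, why)
	}
	return allowed, reasons, nil
}

func main() {
	allowed, reasons, err := Demo()
	if err != nil {
		panic(err)
	}
	for i := range allowed {
		fmt.Printf("request %d: allowed=%v (%s)\n", i+1, allowed[i], reasons[i])
	}
}
```

The fourth request is the reason the page recommends testing in a non-production namespace first: a policy only blocks in the namespace it is bound to, so staging traffic is untouched while the production rule is enabled, and an unsigned image that deploys fine in staging will be refused once the same policy covers production.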
Prerequisites
Before you begin, ensure that you have:
A KMS CMK created with an asymmetric key algorithm. Set Key Spec to RSA_2048 and Purpose to Sign/Verify. Only asymmetric key algorithms are supported. For instructions, see Create a CMK. For supported key algorithms, see Encryption algorithms supported by KMS.
A Kubernetes cluster with the kritis-validation-hook component installed. For cluster creation instructions, see Create an ACK dedicated cluster. For component details, see Introduction to kritis-validation-hook.
Security Center permissions to access the required Alibaba Cloud services (required for first-time use).
Set up container image signing
Step 1: Create a witness
Log on to the Security Center console. In the top navigation bar, select the region of the asset — China or Outside China.
In the left-side navigation pane, choose Protection Configuration > Container Protection > Container Image Signing.
On the Witness tab, click Create a witness. If you already have a witness, skip this step and go to Step 2.
In the panel that appears, configure the following parameters and click OK.
Witness: A name for the witness. Use a descriptive name, because you select this witness by name when creating a security policy.
Select a certificate: The KMS CMK to associate with this witness. Select the CMK you created from the list.
Description: (Optional) A description of the witness.
Step 2: Create and enable a security policy
On the Security Policy tab, click Add Policy.
In the panel that appears, configure the following parameters and click OK.
Important: Test the policy in a non-production namespace before applying it to production. When the policy is enabled, any container without a valid image signature is blocked from starting.
Policy Name: A name for the security policy. Use a descriptive name.
Witness: The witness to use for signature verification. Select the witness you created in Step 1.
Application Cluster: The ACK cluster to protect. After selecting a cluster, select the target Cluster Namespace.
Policy Enabled: Turn on the switch to activate the policy immediately after creation. The switch is off by default; the policy has no effect until it is enabled.
Note: (Optional) A description of the security policy.
Result
After you create and enable a security policy, the feature takes effect on the selected cluster namespace. An image that passes verification and is used to start a container in that namespace is labeled Trusted Image in Security Center.