Updated on 2024-11-12 GMT+08:00

Container Image Signature Verification

Introduction

swr-cosign is used to sign image files and verify their integrity and authenticity. This prevents image files from being tampered with or implanted with malicious code.

Notes and Constraints

  • An SWR Enterprise instance has been created before you use the image signature verification function.

Installing the Add-on

  1. Log in to the CCE console and click a cluster name to access the cluster. In the navigation pane, choose Add-ons, locate Container Image Signature Verification on the right, and click Install.
  2. On the Install Add-on page, configure the specifications as needed.

    • If you selected Preset, you can choose between Small or Large based on the cluster scale. The system will automatically set the number of add-on pods and resource quotas according to the preset specifications. You can see the configurations on the console.

      The small specification specifies that the add-on runs in one pod, which is ideal for clusters with fewer than 50 concurrent image downloads. The large specification specifies that the add-on runs in two pods, which is more appropriate for clusters with fewer than 300 concurrent image downloads.

    • If you selected Custom, you can adjust the number of pods and resource quotas as needed. High availability is not possible with a single pod. If an error occurs on the node where the add-on instance runs, the add-on will fail.

  3. Configure the add-on parameters.

    Table 1 swr-cosign parameters

    Parameter                     Description
    KMS key                       Select a key. Only EC_P256, EC_P384, and SM2 are supported. You can add a key using KMS.
    Signature Verification Image  Enter a regular expression for the path to a signature verification image. For example, if you enter docker.io/**, the signature of the image in the docker.io image repository will be verified. To verify the signatures of all images, enter **.

  4. Click Install.

    After the add-on is installed, select the cluster and choose Add-ons in the navigation pane. On the displayed page, view the add-on in the Add-ons Installed area.

Components

Table 2 Add-on components

Component   Description                                                                                                  Resource Type
swr-cosign  swr-cosign verifies digital signatures of image files to ensure that the image files are not tampered with.  Deployment

How to Use

  1. Install swr-cosign and configure the KMS key and image address as instructed in Installing the Add-on.
  2. Add the policy.sigstore.dev/include:true label to the namespace that requires signature verification.

    1. In the navigation pane of the cluster console, click Namespaces.
    2. Locate the namespace to be verified. In the Operation column, choose More > Manage Label.
    3. Add a label.
      • Key: policy.sigstore.dev/include
      • Value: true
    4. Click OK.

  3. Check whether image signature verification is enabled.

    1. In the navigation pane of the cluster console, click Workloads.
    2. Click Create Workload in the upper right corner.
    3. Select the namespace where the label was added, enter the unsigned image path, and set other parameters as instructed in Creating a Deployment.
    4. Click Create Workload.
      Unsigned images will be blocked. The following information is displayed:
      admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: cip-key-secret-match: spec.template.spec.containers[0].image ...

  4. Sign an image.

    1. Log in to the SWR enterprise repository and access an existing repository.
    2. In the navigation pane, choose Security > Image Signature and create a signature rule.
      • Name: Name the signature rule.
      • Organization: Select a container image organization.
      • Application Scope:
        • Image: Select the image to be signed. You can also use a regular expression to match multiple images.
        • Version: Select an image version. If this parameter is left blank or set to **, all versions of the image are matched.
      • Signing Method: Select KMS.
      • Signature Key: Select a KMS key. The key must be the same as that used during add-on installation.
      • Trigger Mode:
        • Manual: After a signature rule is created, manually execute the rule to sign the image.
        • Event + manual: The image can be signed by events or manually.
      • Description: Enter the description of the rule.
    3. After the signature rule is created, click Execute to sign the selected image.
    4. After the image is signed, in the navigation pane, choose Artifact Repositories > Image Repositories and click the image name to view the image details. The image already has a signature attachment.

  5. Go back to the CCE console, and check whether the signed image can be used to create a workload successfully.
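The two conditions that decide whether the webhook checks an image at all (the namespace label from step 2 and the Signature Verification Image pattern from Table 1), plus a check for the denial message shown in step 3, as an added example that is not part of this page or of swr-cosign itself. It assumes the pattern follows Sigstore policy-controller glob semantics (`**` matches across `/`, `*` within one path segment) and that image references are already fully qualified; the `verification_required` and `parse_denial` helpers are hypothetical names.

```python
import re

# Assumption (not stated on the page): the "Signature Verification Image" pattern
# uses glob semantics as in the Sigstore policy-controller, where "**" matches
# any characters including "/" and "*" matches any characters except "/".
def glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an image glob such as "docker.io/**" into an anchored regex."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out.append(".*")
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def image_in_scope(image: str, pattern: str) -> bool:
    """True if the (fully qualified) image reference matches the add-on pattern."""
    return glob_to_regex(pattern).match(image) is not None


def verification_required(namespace_labels: dict, image: str, pattern: str) -> bool:
    """Hypothetical helper: both conditions from the page must hold before the
    webhook verifies a signature: the namespace carries
    policy.sigstore.dev/include=true and the image matches the pattern."""
    if namespace_labels.get("policy.sigstore.dev/include") != "true":
        return False
    return image_in_scope(image, pattern)


# Matches the denial text the page shows for a blocked unsigned image.
DENIAL_RE = re.compile(r'admission webhook "policy\.sigstore\.dev" denied the request: (?P<reason>.*)')


def parse_denial(message: str):
    """Hypothetical helper: return the policy reason if the message is a
    policy.sigstore.dev denial (useful when scanning API server or CI logs)."""
    m = DENIAL_RE.search(message)
    return m.group("reason") if m else None


# Constructed sample matching the message format shown in step 3 above.
SAMPLE_DENIAL = ('admission webhook "policy.sigstore.dev" denied the request: '
                 'validation failed: failed policy: cip-key-secret-match: '
                 'spec.template.spec.containers[0].image ...')
```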

Change History

Table 3 Release history

Add-on Version  Supported Cluster Version  New Feature
1.0.2           v1.23, v1.25, v1.27        Clusters of v1.27 are supported.
1.0.1           v1.23, v1.25               Supports verification of container image signatures.