Updated on 2024-07-02 GMT+08:00

Container Image Signature Verification

Introduction

swr-cosign is used to sign image files and verify their integrity and authenticity. This prevents image files from being tampered with or implanted with malicious code.

Constraints

  • The CCE cluster version must be v1.23 or later.
  • An SWR Enterprise instance must exist before you use the image signature verification function.

Installing the Add-on

  1. Log in to the CCE console and click a cluster name to access the cluster. Choose Add-ons in the navigation pane, locate Container Image Signature Verification on the right, and click Install.
  2. On the Install Add-on page, configure the specifications.

    Table 1 swr-cosign configuration

    Parameter              Description
    Add-on Specifications  Select Standalone, HA, or Custom for Add-on Specifications.
    Pods                   Number of pods that will be created to match the selected add-on specifications.
                           If you select Custom, you can adjust the number of pods as required.
    Containers             If you select Custom, you can adjust the container specifications as required.

  3. Configure the add-on parameters.

    Table 2 swr-cosign parameters

    Parameter                     Description
    KMS key                       Select a key. Only EC_P256, EC_P384, and SM2 keys are supported.
                                  You can create a key using KMS.
    Signature Verification Image  Enter a pattern for the paths of the images whose signatures are to be verified.
                                  For example, docker.io/** verifies the signature of every image in the docker.io
                                  repository. To verify the signatures of all images, enter **.

  4. Click Install.

    After the add-on is installed, select the cluster and click Add-ons in the navigation pane. On the displayed page, view the add-on in the Add-ons Installed area.

Components

Table 3 Add-on components

Component   Description                                                        Resource Type
swr-cosign  Verifies the digital signatures of image files to ensure that      Deployment
            the image files have not been tampered with.

How to Use

  1. Install swr-cosign and configure the KMS key and image address as instructed in Installing the Add-on.
  2. Add the label policy.sigstore.dev/include=true to the namespace that requires signature verification.

    1. In the navigation pane of the cluster console, click Namespaces.
    2. Locate the namespace to be verified. In the Operation column, choose More > Manage Label.
    3. Add a label.
      • Key: policy.sigstore.dev/include
      • Value: true
    4. Click OK.

  3. Confirm that image signature verification is in effect.

    1. In the navigation pane of the cluster console, click Workloads.
    2. Click Create Workload in the upper right corner.
    3. Select the namespace where the label was added, enter the path of an unsigned image, and set the other parameters as instructed in Creating a Deployment.
    4. Click Create Workload.
      Unsigned images will be blocked. The following information is displayed:
      admission webhook "policy.sigstore.dev" denied the request: validation failed: failed policy: cip-key-secret-match: spec.template.spec.containers[0].image ...

  4. Sign an image using an SWR signature rule.

    1. Log in to the SWR enterprise repository and access an existing repository.
    2. In the navigation pane, choose Security > Image Signature and create a signature rule.
      • Name: Name the signature rule.
      • Organization: Select a container image organization.
      • Application Scope:
        • Image: Select the image to be signed. You can also use a regular expression to match multiple images.
        • Version: Select an image version. If this parameter is left blank or set to **, all versions of the image are matched.
      • Signing Method: Select KMS.
      • Signature Key: Select a KMS key. The key must be the same as that used during add-on installation.
      • Trigger Mode:
        • Manual: After a signature rule is created, manually execute the rule to sign the image.
        • Event + manual: The image can be signed by events or manually.
      • Description: Enter the description of the rule.
    3. After the signature rule is created, click Execute to sign the selected image.
    4. After the image is signed, in the navigation pane, choose Artifact Repositories > Image Repositories and click the image name to view the image details. The image already has a signature attachment.

  5. Sign an image manually with GPG.

    1. Use GPG (gpg) on Linux to generate a key pair.
      gpg --quick-generate-key {uid}

      Keep the key pair and its passphrase secure.

    2. Write the payload that describes the image to be signed.
      echo "{\"critical\":{\"identity\":{\"docker-reference\":\"{namespace}/{repo}\"},\"image\":{\"docker-manifest-digest\":\"{sha256}\"},\"type\":\"atomic container signature\"}}" > payload.txt
      • {namespace}/{repo}: organization of the image to be signed/name of the image to be signed
      • {sha256}: SHA256 digest of the image, for example, sha256:aba27e8e***********1d566e218cb3ecaa424
    3. Sign the payload and Base64-encode the signature.
      1. Sign the payload.
        gpg --output signature.txt --armor -u {uid} --sign payload.txt
      2. Base64-encode the signature (Base64 is an encoding, not encryption; it only makes the armored signature a single line).
        base64 -w0 signature.txt
    4. Generate the signature file.
      echo "{\"PublicKeyID\": \"{KeyID}\", \"Signature\": \"{Sign}\", \"SerializedPayload\": null}" > {sha256}.asc
      • {KeyID}: fingerprint of the key pair, which can be obtained by running gpg --list-keys.
      • {Sign}: Base64-encoded signature generated in 5.c.
      • {sha256}: SHA256 digest of the image.
    5. Upload the signature file generated in 5.d to a public OBS bucket. The object path in the bucket is {namespace}/{repo}/{sha256}.asc.
      curl -X PUT https://{bucket-name}.{OBS-domain}/{namespace}/{repo}/{sha256}.asc -T {sha256}.asc

  6. Go back to the CCE console, and check whether the signed image can be used to create a workload successfully.
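The manual signing flow of step 5, as an added example that is not code from the SWR documentation: POSIX shell functions that build the payload, the {sha256}.asc signature file and the OBS object key exactly as described above, plus a driver that runs gpg and curl. The uid, {namespace}/{repo}, digest and bucket host are assumed to be passed as command-line arguments.

```shell
#!/bin/sh
# Added example (not from the SWR documentation). Usage:
#   sh sign.sh {uid} {namespace}/{repo} sha256:<64 hex> {bucket-name}.{OBS-domain}
set -eu

# Payload that binds the signature to one image reference and one manifest digest.
# $1 = {namespace}/{repo}, $2 = sha256:<digest>
make_payload() {
  printf '{"critical":{"identity":{"docker-reference":"%s"},"image":{"docker-manifest-digest":"%s"},"type":"atomic container signature"}}\n' "$1" "$2"
}

# Signature file expected by swr-cosign: key fingerprint, Base64 of the armored signature, no inline payload.
# $1 = key fingerprint, $2 = Base64-encoded signature
make_signature_file() {
  printf '{"PublicKeyID": "%s", "Signature": "%s", "SerializedPayload": null}\n' "$1" "$2"
}

# OBS object key under which the signature must be stored ({namespace}/{repo}/{sha256}.asc).
signature_object_key() {
  printf '%s/%s.asc' "$1" "$2"
}

# Refuse anything that is not a full sha256 manifest digest before signing: a tag or a
# truncated digest would produce a signature that binds to nothing useful.
valid_digest() {
  printf '%s' "$1" | grep -Eq '^sha256:[0-9a-f]{64}$'
}

# End-to-end run; needs gpg and curl and a key already created with gpg --quick-generate-key.
sign_and_upload() {
  uid=$1; ref=$2; digest=$3; host=$4
  valid_digest "$digest" || { echo "not a sha256 manifest digest: $digest" >&2; return 1; }
  make_payload "$ref" "$digest" > payload.txt
  gpg --output signature.txt --armor -u "$uid" --sign payload.txt
  gpg --verify signature.txt                       # local check before anything is published
  sig=$(base64 -w0 < signature.txt)
  fpr=$(gpg --list-keys --with-colons "$uid" | awk -F: '/^fpr:/ {print $10; exit}')
  make_signature_file "$fpr" "$sig" > "$digest.asc"
  curl -fsS -X PUT "https://$host/$(signature_object_key "$ref" "$digest")" -T "$digest.asc"
}

if [ "$#" -eq 4 ]; then
  sign_and_upload "$@"
fi
```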

Change History

Table 4 Release history

Add-on Version  Supported Cluster Version  New Feature
1.0.2           v1.23, v1.25, v1.27        Supports v1.27 clusters.
1.0.1           v1.23, v1.25               Supports verification of container image signatures.