Chapter 9. Verifying image signatures


You can use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to ensure the integrity of the container images in your clusters by verifying image signatures against pre-configured keys.

You can create policies to block unsigned images and images that do not have a verified signature. You can also enforce the policy by using the RHACS admission controller to stop unauthorized deployment creation.

Note
  • RHACS 3.70 only supports Cosign signatures and Cosign public key signature verification. For more information about Cosign, see Cosign overview.
  • You must configure signature integration with at least 1 Cosign public key for signature verification.
  • For all deployed and watched images:

    • RHACS fetches and verifies the signatures every 4 hours.
    • RHACS verifies the signatures whenever you change or update your signature integration public keys.

9.1. Configuring signature integration

Before performing image signature verification, you must first add your Cosign public keys in RHACS.

Prerequisites

  • You must already have a PEM-encoded Cosign public key. For more information about Cosign, see Cosign overview.

Procedure

  1. On the RHACS portal, select Platform Configuration Integrations.
  2. Scroll down to the Signature Integrations section and click Signature.
  3. Click New integration.
  4. Enter a name for the Integration name.
  5. Click Cosign Add a new public key.
  6. Enter the Public key name.
  7. For the Public key value field, enter the PEM-encoded public key.
  8. (Optional) You can add more than one key by clicking Add a new public key and entering the details.
  9. Click Save.

9.2. Using signature verification in a policy

When creating custom security policies, you can use the Trusted image signers policy criteria to verify image signatures.

Prerequisites

  • You must have already configured a signature integration with at least 1 Cosign public key.

Procedure

  1. When creating or editing a policy, drag the Not verified by trusted image signers policy criteria in the policy field drop area for the Policy criteria section.
  2. Click Select.
  3. Select the trusted image signers from the list and click Save.

9.3. Enforcing signature verification

To prevent the users from using unsigned images, you can enforce signature verification by using the RHACS admission controller. You must first enable the Contact Image Scanners feature in your cluster configuration settings. Then, while creating a security policy to enforce signature verification, you can use the Inform and enforce option.

For more information, see Enabling admission controller enforcement.

Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.