Chapter 13. Verifying image signatures
You can use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to ensure the integrity of the container images in your clusters by verifying image signatures against pre-configured keys.
You can create policies to block unsigned images and images that do not have a verified signature. You can also enforce the policy by using the RHACS admission controller to stop unauthorized deployment creation.
- RHACS only supports Cosign signatures and Cosign Public Keys/Certificates verification. For more information about Cosign, see Cosign overview.
- For Cosign signature verification, RHACS does not support communication with the transparency log Rekor.
- You must configure signature integration with at least 1 Cosign verification method for signature verification.
For all deployed and watched images:
- RHACS fetches and verifies the signatures every 4 hours.
- RHACS verifies the signatures whenever you change or update your signature integration verification data.
13.1. Configuring signature integration
Before performing image signature verification, you must first create a signature integration in RHACS.
A signature integration can be configured with multiple verification methods. The following verification methods are supported:
- Cosign public keys
- Cosign certificates
13.1.1. Configuring Cosign public keys
Prerequisites
- You must already have a PEM-encoded Cosign public key. For more information about Cosign, see Cosign overview.
Procedure
-
In the RHACS portal, select Platform Configuration
Integrations. - Scroll to Signature Integrations and click Signature.
- Click New integration.
- Enter a name for the Integration name.
-
Click Cosign public Keys
Add a new public key. - Enter the Public key name.
- For the Public key value field, enter the PEM-encoded public key.
- (Optional) You can add more than one key by clicking Add a new public key and entering the details.
- Click Save.
13.1.2. Configuring Cosign certificates
Prerequisites
- You must already have the certificate identity and issuer. Optionally, you also need a PEM-encoded certificate and chain. For more information about Cosign certificates, see Cosign certificate verification
Procedure
-
In the RHACS portal, select Platform Configuration
Integrations. - Scroll to Signature Integrations and click Signature.
- Click New integration.
- Enter a name for the Integration name.
-
Click Cosign certificates
Add a new certificate verification. - Enter the Certificate OIDC Issuer. You can optionally use regular expressions in RE2 Syntax.
- Enter the Certificate identity. You can optionally use regular expressions in RE2 Syntax.
- (Optional) Enter the Certificate Chain PEM encoded to verify certificates. If no chain is provided, certificates are verified against the Fulcio root.
- (Optional) Enter the Certificate PEM encoded to verify the signature.
- (Optional) You can add more than one certificate verification by clicking Add a new certificate verification and entering the details.
- Click Save.
13.2. Using signature verification in a policy
When creating custom security policies, you can use the Trusted image signers policy criteria to verify image signatures.
Prerequisites
- You must have already configured a signature integration with at least 1 Cosign public key.
Procedure
- When creating or editing a policy, drag the Not verified by trusted image signers policy criteria in the policy field drop area for the Policy criteria section.
- Click Select.
- Select the trusted image signers from the list and click Save.
Additional resources
13.3. Enforcing signature verification
To prevent the users from using unsigned images, you can enforce signature verification by using the RHACS admission controller. You must first enable the Contact Image Scanners feature in your cluster configuration settings. Then, while creating a security policy to enforce signature verification, you can use the Inform and enforce option.
For more information, see Enabling admission controller enforcement.
Additional resources