
Chapter 13. Verifying image signatures


You can use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to ensure the integrity of the container images in your clusters by verifying image signatures against pre-configured keys.

You can create policies to block unsigned images and images that do not have a verified signature. You can also enforce the policy by using the RHACS admission controller to stop unauthorized deployment creation.

Note
  • RHACS supports only Cosign signatures, verified with Cosign public keys or certificates. For more information about Cosign, see Cosign overview.
  • For Cosign signature verification, RHACS does not support communication with the Rekor transparency log.
  • You must configure a signature integration with at least one Cosign verification method before signatures can be verified.
  • For all deployed and watched images:

    • RHACS fetches and verifies the signatures every 4 hours.
    • RHACS verifies the signatures whenever you change or update your signature integration verification data.

13.1. Configuring signature integration

Before performing image signature verification, you must first create a signature integration in RHACS.

A signature integration can be configured with multiple verification methods. The following verification methods are supported:

  • Cosign public keys
  • Cosign certificates

13.1.1. Configuring Cosign public keys

Prerequisites

  • You must already have a PEM-encoded Cosign public key. For more information about Cosign, see Cosign overview.

Procedure

  1. In the RHACS portal, select Platform Configuration → Integrations.
  2. Scroll to Signature Integrations and click Signature.
  3. Click New integration.
  4. Enter a name for the Integration name.
  5. Click Cosign public Keys → Add a new public key.
  6. Enter the Public key name.
  7. For the Public key value field, enter the PEM-encoded public key.
  8. (Optional) You can add more than one key by clicking Add a new public key and entering the details.
  9. Click Save.

13.1.2. Configuring Cosign certificates

Prerequisites

  • You must already have the certificate identity and issuer. You can optionally also provide a PEM-encoded certificate and certificate chain. For more information about Cosign certificates, see Cosign certificate verification.

Procedure

  1. In the RHACS portal, select Platform Configuration → Integrations.
  2. Scroll to Signature Integrations and click Signature.
  3. Click New integration.
  4. Enter a name for the Integration name.
  5. Click Cosign certificates → Add a new certificate verification.
  6. Enter the Certificate OIDC Issuer. You can optionally use regular expressions in RE2 Syntax.
  7. Enter the Certificate identity. You can optionally use regular expressions in RE2 Syntax.
  8. (Optional) Enter the Certificate Chain PEM encoded to verify certificates. If no chain is provided, certificates are verified against the Fulcio root.
  9. (Optional) Enter the Certificate PEM encoded to verify the signature.
  10. (Optional) You can add more than one certificate verification by clicking Add a new certificate verification and entering the details.
  11. Click Save.

13.2. Using signature verification in a policy

When creating custom security policies, you can use the Trusted image signers policy criteria to verify image signatures.

Prerequisites

  • You must have already configured a signature integration with at least one Cosign public key.

Procedure

  1. When creating or editing a policy, drag the Not verified by trusted image signers policy criteria into the policy field drop area of the Policy criteria section.
  2. Click Select.
  3. Select the trusted image signers from the list and click Save.

13.3. Enforcing signature verification

To prevent users from deploying unsigned images, you can enforce signature verification by using the RHACS admission controller. You must first enable the Contact Image Scanners feature in your cluster configuration settings. Then, when creating a security policy to enforce signature verification, select the Inform and enforce option.

For more information, see Enabling admission controller enforcement.


© 2024 Red Hat, Inc.