In a recent blog post from the Kubernetes blog , the author wrote about an exciting update that will change how we handle container security. Today, many platform engineers deploy an admission controller to verify the signature of a container. Now, with the release of CRI-O version 1.28 it is possible to do the signature verification directly in the container runtime. No more relying solely on admission controllers to prevent unsigned images from being deployed in your Kubernetes cluster.
This feature leverages the Kubelet’s interaction with the container runtime, enabling the container runtime to handle the heavy lifting of container signature verification. CRI-O offers full support for container image signature verification starting from version v1.28.
As always you can follow along and check out the source code or clone it here .
Add signature policy
Let’s see how easy it is to get started with image signature verification in CRI-O. By using the flag --signature-policy,
you can specify a policy file in JSON format.
|
|
This command enables a global policy for container signature verification. However, if you need more specific policies per namespace, CRI-O has you covered too. By utilizing the flag --signature-policy-dir
, you can create a policy directory and add individual policy files, mapping them to the respective namespaces.
|
|
With this powerful feature, you can now ensure that containers within your Kubernetes cluster are signed and verified, enhancing the overall security of your applications without the need of installing a third party tool.
If you are curious how to sign a container, go and read my previous blog post Sign and Verify Containers With Ease .
That’s it! Thank you for reading!