You can use Red Hat Advanced Cluster Security for Kubernetes (RHACS) to ensure the integrity of the container images in your clusters by verifying image signatures against pre-configured keys.
You can create policies to block unsigned images and images that do not have a verified signature. You can also enforce the policy by using the RHACS admission controller to stop unauthorized deployment creation.
|
Before performing image signature verification, you must first create a signature integration in RHACS.
A signature integration can be configured with multiple verification methods. The following verification methods are supported:
Cosign public keys
Cosign certificates
You must already have a PEM-encoded Cosign public key. For more information about Cosign, see Cosign overview.
In the RHACS portal, select Platform Configuration → Integrations.
Scroll to Signature Integrations and click Signature.
Click New integration.
Enter a name for the Integration name.
Click Cosign public Keys → Add a new public key.
Enter the Public key name.
For the Public key value field, enter the PEM-encoded public key.
(Optional) You can add more than one key by clicking Add a new public key and entering the details.
Click Save.
You must already have the certificate identity and issuer. Optionally, you also need a PEM-encoded certificate and chain. For more information about Cosign certificates, see Cosign certificate verification
In the RHACS portal, select Platform Configuration → Integrations.
Scroll to Signature Integrations and click Signature.
Click New integration.
Enter a name for the Integration name.
Click Cosign certificates → Add a new certificate verification.
Enter the certificate OIDC Issuer. You can optionally use regular expressions in RE2 Syntax.
Enter the certificate identity. You can optionally use regular expressions in RE2 Syntax.
(Optional) Enter the certificate Chain PEM encoded to verify certificates. If no chain is provided, certificates are verified against the Fulcio root.
(Optional) Enter the certificate PEM encoded to verify the signature.
(Optional) You can add more than one certificate verification by clicking Add a new certificate verification and entering the details.
Click Save.
When creating custom security policies, you can use the Trusted image signers policy criteria to verify image signatures.
You must have already configured a signature integration with at least 1 Cosign public key.
When creating or editing a policy, drag the Not verified by trusted image signers policy criteria in the policy field drop area for the Policy criteria section.
Click Select.
Select the trusted image signers from the list and click Save.
To prevent the users from using unsigned images, you can enforce signature verification by using the RHACS admission controller. You must first enable the Contact Image Scanners feature in your cluster configuration settings. Then, while creating a security policy to enforce signature verification, you can use the Inform and enforce option.
For more information, see Enabling admission controller enforcement.