Add documentation about verifying signed container images

[saschagrunert]

One part of the container image signing MVP (kubernetes/release#2383) is to provide appropriate documentation about how to verify signed images. We have to find a location on k8s.io about adding general documentation as well as outline manual verification steps.

We should also document possible gaps in the verification process. For example, it is not 100% safe to manually verify the container images. Container runtimes would have to support cosign verification to secure clusters continuously.

Beside that, we should think about consumers of our container images. How could we help them to simplify the signature verification process?

[saschagrunert]

/milestone v1.24

[k8s-ci-robot]

@saschagrunert: You must be a member of the kubernetes/website-milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Website milestone maintainers and have them propose you as an additional delegate for this responsibility.

In response to this:

/milestone v1.24

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[saschagrunert]

/help

[sftim]

/sig security
/sig docs
/language en

/remove-help
(I don't feel that this has a low enough barrier to entry at the moment)

[sftim]

/milestone 1.24

[sftim]

Perhaps for an MVP we could document how to configure your cluster so that the control plane nodes insist on signed images, and that code on the control plane (eg kubelet, kube-proxy, etcd, kube-scheduler) is signed and verified.

A future enhancement might then tackle workload images.

How does that sound? Another approach would be to skip explaining how to secure the control plane, and focus on how to ensure that workload Pods are verified.

[jihoon-seo]

/triage accepted

[saschagrunert]

How does that sound? Another approach would be to skip explaining how to secure the control plane, and focus on how to ensure that workload Pods are verified.

Sounds good to me, I would split the verification into two aspects: The manual and the automatic image verification. For the automatic way we require CRI container runtimes to support cosign.

Do you have a location in mind there we put that information? Somewhere there: https://kubernetes.io/releases ?

[PushkarJ]

@saschagrunert let me know if you are looking for someone to work on this

[saschagrunert]

@PushkarJ you can take this over if you want to. I was planning to work on it later this cycle but earlier is even better.

Feel free to draft a PR to supersede #31611 or reach out to me directly if there is anything unclear. :)

[cpanato]

@PushkarJ any update on this? thanks!

[PushkarJ]

@cpanato I will be able to get to this next week as I am out for the rest of the week. If it can not wait, happy for either of you to take over.

[PushkarJ]

Looks like the consensus so far is that we will need two types of docs:

1. Allows admins to manually verify images
2. Allows admins to continuously and automatically verify images of running control plane pods

For option 2, it seems like CRI support for cosign is needed (Would be super cool to see this!!). So until that is in place, I will work on the docs that cover option 1. Sounds good?

[PushkarJ]

/assign
/sig security

[PushkarJ]

WIP PR is open: #32184

[saschagrunert]

This is done :)