Add documentation about verifying signed container images #31420
Comments
/milestone v1.24
@saschagrunert: You must be a member of the kubernetes/website-milestone-maintainers GitHub team to set the milestone. If you believe you should be able to issue the /milestone command, please contact your Website milestone maintainers and have them propose you as an additional delegate for this responsibility. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/help
/sig security /remove-help
/milestone 1.24
Perhaps for an MVP we could document how to configure your cluster so that the control plane nodes insist on signed images, and that code on the control plane (e.g. kubelet, kube-proxy, etcd, kube-scheduler) is signed and verified. A future enhancement might then tackle workload images. How does that sound? Another approach would be to skip explaining how to secure the control plane, and focus on how to ensure that workload Pods are verified.
/triage accepted
Sounds good to me, I would split the verification into two aspects: the manual and the automatic image verification. For the automatic way we require CRI container runtimes to support cosign. Do you have a location in mind where we put that information? Somewhere there: https://kubernetes.io/releases ?
@saschagrunert let me know if you are looking for someone to work on this
@PushkarJ any update on this? thanks!
@cpanato I will be able to get to this next week as I am out for the rest of the week. If it can not wait, happy for either of you to take over.
Looks like the consensus so far is that we will need two types of docs:
For option 2, it seems like CRI support for cosign is needed (Would be super cool to see this!!). So until that is in place, I will work on the docs that cover option 1. Sounds good?
/assign
WIP PR is open: #32184
This is done :)
One part of the container image signing MVP (kubernetes/release#2383) is to provide appropriate documentation about how to verify signed images. We have to find a location on k8s.io for adding general documentation as well as outlining manual verification steps.
We should also document possible gaps in the verification process. For example, it is not 100% safe to manually verify the container images. Container runtimes would have to support cosign verification to secure clusters continuously.
Besides that, we should think about consumers of our container images. How could we help them simplify the signature verification process?