Verifying image signature

152 views
Skip to first unread message

Jeremy Cowan

unread,
Sep 9, 2021, 2:35:07 PM9/9/21
to kubernetes-sig-security
Hi there, I'm new to SIG-Security and I apologize in advance if this is not the right forum for this post. I was curious if the community had a strong opinion about where the verification of image signatures should occur. For example, should it be implemented by the kubelet or should it be implement by an admission controller like OPA/Gatekeeper or a purpose built admission controller like Connoisseur? I found 1 example, https://github.com/developer-guy/container-image-sign-and-verify-with-cosign-and-opa, of OPA/Gatekeeper with Cosign. It uses the HTTP send method to send the image URI to a wrapper service for Cosign which returns whether the signature if valid. Do you this this will pattern will prevail or is there a better way to do this? 
-Jeremy

Hector Fernandez

unread,
Sep 24, 2021, 3:05:03 PM9/24/21
to kubernetes-sig-security
Hello,

The idea of having the image signature validation at kubelet level sounds good to reduce the latency when creating resources. However, the user experience would be affected.
The kubelet will report the failure once the Pod has already been created. If we identify the steps: the k8s API creates the pod, waits for the scheduler to allocate the pod, schedules that pod on a node, and finally the kubelet fails to create the container due to a wrong signature.
I'd personally recommend to fail in an earlier stage.

Hector

Tabitha Sable

unread,
Sep 24, 2021, 3:34:30 PM9/24/21
to kubernetes-sig-security

Heya, Jeremy,

I think this is a topic that would be of interest to many SIG Security folks, and could potentially turn into either a KEP or an open-source project if there's sufficient interest.

I'd recommend you bring it up in #sig-security on Kubernetes slack, or come to a meeting and share it with the group there.

Thanks for writing!

Tabitha
Reply all
Reply to author
Forward
0 new messages