Verifying image signature


Jeremy Cowan

Sep 9, 2021, 2:35:07 PM
to kubernetes-sig-security
Hi there, I'm new to SIG-Security and I apologize in advance if this is not the right forum for this post. I was curious if the community had a strong opinion about where the verification of image signatures should occur. For example, should it be implemented by the kubelet, or should it be implemented by an admission controller like OPA/Gatekeeper or a purpose-built admission controller like Connaisseur? I found one example of OPA/Gatekeeper with Cosign. It uses the HTTP send method to send the image URI to a wrapper service for Cosign, which returns whether the signature is valid. Do you think this pattern will prevail, or is there a better way to do this?
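
The pattern described above (an admission policy that hands each image reference to a Cosign wrapper service via `http.send` and denies the Pod if any signature fails), as an added Rego example that is not from the post or from any project it mentions. It is written for a plain OPA admission webhook; the wrapper URL, its JSON request body and its `verified` response field are assumptions.

```rego
package kubernetes.admission

import future.keywords.in

# Hypothetical in-cluster wrapper that runs `cosign verify` (assumed, not a real service).
verifier_url := "http://cosign-verifier.signing.svc:8080/verify"

# Collect every image reference in the Pod, including init and ephemeral containers,
# so a signed main container cannot smuggle in an unsigned sidecar.
images[img] {
	some c in input.request.object.spec.containers
	img := c.image
}

images[img] {
	some c in input.request.object.spec.initContainers
	img := c.image
}

images[img] {
	some c in input.request.object.spec.ephemeralContainers
	img := c.image
}

# True only when the wrapper answers 200 and reports the signature as valid.
# raise_error=false turns network failures into a non-200 response, so an
# unreachable verifier fails closed rather than aborting policy evaluation.
verified(img) {
	resp := http.send({
		"method": "POST",
		"url": verifier_url,
		"headers": {"Content-Type": "application/json"},
		"body": {"image": img},
		"timeout": "5s",
		"raise_error": false,
	})
	resp.status_code == 200
	resp.body.verified == true
}

# Deny Pod admission at the API server, before scheduling and before the kubelet pulls anything.
deny[msg] {
	input.request.kind.kind == "Pod"
	some img in images
	not verified(img)
	msg := sprintf("image %q does not have a valid signature", [img])
}
```

Because the decision is made at admission time, a rejected Pod never reaches the scheduler or a node, which is the earlier failure point discussed later in this thread.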

Hector Fernandez

Sep 24, 2021, 3:05:03 PM
to kubernetes-sig-security

The idea of having the image signature validation at the kubelet level sounds good to reduce the latency when creating resources. However, the user experience would be affected.
The kubelet will report the failure once the Pod has already been created. If we identify the steps: the k8s API creates the pod, waits for the scheduler to allocate the pod, schedules that pod on a node, and finally the kubelet fails to create the container due to a wrong signature.
I'd personally recommend failing at an earlier stage.


Tabitha Sable

Sep 24, 2021, 3:34:30 PM
to kubernetes-sig-security

Heya, Jeremy,

I think this is a topic that would be of interest to many SIG Security folks, and could potentially turn into either a KEP or an open-source project if there's sufficient interest.

I'd recommend you bring it up in #sig-security on Kubernetes slack, or come to a meeting and share it with the group there.

Thanks for writing!
