Container image signing and validation

Available since 2.26.0 (17.1.0 and 16.1.0). Technology Preview.

Container Cloud uses the policy-controller to validate the signatures of pod images. It verifies that the images used by the Container Cloud and Mirantis OpenStack for Kubernetes (MOSK) controllers are signed by a trusted authority. The policy-controller inspects the defined image policies, which list the image registries and the authorities used for signature validation.

The policy-controller validates only pods with image references from the Container Cloud content delivery network (CDN). Other registries are ignored by the controller.

The policy-controller supports two modes of image policy validation for Container Cloud and MOSK images:

  • warn

    Default. Allows controllers to use untrusted images, but a warning message is logged in the policy-controller logs and sent as an admission response.

  • enforce

    Experimental. Blocks pod creation and update operations if a pod image does not have a valid Mirantis signature. If a pod creation or update is blocked in the enforce mode, send the untrusted artifact to Mirantis support for further inspection. To unblock pod operations, switch to the warn mode.

    Warning

    The enforce mode is still under development and is available as an experimental option. Mirantis does not recommend enabling this option for production deployments. The full support for this option will be announced separately in one of the following Container Cloud releases.

If unstable connections from the policy-controller to the Container Cloud CDN disrupt pod creation and update operations, you can disable the controller by setting enabled: false in the configuration.

The policy-controller configuration is located in the Cluster object:

spec:
  ...
  providerSpec:
    value:
      ...
      helmReleases:
      ...
      - name: policy-controller
        enabled: [true|false]
        values:
          policy:
            mode: [enforce|warn]
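As an added example that is not part of this documentation, the following Python script audits a Cluster object (as returned by kubectl get cluster <name> -o json; the path spec.providerSpec.value.helmReleases is taken from the configuration above) and reports whether CDN image signatures are enforced, only warned about, or not validated at all. Treating an absent enabled key as unset is an assumption, since its default is not stated here.

```python
import json

# Added example (not Mirantis code): audit the policy-controller settings in a
# Container Cloud Cluster object, e.g. from `kubectl get cluster <name> -o json`.
# Constructed sample, trimmed to the fields this page documents.
SAMPLE_CLUSTER_JSON = """
{"kind": "Cluster", "metadata": {"name": "managed-1"},
 "spec": {"providerSpec": {"value": {"helmReleases": [
   {"name": "stacklight", "enabled": true},
   {"name": "policy-controller", "enabled": true,
    "values": {"policy": {"mode": "enforce"}}}]}}}}
"""

def policy_controller_state(cluster: dict) -> dict:
    """Locate the policy-controller helm release and return its settings.
    mode falls back to "warn", the documented default; an absent `enabled`
    key is returned as None (its default is not stated on this page)."""
    releases = (cluster.get("spec", {}).get("providerSpec", {})
                .get("value", {}).get("helmReleases", []))
    for rel in releases:
        if rel.get("name") == "policy-controller":
            mode = rel.get("values", {}).get("policy", {}).get("mode", "warn")
            return {"present": True, "enabled": rel.get("enabled"), "mode": mode}
    return {"present": False, "enabled": None, "mode": None}

def assess(state: dict) -> str:
    """Map the settings to what they mean for CDN image signature checks."""
    if not state["present"] or state["enabled"] is False:
        return "NO_VALIDATION"   # controller absent or disabled: nothing is checked
    if state["enabled"] is None:
        return "ENABLED_UNSET"   # confirm the release default before relying on it
    if state["mode"] == "enforce":
        return "BLOCKING"        # unsigned CDN images are rejected (experimental)
    if state["mode"] == "warn":
        return "WARN_ONLY"       # unsigned CDN images run; only a warning is logged
    return "UNKNOWN_MODE"        # unexpected value: inspect the Cluster object

def assess_cluster_json(text: str) -> str:
    """Convenience wrapper: raw JSON document in, assessment out."""
    return assess(policy_controller_state(json.loads(text)))

if __name__ == "__main__":
    print(assess_cluster_json(SAMPLE_CLUSTER_JSON))  # BLOCKING
```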