Container image signing and validation
Available since 2.26.0 (17.1.0 and 16.1.0). Technology Preview.
Container Cloud uses policy-controller for signature validation of pod images. It verifies that images used by the Container Cloud and Mirantis OpenStack for Kubernetes (MOSK) controllers are signed by a trusted authority. The policy-controller inspects defined image policies that list image registries and authorities for signature validation.

The policy-controller validates only pods with image references from the Container Cloud content delivery network (CDN). Other registries are ignored by the controller.
The policy-controller supports two modes of image policy validation for Container Cloud and MOSK images:

warn
  Default. Allows controllers to use untrusted images, but a warning message is logged in the policy-controller logs and sent as an admission response.

enforce
  Experimental. Blocks pod create and update operations if a pod image does not have a valid Mirantis signature. If a pod creation or update is blocked in the enforce mode, send the untrusted artifact to Mirantis support for further inspection. To unblock pod operations, switch to the warn mode.

Warning: The enforce mode is still under development and is available as an experimental option. Mirantis does not recommend enabling this option for production deployments. The full support for this option will be announced separately in one of the following Container Cloud releases.
In case of unstable connections from the policy-controller to the Container Cloud CDN that disrupt pod creation and update operations, you can disable the controller by setting enabled: false in the configuration.

The policy-controller configuration is located in the Cluster object:
spec:
  ...
  providerSpec:
    value:
      ...
      helmReleases:
        ...
        - name: policy-controller
          enabled: [true|false]
          values:
            policy:
              mode: [enforce|warn]
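The following added example (not part of the Mirantis documentation or product) audits a Cluster object with the structure shown above and reports the effective signature-validation mode, so an operator can spot clusters where validation is disabled or where the experimental enforce mode is on. The Cluster object is a constructed in-memory dict; treating a missing enabled field as enabled is an assumption, not documented behaviour.

```python
"""Audit the policy-controller settings of a Container Cloud Cluster object."""

DEFAULT_MODE = "warn"            # documented default when policy.mode is unset
VALID_MODES = {"warn", "enforce"}


def effective_policy_mode(cluster: dict) -> str:
    """Return 'missing', 'disabled', 'warn', 'enforce' or 'invalid:<value>'.

    Walks spec.providerSpec.value.helmReleases for the policy-controller
    release, following the layout shown in the documentation.
    """
    releases = (cluster.get("spec", {})
                       .get("providerSpec", {})
                       .get("value", {})
                       .get("helmReleases", []))
    for rel in releases:
        if rel.get("name") != "policy-controller":
            continue
        # Assumption: an absent 'enabled' key is treated as enabled.
        if not rel.get("enabled", True):
            return "disabled"
        mode = rel.get("values", {}).get("policy", {}).get("mode", DEFAULT_MODE)
        return mode if mode in VALID_MODES else f"invalid:{mode}"
    return "missing"


def audit_cluster(cluster: dict) -> list:
    """Translate the effective mode into operator-facing findings."""
    mode = effective_policy_mode(cluster)
    findings = [f"effective policy-controller mode: {mode}"]
    if mode in ("disabled", "missing"):
        findings.append("image signatures from the Container Cloud CDN are not validated")
    elif mode == "enforce":
        findings.append("enforce is experimental; unsigned images block pod create/update")
    elif mode.startswith("invalid:"):
        findings.append("policy.mode must be one of: warn, enforce")
    return findings


def make_cluster(enabled=True, mode=None) -> dict:
    """Build a constructed Cluster object mirroring the documented layout."""
    values = {"policy": {"mode": mode}} if mode is not None else {}
    release = {"name": "policy-controller", "enabled": enabled, "values": values}
    return {"spec": {"providerSpec": {"value": {"helmReleases": [release]}}}}


if __name__ == "__main__":
    for line in audit_cluster(make_cluster(enabled=True, mode="enforce")):
        print(line)
```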