Mirantis Container Cloud (MCC) becomes part of Mirantis OpenStack for Kubernetes (MOSK)!

Starting with MOSK 25.2, the MOSK documentation set covers all product layers, including MOSK management (formerly Container Cloud). This means everything you need is in one place. Some legacy names may remain in the code and documentation and will be updated in future releases. The separate Container Cloud documentation site will be retired, so please update your bookmarks for continued easy access to the latest content.

Container images signing and validation

Available since MOSK 24.1 TechPreview

Mirantis OpenStack for Kubernetes (MOSK) management uses policy-controller for signature validation of pod images. It verifies that images used by MOSK management and MOSK controllers are signed by a trusted authority. The policy-controller inspects defined image policies that list image registries and authorities for signature validation.

The policy-controller validates only pods with image references from the MOSK management content delivery network (CDN). Other registries are ignored by the controller.

The policy-controller supports two modes of image policy validation for MOSK management and MOSK images:

  • warn

    Default. Allows controllers to use untrusted images, but a warning message is logged in the policy-controller logs and sent as an admission response.

  • enforce

    Experimental. Blocks pod create and update operations if a pod image does not have a valid Mirantis signature. If a pod creation or update is blocked in the enforce mode, send the untrusted artifact to Mirantis support for further inspection. To unblock pod operations, switch to the warn mode.

    Warning

    The enforce mode is still under development and is available as an experimental option. Mirantis does not recommend enabling this option for production deployments. The full support for this option will be announced separately in one of the following MOSK releases.

In case of unstable connections from the policy-controller to MOSK management CDN that disrupt pod creation and update operations, you can disable the controller by setting enabled: false in the configuration.

The policy-controller configuration is located in the Cluster object:

spec:
  ...
  providerSpec:
    value:
      ...
      helmReleases:
      ...
      - name: policy-controller
        enabled: [true|false]
        values:
          policy:
            mode: [enforce|warn]
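The following is an added audit helper, not MOSK product code: it reads the policy-controller entry from a Cluster object (assumed to be already fetched and loaded as a dict, for example from `kubectl get cluster -o json`) and reports whether signature validation is disabled, running in the default warn mode, or in the experimental enforce mode. It assumes a missing `enabled` field means the release is enabled; the page only documents `enabled: false` as the way to switch the controller off.

```python
from typing import Any, Dict, List, Optional

RELEASE_NAME = "policy-controller"
VALID_MODES = ("warn", "enforce")


def find_policy_controller(cluster: Dict[str, Any]) -> Optional[Dict[str, Any]]:
    """Return the policy-controller helmReleases entry from spec.providerSpec.value, or None."""
    releases = (
        cluster.get("spec", {})
        .get("providerSpec", {})
        .get("value", {})
        .get("helmReleases", [])
    )
    return next((r for r in releases if r.get("name") == RELEASE_NAME), None)


def audit_policy_controller(cluster: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise enabled/mode and list the findings a reviewer would raise."""
    release = find_policy_controller(cluster)
    if release is None:
        return {"enabled": None, "mode": None,
                "findings": ["policy-controller release not present in Cluster spec"]}
    enabled = release.get("enabled", True)  # assumption: absent 'enabled' means enabled
    # warn is the documented default mode when policy.mode is not set
    mode = release.get("values", {}).get("policy", {}).get("mode", "warn")
    findings: List[str] = []
    if not enabled:
        findings.append("signature validation disabled: unsigned images are admitted without warning")
    elif mode == "warn":
        findings.append("warn mode: untrusted images are admitted; review policy-controller logs "
                        "and admission warnings for unsigned images")
    elif mode == "enforce":
        findings.append("enforce mode is experimental: not recommended for production deployments")
    else:
        findings.append(f"unknown policy mode {mode!r}; expected one of {VALID_MODES}")
    return {"enabled": enabled, "mode": mode, "findings": findings}


# Constructed sample Cluster object mirroring the fragment shown above.
SAMPLE_CLUSTER = {
    "spec": {"providerSpec": {"value": {"helmReleases": [
        {"name": "some-other-release", "enabled": True},
        {"name": RELEASE_NAME, "enabled": True,
         "values": {"policy": {"mode": "warn"}}},
    ]}}}
}

if __name__ == "__main__":
    for key, value in audit_policy_controller(SAMPLE_CLUSTER).items():
        print(f"{key}: {value}")
```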