Sign images that MKE can trust
Mirantis Kubernetes Engine (MKE) can be configured to enforce signature verification, ensuring that only images signed by trusted entities can be deployed on your cluster.
Because Cosign signatures are standard OCI artifacts stored directly inside Mirantis Secure Registry (MSR), you can use the cryptographic user keys provided in your MKE client bundle to sign images. This allows MKE to confirm that a deployment came from an authorized user or team identity.
Prerequisites
Complete the following steps before you start signing images:
Install the Cosign CLI on your local machine.
Confirm that your local machine has network access to MSR and log in to the registry:
$ docker login msr.example.com
Download an MKE client bundle for the user identity that will sign the images. The bundle contains the cryptographic user certificates (
cert.pemandkey.pem) recognized by MKE’s RBAC engine.
Import your MKE bundle keys into Cosign
Cosign can use your existing client bundle keys, but they must first
be converted into Cosign’s expected format. Navigate to the directory
containing your unzipped MKE client bundle and run the
import-key-pair command:
$ # Verify your bundle files are present
$ ls cert.pem key.pem
$ # Import the MKE private key into Cosign format
$ cosign import-key-pair --key key.pem
When prompted, enter and confirm a password. This generates two files in your current working directory:
import-cosign.key— the encrypted private key used to sign images.import-cosign.pub— the public key used for verification.
For more details on key management utilities, see Importing Key Pairs in the official Sigstore documentation.
Sign the image tag
To sign your container image using your imported MKE-associated key, run:
$ cosign sign --key import-cosign.key \
msr.example.com/marketing/nginx:v1
Cosign prompts for the password you set during the import step, then pushes the cryptographic signature directly to your MSR repository alongside your image manifest.
Enforce signature verification in MKE 3
TechPreview
Warning
This feature is not yet available. It is planned for a future MKE 3 update following the MSR 2.10.0 release. Confirm feature availability in your MKE version before attempting configuration.
After your images are signed using identities known to MKE, configure your cluster to block unsigned images:
Log in to the MKE web interface as an administrator.
Navigate to Admin > Admin Settings > Cosign (formerly Docker Content Trust).
Toggle the enforcement policy and supply the required verification parameters so that only verified images can be scheduled onto the cluster.
With this policy active, any attempt to deploy a workload using an unsigned image or an image signed by an untrusted key is rejected by MKE.
Note
If your MSR instance uses a self-signed CA, confirm that your
local machine trusts the MSR CA, or configure the registry under
insecure-registries in the Docker daemon.json file so that
Cosign can connect to MSR to push signatures.