|
| 1 | +--- |
| 2 | +title: 验证已签名容器镜像 |
| 3 | +content_type: task |
| 4 | +min-kubernetes-server-version: v1.24 |
| 5 | +--- |
| 6 | +<!-- |
| 7 | +title: Verify Signed Container Images |
| 8 | +content_type: task |
| 9 | +min-kubernetes-server-version: v1.24 |
| 10 | +--> |
| 11 | + |
| 12 | +<!-- overview --> |
| 13 | + |
| 14 | +{{< feature-state state="alpha" for_k8s_version="v1.24" >}} |
| 15 | + |
| 16 | +## {{% heading "prerequisites" %}} |
| 17 | + |
| 18 | +<!-- |
| 19 | +These instructions are for Kubernetes {{< skew currentVersion >}}. If you want |
| 20 | +to check the integrity of components for a different version of Kubernetes, |
| 21 | +check the documentation for that Kubernetes release. |
| 22 | +
|
| 23 | +You will need to have the following tools installed: |
| 24 | +
|
| 25 | +- `cosign` ([install guide](https://docs.sigstore.dev/cosign/installation/)) |
| 26 | +- `curl` (often provided by your operating system) |
| 27 | +--> |
| 28 | +这些说明适用于 Kubernetes {{< skew currentVersion >}}。如果你想要检查其他版本的 Kubernetes 组件的完整性, |
| 29 | +请查看对应 Kubernetes 版本的文档。 |
| 30 | + |
| 31 | +你需要安装以下工具: |
| 32 | + |
| 33 | +- `cosign` ([安装指南](https://docs.sigstore.dev/cosign/installation/)) |
| 34 | +- `curl` (通常由你的操作系统提供) |
| 35 | + |
| 36 | +<!-- |
| 37 | +## Verifying image signatures |
| 38 | +
|
| 39 | +For a complete list of images that are signed please refer |
| 40 | +to [Releases](/releases/download/). |
| 41 | +
|
| 42 | +Let's pick one image from this list and verify its signature using |
| 43 | +the `cosign verify` command: |
| 44 | +--> |
| 45 | +## 验证镜像签名 {#verifying-image-signatures} |
| 46 | + |
| 47 | +完整的镜像签名列表请参见[发行版本](/releases/download/)。 |
| 48 | + |
| 49 | +我们从这个列表中选择一个镜像,并使用 `cosign verify` 命令来验证它的签名: |
| 50 | + |
| 51 | +```shell |
| 52 | +COSIGN_EXPERIMENTAL=1 cosign verify k8s.gcr.io/kube-apiserver-amd64:v1.24.0 |
| 53 | +``` |
| 54 | + |
| 55 | +{{< note >}} |
| 56 | +<!-- |
| 57 | +`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed |
| 58 | +in `KEYLESS` mode. To learn more about keyless signing, please refer to |
| 59 | +[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures) |
| 60 | +--> |
| 61 | +`COSIGN_EXPERIMENTAL=1` 用于对以 `KEYLESS` 模式签名的镜像进行验证。想要进一步了解 `KEYLESS`,请参考 |
| 62 | +[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)。 |
| 63 | +{{< /note >}} |
| 64 | + |
| 65 | +<!-- |
| 66 | +### Verifying images for all control plane components |
| 67 | +
|
| 68 | +To verify all signed control plane images, please run this command: |
| 69 | +--> |
| 70 | +### 验证所有控制平面组件镜像 {#verifying-images-for-all-control-plane-components} |
| 71 | + |
| 72 | +验证所有已签名的控制平面组件镜像,请运行以下命令: |
| 73 | + |
| 74 | +```shell |
| 75 | +curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep 'PackageName: k8s.gcr.io/' | awk '{print $2}' > images.txt |
| 76 | +input=images.txt |
| 77 | +while IFS= read -r image |
| 78 | +do |
| 79 | + COSIGN_EXPERIMENTAL=1 cosign verify "$image" |
| 80 | +done < "$input" |
| 81 | +``` |
| 82 | + |
| 83 | +<!-- |
| 84 | +Once you have verified an image, specify that image by its digest in your Pod |
| 85 | +manifests as per this |
| 86 | +example: `registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2`. |
| 87 | +
|
| 88 | +For more information, please refer |
| 89 | +to [Image Pull Policy](/docs/concepts/containers/images/#image-pull-policy) |
| 90 | +section. |
| 91 | +--> |
| 92 | +当你完成某个镜像的验证时,可以在你的 Pod 清单通过摘要值来指定该镜像,例如: |
| 93 | +`registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2`。 |
| 94 | + |
| 95 | +要了解更多信息,请参考[镜像拉取策略](/zh-cn/docs/concepts/containers/images/#image-pull-policy)章节。 |
| 96 | + |
| 97 | +<!-- |
| 98 | +## Verifying Image Signatures with Admission Controller |
| 99 | +
|
| 100 | +For non-control plane images ( |
| 101 | +e.g. [conformance image](https://github.com/kubernetes/kubernetes/blob/master/test/conformance/image/README.md)) |
| 102 | +, signatures can also be verified at deploy time using |
| 103 | +[cosigned](https://docs.sigstore.dev/cosign/kubernetes/#cosigned-admission-controller) |
| 104 | +admission controller. To get started with `cosigned` here are a few helpful |
| 105 | +resources: |
| 106 | +
|
| 107 | +* [Installation](https://github.com/sigstore/helm-charts/tree/main/charts/cosigned) |
| 108 | +* [Configuration Options](https://github.com/sigstore/cosign/tree/main/config) |
| 109 | +--> |
| 110 | +## 使用准入控制器验证镜像签名 {#verifying-image-signatures-with-admission-controller} |
| 111 | + |
| 112 | +有一些非控制平面镜像 |
| 113 | +(例如 [conformance 镜像](https://github.com/kubernetes/kubernetes/blob/master/test/conformance/image/README.md)), |
| 114 | +也可以在部署时使用 |
| 115 | +[cosigned](https://docs.sigstore.dev/cosign/kubernetes/#cosigned-admission-controller) |
| 116 | +控制器验证其签名。如要使用 `cosigned`,下面是一些有帮助的资源: |
| 117 | + |
| 118 | +* [安装](https://github.com/sigstore/helm-charts/tree/main/charts/cosigned) |
| 119 | +* [配置选项](https://github.com/sigstore/cosign/tree/main/config) |
| 120 | + |
0 commit comments