Task Page for Verifying Signed Images (#32184)

PushkarJ · saschagrunert · Tim Bannister · web-flow · commit ba6776b2a677 · 2022-04-12T08:29:23.000-07:00
* Add container image signing docs

Signed-off-by: Sascha Grunert &lt;sgrunert@redhat.com&gt;

* Creates a task page to verify signed control plane container images

* Added info about cosigned and why we need cosign in experimental mode

Updates based on PR review

Apply suggestions from code review

Co-authored-by: Tim Bannister &lt;tim@scalefactory.com&gt;

* Uses K8s SBoM to get list of signed images

Apply suggestions from code review

Co-authored-by: Qiming Teng &lt;tengqm@outlook.com&gt;
Co-authored-by: Chris Negus &lt;cnegus@redhat.com&gt;

* Add current scope of sign/verify

Co-authored-by: Sascha Grunert &lt;sgrunert@redhat.com&gt;
Co-authored-by: Tim Bannister &lt;tim@scalefactory.com&gt;
Co-authored-by: Qiming Teng &lt;tengqm@outlook.com&gt;
Co-authored-by: Chris Negus &lt;cnegus@redhat.com&gt;
diff --git a/content/en/docs/tasks/administer-cluster/verify-signed-images.md b/content/en/docs/tasks/administer-cluster/verify-signed-images.md
@@ -0,0 +1,72 @@
+---
+title: Verify Signed Container Images
+content_type: task
+min-kubernetes-server-version: v1.24
+---
+
+<!-- overview -->
+
+{{< feature-state state="alpha" for_k8s_version="v1.24" >}}
+
+## {{% heading "prerequisites" %}}
+
+These instructions are for Kubernetes {{< skew currentVersion >}}. If you want
+to check the integrity of components for a different version of Kubernetes,
+check the documentation for that Kubernetes release.
+
+You will need to have the following tools installed:
+
+- `cosign` ([install guide](https://docs.sigstore.dev/cosign/installation/))
+- `curl` (often provided by your operating system)
+
+## Verifying image signatures
+
+For a complete list of images that are signed please refer
+to [Releases](/releases/download/).
+
+Let's pick one image from this list and verify its signature using
+the `cosign verify` command:
+
+```shell
+COSIGN_EXPERIMENTAL=1 cosign verify k8s.gcr.io/kube-apiserver-amd64:v1.24.0
+```
+
+{{< note >}}
+`COSIGN_EXPERIMENTAL=1` is used to allow verification of images signed
+in `KEYLESS` mode. To learn more about keyless signing, please refer to
+[Keyless Signatures](https://github.com/sigstore/cosign/blob/main/KEYLESS.md#keyless-signatures)
+. {{< /note >}}
+
+### Verifying images for all control plane components
+
+To verify all signed control plane images, please run this command:
+
+```shell
+curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep 'PackageName: k8s.gcr.io/' | awk '{print $2}' > images.txt
+input=images.txt
+while IFS= read -r image
+do
+  COSIGN_EXPERIMENTAL=1 cosign verify "$image"
+done < "$input"
+```
+
+Once you have verified an image, specify that image by its digest in your Pod
+manifests as per this
+example: `registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2`
+.
+
+For more information, please refer
+to [Image Pull Policy](/docs/concepts/containers/images/#image-pull-policy)
+section.
+
+## Verifying Image Signatures with Admission Controller
+
+For non-control plane images (
+e.g. [conformance image](https://github.com/kubernetes/kubernetes/blob/master/test/conformance/image/README.md))
+, signatures can also be verified at deploy time using
+[cosigned](https://docs.sigstore.dev/cosign/kubernetes/#cosigned-admission-controller)
+admission controller. To get started with `cosigned` here are a few helpful
+resources:
+
+* [Installation](https://github.com/sigstore/helm-charts/tree/main/charts/cosigned)
+* [Configuration Options](https://github.com/sigstore/cosign/tree/main/config)
diff --git a/content/en/releases/download.md b/content/en/releases/download.md
@@ -3,6 +3,8 @@ title: Download Kubernetes
 type: docs
 ---
 
+# Core Kubernetes components
+
 Kubernetes ships binaries for each component as well as a standard set of client
 applications to bootstrap or interact with a cluster. Components like the
 Kube API Server are capable of running within container images inside of a
@@ -68,7 +70,21 @@ container image name, for example
 [`k8s.gcr.io/kube-apiserver-arm64:{{< param "fullversion" >}}`][0-arm64]. All
 those derivations are signed in the same way as the multi-architecture manifest lists.
 
-<!-- TODO: describe how to use the signed images -->
+The Kubernetes project publishes a list of signed Kubernetes container images
+in SBoM (Software Bill of Materials) format.
+You can fetch that list using:
+
+```shell
+curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep 'PackageName: k8s.gcr.io/' | awk '{print $2}'
+```
+For Kubernetes v{{< skew currentVersion >}}, the only kind of code artifact that
+you can verify integrity for is a container image, using the experimental
+signing support.
+
+To manually verify signed container images of Kubernetes core components, please refer to
+[Verify Signed Container Images](/docs/tasks/administer-cluster/verify-signed-images).
+
+
 
 ## Binaries
 
