|
1 | 1 | --- |
2 | 2 | layout: blog |
3 | | -title: "Verifying container image signatures within CRI runtimes" |
| 3 | +title: "Verifying Container Image Signatures Within CRI Runtimes" |
4 | 4 | date: 2023-06-29 |
5 | 5 | slug: container-image-signature-verification |
6 | 6 | --- |
@@ -40,7 +40,7 @@ the signatures. |
40 | 40 |
|
41 | 41 | The general usage flow for an admission controller based verification is: |
42 | 42 |
|
43 | | - |
| 43 | +{{< figure src="/blog/2023/06/29/container-image-signature-verification/flow.svg" alt="Create an instance of the policy and annotate the namespace to validate the signatures. Then create the pod. The controller evaluates the policy and if it passes, then it does the image pull if necessary. If the policy evaluation fails, then it will not admit the pod." >}} |
44 | 44 |
|
45 | 45 | A key benefit of this architecture is simplicity: A single instance within the |
46 | 46 | cluster validates the signatures before any image pull can happen in the |
@@ -289,17 +289,17 @@ maintain and define the policies to provide a good user experience around that |
289 | 289 | feature. The CRDs of the policy-controller are great, while we could imagine that |
290 | 290 | a daemon within the cluster can write the policies for CRI-O per namespace. This |
291 | 291 | would make any additional hook obsolete and moves the responsibility of |
292 | | -verifying the image signature to the actual instance which pulls the image. [We |
| 292 | +verifying the image signature to the actual instance which pulls the image. [I |
293 | 293 | evaluated][thread] other possible paths toward a better container image |
294 | | -signature verification within plain Kubernetes, but we could not find a great fit |
295 | | -for a native API. This means that we believe that a CRD is the way to go, but we |
296 | | -still need an instance which actually serves it. |
| 294 | +signature verification within plain Kubernetes, but I could not find a great fit |
| 295 | +for a native API. This means that I believe that a CRD is the way to go, but |
| 296 | +users still need an instance which actually serves it. |
297 | 297 |
|
298 | 298 | [thread]: https://groups.google.com/g/kubernetes-sig-node/c/kgpxqcsJ7Vc/m/7X7t_ElsAgAJ |
299 | 299 |
|
300 | 300 | Thank you for reading this blog post! If you're interested in more, providing |
301 | | -feedback or asking for help, then feel free to get in touch with us directly via |
302 | | -[Slack (#crio)][slack] or the [SIG node mailing list][mail]. |
| 301 | +feedback or asking for help, then feel free to get in touch with me directly via |
| 302 | +[Slack (#crio)][slack] or the [SIG Node mailing list][mail]. |
303 | 303 |
|
304 | 304 | [slack]: https://kubernetes.slack.com/messages/crio |
305 | 305 | [mail]: https://groups.google.com/forum/#!forum/kubernetes-sig-node |
0 commit comments