From 7949cf3778eecdc6ce9efa999ef9315974a4c163 Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Wed, 21 Jun 2023 09:03:17 +0200 Subject: [PATCH] Add paragraph about the docker-reference Signed-off-by: Sascha Grunert --- .../index.md | 42 ++++++++++++++++++- 1 file changed, 41 insertions(+), 1 deletion(-) diff --git a/content/en/blog/_posts/2023-06-29-container-image-signature-verification/index.md b/content/en/blog/_posts/2023-06-29-container-image-signature-verification/index.md index fb7dbdadb9..644ff5c34e 100644 --- a/content/en/blog/_posts/2023-06-29-container-image-signature-verification/index.md +++ b/content/en/blog/_posts/2023-06-29-container-image-signature-verification/index.md 
@@ -171,7 +171,47 @@ for it: FATA[…] pulling image: rpc error: code = Unknown desc = SignatureValidationFailed: Source image rejected: A signature was required, but no signature exists ``` -The error code `SignatureValidationFailed` got [recently added to +It's important to mention that CRI-O will match the +`.critical.identity.docker-reference` field within the signature to match with +the image repository. For example, if I verify the image +`registry.k8s.io/kube-apiserver-amd64:v1.28.0-alpha.3`, then the corresponding +`docker-reference` should be `registry.k8s.io/kube-apiserver-amd64`: + +```console +> cosign verify registry.k8s.io/kube-apiserver-amd64:v1.28.0-alpha.3 \ + --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \ + --certificate-oidc-issuer https://accounts.google.com \ + | jq -r '.[0].critical.identity."docker-reference"' +… + +registry.k8s.io/kubernetes/kube-apiserver-amd64 +``` + +The Kubernetes community introduced `registry.k8s.io` as proxy mirror for +various registries. Before the release of [kpromo v4.0.2][kpromo], images +had been signed with the actual mirror rather than `registry.k8s.io`: + +[kpromo]: https://github.com/kubernetes-sigs/promo-tools/releases/tag/v4.0.2 + +```console +> cosign verify registry.k8s.io/kube-apiserver-amd64:v1.28.0-alpha.2 \ + --certificate-identity krel-trust@k8s-releng-prod.iam.gserviceaccount.com \ + --certificate-oidc-issuer https://accounts.google.com \ + | jq -r '.[0].critical.identity."docker-reference"' +… + +asia-northeast2-docker.pkg.dev/k8s-artifacts-prod/images/kubernetes/kube-apiserver-amd64 +``` + +The change of the `docker-reference` to `registry.k8s.io` makes it easier for +end users to validate the signatures, because the cannot know anything about the +underlying infrastructure being used. The feature to set the identity on image +signing has been added to [cosign][cosign-pr] via the flag `sign +--sign-container-identity` as well and will be part of its upcoming release. 
+ +[cosign-pr]: https://github.com/sigstore/cosign/pull/2984 + +The Kubernetes image pull error code `SignatureValidationFailed` got [recently added to Kubernetes][pr-117717] and will be available from v1.28. This error code allows end-users to understand image pull failures directly from the kubectl CLI. For example, if you run CRI-O together with Kubernetes using the policy which requires
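Review bot: the first example contradicts the sentence that introduces it. The prose says that for `registry.k8s.io/kube-apiserver-amd64:v1.28.0-alpha.3` the corresponding `docker-reference` should be `registry.k8s.io/kube-apiserver-amd64`, but the quoted `cosign verify | jq` output is `registry.k8s.io/kubernetes/kube-apiserver-amd64`, with an extra `kubernetes/` path segment. Since the same paragraph states that CRI-O matches this field against the image repository, one of the two must be wrong; either fix the prose to `registry.k8s.io/kubernetes/kube-apiserver-amd64` or re-capture the output against the image that was actually pulled. It would also help readers if the paragraph said explicitly what CRI-O does when the field does not match (the `v1.28.0-alpha.2` example signed with the `asia-northeast2-docker.pkg.dev/...` reference is exactly that case), because that is the reason the section matters for a signature-verification policy. Wording nits in the same hunk: "will match the ... field within the signature to match with the image repository" doubles the verb (suggest "will match the `.critical.identity.docker-reference` field within the signature against the image repository"), "as proxy mirror" should be "as a proxy mirror", and "because the cannot know anything" is missing "they".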