Verifying Kublr docker images

Overview

Starting from version 1.25.1, Kublr signs its Docker images. Before downloading a Kublr Docker image, you can verify that it is the official, signed image.

Checking Kublr Docker image signatures

To check Kublr Docker image signatures, use the verify script presented below.

Script prerequisites:

  • list.txt - the list of Kublr Docker images. Note that only the cr.kublr.com images are controlled and signed by Kublr.

    To get the list file, in the Release Notes for your Kublr version, search for kublr-agent-images.

  • cosign.pub - public key, against which the validity of Kublr signatures is checked.

    The download link for the public key file will be provided soon.

  • Cosign - the open-source tool Kublr uses to sign container images. You also need it to verify signatures and to copy images. If you do not have the tool, install it as described here.

Script:

#!/bin/bash
# Usage: verify.sh list.txt cosign.pub
if [[ $# -ne 2 ]] ; then
    echo 'You need to provide the list of images and the path to the public key'
    echo "Example: $0 list.txt cosign.pub"
    exit 1
fi

# Make sure the Cosign CLI is available
if ! command -v cosign &> /dev/null
then
  echo "COSIGN could not be found, you need to install it first"
  exit 1
fi

# maybe add check 'sha256sum $(command -v cosign)'

# Verify each image reference listed in the file, one per line
while IFS= read -r p; do
  echo "Get $p"
  #registry.kublr-dev.com -> docker.kublr-dev.com
  p=${p/registry.kublr-dev.com/docker.kublr-dev.com}
  #docker.beta.kublr.com -> cr.kublr.com
  p=${p/docker.beta.kublr.com/cr.kublr.com}
  echo "Verify $p"
  cosign verify --key "$2" "$p"
done < "$1"

This script:

  • Checks whether the Cosign utility is installed.
  • Transforms Kublr internal addresses into external ones:
    • registry.kublr-dev.com → docker.kublr-dev.com
    • docker.beta.kublr.com → cr.kublr.com
  • For each line of list.txt, verifies the Kublr signature using the provided public key.
  • Reports whether each listed image is signed by Kublr.

Copying Kublr Docker images

If you deploy Kublr in an air-gapped environment, use the copy script presented below to copy the Kublr Docker images into it.

#!/bin/bash
# Usage: copy.sh list.txt images quay.io/username/kublr
if [[ $# -ne 3 ]] ; then
  echo 'You need to provide the list of images, a directory for the images and the path to your registry'
  echo "Example: $0 list.txt images quay.io/username/kublr"
  exit 1
fi

# Make sure the Cosign CLI is available
if ! command -v cosign &> /dev/null
then
  echo "COSIGN could not be found, you need to install it first"
  exit 1
fi

# maybe add check 'sha256sum $(command -v cosign)'

while IFS= read -r p; do
  #registry.kublr-dev.com -> docker.kublr-dev.com
  p=${p/registry.kublr-dev.com/docker.kublr-dev.com}
  #docker.beta.kublr.com -> cr.kublr.com
  p=${p/docker.beta.kublr.com/cr.kublr.com}
  # Target name = last path component without the @sha256 digest, e.g. "name:tag"
  if [[ $p == *"sha256"* ]]; then
    tag=$(echo "$p"|sed 's:.*/::'|grep -oP '.*?(?=@sha256:)')
  else
    tag=$(echo "$p"|sed 's:.*/::')
  fi
  # Save the image with its signature to disk, then push it to the target registry
  cosign save "$p" --dir "$2"
  cosign load --dir "$2" "$3/$tag"
done < "$1"

This script uses the Cosign utility to copy the images together with their signatures into your isolated environment.
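The two scripts above share the same per-line handling of the image list (the registry rewrites and, for the copy script, the "name:tag" extraction), and the verify script stops reporting after the loop without telling you whether every image passed. The following helpers, an added example rather than Kublr's own scripts, factor that logic into functions and make the verification loop exit non-zero if any image fails, so it can gate a CI or provisioning job. They assume a cosign binary on PATH, a list file in the same format as list.txt, and the Kublr public key in cosign.pub; the two registry rewrites are the ones from the page, and the tag extraction is done in plain bash instead of the sed/grep -P pipeline so it also works without GNU grep.

```shell
#!/usr/bin/env bash
# Added example, not part of the Kublr documentation or its scripts.
# Assumptions: cosign on PATH, a list file with one image reference per line,
# and the Kublr public key in a file (cosign.pub).

# Rewrite a Kublr-internal image reference to its public address (rules from the page).
normalize_ref() {
  local ref="$1"
  ref="${ref/registry.kublr-dev.com/docker.kublr-dev.com}"
  ref="${ref/docker.beta.kublr.com/cr.kublr.com}"
  printf '%s\n' "$ref"
}

# Return "name:tag" for a reference: drop the registry/path and any @sha256 digest.
# Same result as the sed/grep -P pipeline in the copy script, without GNU grep.
tag_from_ref() {
  local ref="$1" last
  last="${ref##*/}"          # strip everything up to the last slash
  last="${last%%@sha256:*}"  # strip a pinned digest, if present
  printf '%s\n' "$last"
}

# Verify every image in a list file against a public key. Keeps going after a
# failure, prints a summary, and returns 1 if any image failed (2 if cosign is
# missing). Blank lines and lines starting with '#' in the list are skipped.
verify_list() {
  local list="$1" key="$2" ref failed=0 total=0
  command -v cosign >/dev/null 2>&1 || { echo "cosign not found" >&2; return 2; }
  while IFS= read -r ref || [[ -n "$ref" ]]; do
    [[ -z "$ref" || "$ref" == "#"* ]] && continue
    ref="$(normalize_ref "$ref")"
    total=$((total + 1))
    # cosign's JSON output is discarded here; drop the redirect to keep it.
    if cosign verify --key "$key" "$ref" >/dev/null 2>&1; then
      echo "OK      $ref"
    else
      echo "FAILED  $ref" >&2
      failed=$((failed + 1))
    fi
  done < "$list"
  echo "$((total - failed))/$total images verified" >&2
  [[ "$failed" -eq 0 ]]
}

# Usage: verify.sh list.txt cosign.pub
if [[ $# -eq 2 ]]; then
  verify_list "$1" "$2"
fi
```

Because `verify_list` returns the overall result as its exit status, a pipeline step such as `verify_list list.txt cosign.pub || exit 1` refuses to continue when even one image in the list is unsigned or signed with a different key, whereas the original loop's exit status only reflects the last image.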

Verifying Kublr image signatures in Kubernetes

In Kubernetes, you can verify Kublr image signatures with the Kyverno policy management utility. This is done with a Verify Images policy, which checks that images matching the rule carry a signature that validates against the provided public key.

For details, see the Verify Images article in the Kyverno documentation.

Below is an example policy that checks new pods in namespaces whose names begin with k (k*) and whose images match quay.io/imname* against the provided public key. The key field must contain the public key the images were signed with, so for Kublr images replace the key shown with the contents of cosign.pub.

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: check-image
      match:
        resources:
          kinds:
            - Pod
          namespaces:
            - "k*"
      verifyImages:
      - image: "quay.io/imname*"
        key: |-
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEfL3+vavbafVq8irFR2tkA0dp8Mcw
          kyfRk8F9wEbR3TL3y9Doc0YUAY5i7EsFdyhCYMpizDJyV1bOB5Q/ld4oJw==
          -----END PUBLIC KEY-----