Verify Signed Kubernetes Artifacts
These instructions are for Kubernetes 1.26. If you want to check the integrity of components for a different version of Kubernetes, check the documentation for that Kubernetes release.
You will need to have the following tools installed:
cosign (the page's verification commands below are cosign commands)
curl (often provided by your operating system)
The Kubernetes release process signs all binary artifacts (tarballs, SPDX files, standalone binaries) by using cosign's keyless signing. To verify a particular binary, retrieve it together with its detached signature and the signing certificate, then check all three with cosign verify-blob. Keyless verification is only as strong as the identity check: pin the expected signer identity and OIDC issuer rather than accepting any certificate Fulcio has ever issued.
Note: To learn more about keyless signing, please refer to Keyless Signatures.
For a complete list of images that are signed please refer to Releases.
Pick one image from this list and verify its signature with the cosign verify command, again pinning the signer identity and OIDC issuer.
To verify all signed control plane images, build the list of control plane image references for your release and run cosign verify against each one, treating any single failure as a failure of the whole check.
Once you have verified an image, specify that image by its digest in your Pod manifests, as in this example: registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2. A tag can be moved to point at different content after you verified it; a digest pins the exact manifest that was verified.
For more information, refer to the Image Pull Policy section.
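The whole procedure above, as an added example that is not part of the Kubernetes documentation or release tooling: download a binary with its signature and certificate and verify the blob, extract the control plane image references from a release SPDX SBOM, verify each image, and print the digest-pinned reference to put in a Pod manifest. It assumes the artifact URL layout under dl.k8s.io, the SBOM location at sbom.k8s.io, and the signer identity and OIDC issuer named in the script header; none of these is stated on this page, so confirm them against the documentation for your release. The SBOM fragment and the cosign verify output embedded in the script are constructed so the parsing functions can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not Kubernetes project code). Requires cosign 2.x and curl.
# Assumptions, not taken from the page:
#  * binaries live at https://dl.k8s.io/release/<ver>/bin/<os>/<arch>/<name>,
#    with the signature at <name>.sig and the certificate at <name>.cert
#  * the release SBOM is served at https://sbom.k8s.io/<ver>/release
#  * the release pipeline signs as SIGNER_IDENTITY through SIGNER_ISSUER
set -eu

SIGNER_IDENTITY="krel-staging@k8s-releng-prod.iam.gserviceaccount.com"
SIGNER_ISSUER="https://accounts.google.com"

# Print the artifact, signature and certificate URLs for one binary, one per line.
artifact_urls() {
  ver="$1"; os="$2"; arch="$3"; name="$4"
  base="https://dl.k8s.io/release/${ver}/bin/${os}/${arch}"
  printf '%s\n' "${base}/${name}" "${base}/${name}.sig" "${base}/${name}.cert"
}

# Download the three files into the current directory and verify the blob.
# Without --certificate-identity/--certificate-oidc-issuer, any Fulcio-issued
# certificate would satisfy keyless verification, so both are pinned.
verify_binary() {
  ver="$1"; os="$2"; arch="$3"; name="$4"
  artifact_urls "$ver" "$os" "$arch" "$name" | while IFS= read -r url; do
    curl -sSfL --retry 3 --retry-delay 3 "$url" -o "${url##*/}"
  done
  cosign verify-blob "$name" \
    --signature "${name}.sig" \
    --certificate "${name}.cert" \
    --certificate-identity "$SIGNER_IDENTITY" \
    --certificate-oidc-issuer "$SIGNER_ISSUER"
}

# Read an SPDX SBOM on stdin and turn package IDs of the assumed form
#   SPDXID: SPDXRef-Package-registry.k8s.io-kube-apiserver-amd64-v1.26.0
# into image references (registry.k8s.io/kube-apiserver-amd64:v1.26.0),
# skipping the per-layer sha256 entries.
images_from_sbom() {
  grep '^SPDXID: SPDXRef-Package-registry\.k8s\.io-' \
    | grep -v sha256 \
    | sed -E -e 's#^SPDXID: SPDXRef-Package-##' \
             -e 's#-#/#' \
             -e 's#-(v[0-9]+\.[0-9]+\.[0-9]+[^ ]*)$#:\1#' \
    | sort -u
}

# Pull the manifest digest out of the JSON that `cosign verify` prints, so the
# verified image can be pinned as repo@sha256:... in a Pod manifest.
digest_from_verify_output() {
  sed -nE 's/.*"docker-manifest-digest": *"(sha256:[0-9a-f]{64})".*/\1/p' | head -n 1
}

# Replace the tag of an image reference with the verified digest.
pin_reference() {
  printf '%s@%s\n' "${1%:*}" "$2"
}

# Verify each image read from stdin and print its pinned reference; any
# verification failure aborts the whole run.
verify_images() {
  while IFS= read -r image; do
    digest="$(cosign verify \
      --certificate-identity "$SIGNER_IDENTITY" \
      --certificate-oidc-issuer "$SIGNER_ISSUER" \
      "$image" 2>/dev/null | digest_from_verify_output)"
    [ -n "$digest" ] || { echo "verification FAILED for $image" >&2; return 1; }
    pin_reference "$image" "$digest"
  done
}

# Constructed SBOM fragment in the assumed SPDXID shape (layer digests shortened);
# used only to exercise images_from_sbom offline.
SAMPLE_SBOM='PackageName: kube-apiserver-amd64
SPDXID: SPDXRef-Package-registry.k8s.io-kube-apiserver-amd64-v1.26.0
SPDXID: SPDXRef-Package-registry.k8s.io-kube-apiserver-amd64-v1.26.0-sha256-0a1b2c3d
SPDXID: SPDXRef-Package-registry.k8s.io-kube-controller-manager-amd64-v1.26.0
SPDXID: SPDXRef-Package-registry.k8s.io-kube-controller-manager-amd64-v1.26.0-sha256-4e5f6a7b
SPDXID: SPDXRef-Package-kubernetes-src-v1.26.0'
sample_images() { printf '%s\n' "$SAMPLE_SBOM" | images_from_sbom; }

# Constructed cosign verify output (simple-signing payload) for the offline check.
SAMPLE_VERIFY_OUTPUT='[{"critical":{"identity":{"docker-reference":"registry.k8s.io/kube-apiserver-amd64"},"image":{"docker-manifest-digest":"sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2"},"type":"cosign container image signature"}}]'
sample_digest() { printf '%s' "$SAMPLE_VERIFY_OUTPUT" | digest_from_verify_output; }

main() {
  ver="${VERSION:-v1.26.0}"
  verify_binary "$ver" linux amd64 kubectl
  curl -sSfL "https://sbom.k8s.io/${ver}/release" | images_from_sbom | verify_images
}

# Network and cosign are only touched when invoked explicitly: ./verify.sh --run
if [ "${1:-}" = "--run" ]; then
  main
fi
```

Run it with `VERSION=v1.26.0 ./verify.sh --run`; each line it prints is a digest-pinned reference ready to paste into a manifest. The identity and issuer pins are the part worth getting right: if the release pipeline's signing identity differs from the one assumed in the header, verification fails closed rather than accepting a signature from some other Fulcio identity.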