Verify Signed Kubernetes Artifacts
These instructions are for Kubernetes 1.27. If you want to check the integrity of components for a different version of Kubernetes, check the documentation for that Kubernetes release.
You will need to have the following tools installed:
- cosign (v1.9.0 or newer; see the note on the --certificate flag below)
- curl (often provided by your operating system)
The Kubernetes release process signs all binary artifacts (tarballs, SPDX files, standalone binaries) by using cosign’s keyless signing. To verify a particular binary, retrieve it together with its signature and certificate:
Note: cosign v1.9.0 or newer is required to be able to use the --certificate flag. Please use --cert with older versions of cosign.
Note: To learn more about keyless signing, please refer to Keyless Signatures.
For a complete list of images that are signed please refer to Releases.
Note: COSIGN_EXPERIMENTAL=1 is used to allow verification of images signed in KEYLESS mode. To learn more about keyless signing, please refer to Keyless Signatures.
To verify all signed control plane images, please run this command:
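The following script is an added example, not the Kubernetes project's own verification command. It covers both procedures on this page: fetching a release binary together with its .sig and .cert files and checking it with cosign verify-blob, and checking a list of images with cosign verify. It assumes the dl.k8s.io path layout shown in the k8s_artifact_urls function and cosign 2.x, which requires the signer identity and OIDC issuer to be passed explicitly; the SIGNER_IDENTITY and OIDC_ISSUER values are assumptions to confirm against the release documentation for the version you verify.

```shell
#!/bin/sh
# Added example (not from the Kubernetes docs): verify a release binary and a
# list of images using cosign keyless verification.
# Assumed: dl.k8s.io layout below, cosign 2.x flags, and the signer identity /
# OIDC issuer values, which must be confirmed against the release docs.
set -eu

SIGNER_IDENTITY="krel-staging@k8s-releng-prod.iam.gserviceaccount.com"  # assumed
OIDC_ISSUER="https://accounts.google.com"                                # assumed

# Print the download URLs for a binary, its signature and its certificate.
# usage: k8s_artifact_urls VERSION OS ARCH BINARY
k8s_artifact_urls() {
    base="https://dl.k8s.io/release/$1/bin/$2/$3"
    for f in "$4" "$4.sig" "$4.cert"; do
        printf '%s/%s\n' "$base" "$f"
    done
}

# Download binary, .sig and .cert into the current directory, then verify the
# blob against its certificate. A failed download or verification aborts
# (set -e), so a passing run means the binary is signed by the expected identity.
# usage: verify_k8s_binary VERSION OS ARCH BINARY
verify_k8s_binary() {
    binary="$4"
    k8s_artifact_urls "$1" "$2" "$3" "$4" | while IFS= read -r url; do
        curl -sSfL --retry 3 --retry-delay 3 "$url" -o "${url##*/}"
    done
    cosign verify-blob "$binary" \
        --signature "$binary.sig" \
        --certificate "$binary.cert" \
        --certificate-identity "$SIGNER_IDENTITY" \
        --certificate-oidc-issuer "$OIDC_ISSUER"
}

# Verify every image reference listed in a file (one per line); stops at the
# first image whose signature does not check out.
# usage: verify_images LIST_FILE
verify_images() {
    while IFS= read -r image; do
        [ -n "$image" ] || continue
        cosign verify "$image" \
            --certificate-identity "$SIGNER_IDENTITY" \
            --certificate-oidc-issuer "$OIDC_ISSUER" > /dev/null
        echo "verified: $image"
    done < "$1"
}

# Command-line entry point; nothing runs when sourced without arguments.
#   sh verify.sh blob v1.27.0 linux amd64 kubectl
#   sh verify.sh images images.txt
if [ "$#" -gt 0 ]; then
    case "$1" in
        blob)   shift; verify_k8s_binary "$@" ;;
        images) verify_images "$2" ;;
        *)      echo "usage: $0 blob VERSION OS ARCH BINARY | images LIST_FILE" >&2; exit 2 ;;
    esac
fi
```

Keep the downloaded .sig and .cert next to the binary until verification has passed; the certificate is what binds the signature to the release signer's identity, so verifying the signature without checking the identity and issuer would accept any keyless signature from any signer.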
Once you have verified an image, specify that image by its digest (image@sha256:…) rather than by tag in your Pod manifests, so that the image the cluster pulls is exactly the one you verified.
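A small check for the digest-pinning advice above, written as an added example that is not part of the Kubernetes documentation: it lists every image reference in a manifest that is not pinned to a sha256 digest. The sample manifest and its digest value are constructed for the example.

```shell
#!/bin/sh
# Added example: report container images in a manifest that are referenced by
# tag instead of by @sha256 digest. Sample manifest below is constructed.
set -eu

# usage: unpinned_images MANIFEST_FILE
# Prints each `image:` value that does not end in a 64-hex-character digest.
unpinned_images() {
    grep -E '^[[:space:]]*(-[[:space:]]*)?image:' "$1" \
    | sed -E 's/^[[:space:]]*(-[[:space:]]*)?image:[[:space:]]*"?([^"[:space:]]+)"?.*$/\2/' \
    | { grep -vE '@sha256:[0-9a-f]{64}$' || true; }
}

# Constructed sample Pod manifest: one digest-pinned image (placeholder digest)
# and two images referenced only by tag.
write_sample_manifest() {
    cat > "$1" <<'EOF'
apiVersion: v1
kind: Pod
metadata:
  name: sample
spec:
  containers:
  - name: api
    image: registry.k8s.io/kube-apiserver-amd64@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
  - name: sidecar
    image: "registry.k8s.io/pause:3.9"
  initContainers:
  - name: init
    image: example.invalid/init:latest
EOF
}

# Check the manifest given on the command line, or the sample if none is given.
if [ "$#" -eq 1 ]; then
    unpinned_images "$1"
else
    tmp=$(mktemp)
    write_sample_manifest "$tmp"
    unpinned_images "$tmp"
    rm -f "$tmp"
fi
```

Run against the sample, the script prints the two tagged references and stays silent about the digest-pinned one; an empty result for a real manifest means every image will be pulled by the digest you verified.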
For non-control plane images (e.g. the conformance image), signatures can also be verified at deploy time using an admission controller. To get started with policy-controller, here are a few helpful resources: