我的书签
添加书签
移除书签Container image signatures
Quay.io serves most of the images that make up OKD, and only the release image is signed. Release images refer to the approved OKD images, offering a degree of protection against supply chain attacks. However, some extensions to OKD, such as logging, monitoring, and service mesh, are shipped as Operators from the Operator Lifecycle Manager (OLM). Those images ship from the registry.
To verify the integrity of those images between Red Hat registries and your infrastructure, enable signature verification.
Enabling container signature validation for Red Hat Container Registries requires writing a signature verification policy file specifying the keys to verify images from these registries. For RHEL8 nodes, the registries are already defined in by default.
Procedure
Create a Butane config file,
51-worker-rh-registry-trust.bu, containing the necessary configuration for the worker nodes.Use Butane to generate a machine config YAML file,
51-worker-rh-registry-trust.yaml, containing the file to be written to disk on the worker nodes:$ butane 51-worker-rh-registry-trust.bu -o 51-worker-rh-registry-trust.yaml
Apply the created machine config:
$ oc apply -f 51-worker-rh-registry-trust.yaml
Check that the worker machine config pool has rolled out with the new machine config:
Check that the new machine config was created:
$ oc get mc
NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE00-master a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m00-worker a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m01-master-container-runtime a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m01-master-kubelet a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m01-worker-container-runtime a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m01-worker-kubelet a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m51-master-rh-registry-trust 3.2.0 13s51-worker-rh-registry-trust 3.2.0 53s (1)99-master-generated-crio-seccomp-use-default 3.2.0 25m99-master-generated-registries a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m99-master-ssh 3.2.0 28m99-worker-generated-crio-seccomp-use-default 3.2.0 25m99-worker-generated-registries a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 25m99-worker-ssh 3.2.0 28mrendered-master-af1e7ff78da0a9c851bab4be2777773b a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 8srendered-master-cd51fd0c47e91812bfef2765c52ec7e6 a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 24mrendered-worker-2b52f75684fbc711bd1652dd86fd0b82 a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 24mrendered-worker-be3b3bce4f4aa52a62902304bac9da3c a2178ad522c49ee330b0033bb5cb5ea132060b0a 3.2.0 48s (2)
Check that the worker machine config pool is updating with the new machine config:
$ oc get mcp
Sample output
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGEmaster rendered-master-af1e7ff78da0a9c851bab4be2777773b True False False 3 3 3 0 30mworker rendered-worker-be3b3bce4f4aa52a62902304bac9da3c False True False 3 0 0 0 30m (1)
If your cluster uses any RHEL7 worker nodes, when the worker machine config pool is updated, create YAML files on those nodes in the
/etc/containers/registries.ddirectory, which specify the location of the detached signatures for a given registry server. The following example works only for images hosted inregistry.access.redhat.comandregistry.redhat.io.Start a debug session to each RHEL7 worker node:
Change your root directory to
/host:sh-4.2# chroot /host
Create a
/etc/containers/registries.d/registry.redhat.io.yamlfile that contains the following:docker:registry.redhat.io:sigstore: https://registry.redhat.io/containers/sigstore
Create a
/etc/containers/registries.d/registry.access.redhat.com.yamlfile that contains the following:docker:registry.access.redhat.com:sigstore: https://access.redhat.com/webassets/docker/content/sigstore
Exit the debug session.
After you apply the machine configs to the cluster, the Machine Config Controller detects the new MachineConfig object and generates a new rendered-worker-<hash> version.
Prerequisites
- You enabled signature verification by using a machine config file.
On the command line, run the following command to display information about a desired worker:
$ oc describe machineconfigpool/worker
Example output of initial worker monitoring
Name: workerNamespace:Labels: machineconfiguration.openshift.io/mco-built-in=Annotations: <none>API Version: machineconfiguration.openshift.io/v1Kind: MachineConfigPoolMetadata:Creation Timestamp: 2019-12-19T02:02:12ZGeneration: 3Resource Version: 16229Self Link: /apis/machineconfiguration.openshift.io/v1/machineconfigpools/workerUID: 92697796-2203-11ea-b48c-fa163e3940e5Spec:Configuration:Source:API Version: machineconfiguration.openshift.io/v1Name: 00-workerAPI Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 01-worker-container-runtimeAPI Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 01-worker-kubeletAPI Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 51-worker-rh-registry-trustAPI Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 99-worker-92697796-2203-11ea-b48c-fa163e3940e5-registriesAPI Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 99-worker-sshMachine Config Selector:Match Labels:machineconfiguration.openshift.io/role: workerNode Selector:Match Labels:node-role.kubernetes.io/worker:Paused: falseStatus:Conditions:Last Transition Time: 2019-12-19T02:03:27ZMessage:Reason:Status: FalseType: RenderDegradedLast Transition Time: 2019-12-19T02:03:43ZMessage:Reason:Status: FalseType: NodeDegradedLast Transition Time: 2019-12-19T02:03:43ZMessage:Reason:Status: FalseType: DegradedLast Transition Time: 2019-12-19T02:28:23ZMessage:Reason:Status: FalseType: UpdatedLast Transition Time: 2019-12-19T02:28:23ZMessage: All nodes are updating to rendered-worker-f6819366eb455a401c42f8d96ab25c02Reason:Status: TrueType: UpdatingConfiguration:Name: rendered-worker-d9b3f4ffcfd65c30dcf591a0e8cf9b2eSource:API Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 00-workerAPI Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 01-worker-container-runtimeAPI Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 01-worker-kubeletKind: MachineConfigAPI Version: machineconfiguration.openshift.io/v1Kind: MachineConfigName: 99-worker-sshDegraded Machine Count: 0Machine Count: 1Observed Generation: 3Ready Machine Count: 0Unavailable Machine Count: 1Updated Machine Count: 0Events: <none>
Run the
oc describecommand again:$ oc describe machineconfigpool/worker
Example output after the worker is updated
Confirm that the
policy.jsonfile exists with the following command:$ oc debug node/<node> -- chroot /host cat /etc/containers/policy.json
Example output
Starting pod/<node>-debug ...To use host binaries, run `chroot /host`{"default": [{"type": "insecureAcceptAnything"}],"transports": {"docker": {"registry.access.redhat.com": [{"type": "signedBy","keyType": "GPGKeys","keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}],"registry.redhat.io": [{"type": "signedBy","keyType": "GPGKeys","keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"}]},"docker-daemon": {"": [{"type": "insecureAcceptAnything"}]}}}
Confirm that the
registry.redhat.io.yamlfile exists with the following command:$ oc debug node/<node> -- chroot /host cat /etc/containers/registries.d/registry.redhat.io.yaml
Example output
Starting pod/<node>-debug ...To use host binaries, run `chroot /host`docker:registry.redhat.io:sigstore: https://registry.redhat.io/containers/sigstore
Confirm that the
registry.access.redhat.com.yamlfile exists with the following command:$ oc debug node/<node> -- chroot /host cat /etc/containers/registries.d/registry.access.redhat.com.yaml
Starting pod/<node>-debug ...To use host binaries, run `chroot /host`docker:registry.access.redhat.com:
