kubernetes
/
website
mirror of https://github.com/kubernetes/website.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
website/content/en/docs/tasks/administer-cluster/verify-signed-artifacts.md

3.4 KiB
Raw Blame History

title content_type min-kubernetes-server-version weight
Verify Signed Kubernetes Artifacts task v1.26 420

{{< feature-state state="beta" for_k8s_version="v1.26" >}}

{{% heading "prerequisites" %}}

These instructions are for Kubernetes {{< skew currentVersion >}}. If you want to check the integrity of components for a different version of Kubernetes, check the documentation for that Kubernetes release.

You will need to have the following tools installed:

  • cosign (install guide)
  • curl (often provided by your operating system)

Verifying binary signatures

The Kubernetes release process signs all binary artifacts (tarballs, SPDX files, standalone binaries) by using cosign's keyless signing. To verify a particular binary, retrieve it together with its signature and certificate:

URL=https://dl.k8s.io/release/v{{< skew currentVersion >}}.0/bin/linux/amd64
BINARY=kubectl

FILES=(
    "$BINARY"
    "$BINARY.sig"
    "$BINARY.cert"
)

for FILE in "${FILES[@]}"; do
    curl -sSfL --retry 3 --retry-delay 3 "$URL/$FILE" -o "$FILE"
done

Then verify the blob by using cosign:

cosign verify-blob "$BINARY" --signature "$BINARY".sig --certificate "$BINARY".cert

{{< note >}} To learn more about keyless signing, please refer to Keyless Signatures. {{< /note >}}

Verifying image signatures

For a complete list of images that are signed please refer to Releases.

Let's pick one image from this list and verify its signature using the cosign verify command:

COSIGN_EXPERIMENTAL=1 cosign verify registry.k8s.io/kube-apiserver-amd64:v{{< skew currentVersion >}}.0

{{< note >}} COSIGN_EXPERIMENTAL=1 is used to allow verification of images signed in KEYLESS mode. To learn more about keyless signing, please refer to Keyless Signatures . {{< /note >}}

Verifying images for all control plane components

To verify all signed control plane images, please run this command:

curl -Ls https://sbom.k8s.io/$(curl -Ls https://dl.k8s.io/release/latest.txt)/release | grep 'PackageName: registry.k8s.io/' | awk '{print $2}' > images.txt
input=images.txt
while IFS= read -r image
do
  COSIGN_EXPERIMENTAL=1 cosign verify "$image"
done < "$input"

Once you have verified an image, specify that image by its digest in your Pod manifests as per this example: registry-url/image-name@sha256:45b23dee08af5e43a7fea6c4cf9c25ccf269ee113168c19722f87876677c5cb2 .

For more information, please refer to Image Pull Policy section.

Verifying Image Signatures with Admission Controller

For non-control plane images ( e.g. conformance image) , signatures can also be verified at deploy time using sigstore policy-controller admission controller. To get started with policy-controller here are a few helpful resources: