Creating a signed container image
To run OpenShift sandboxed containers 1.12 with Confidential Containers enabled, you must have the container (workload) image signed.
- Log in to your Quay registry by running the following command:
  $ docker login quay.io -u <username> -p <password>
- Pull the container image onto your local machine:
  $ docker pull quay.io/prometheus/busybox:latest
- Tag the container image to your repository in the Quay registry by running the following command:
  $ docker tag quay.io/prometheus/busybox:latest quay.io/<username>/busybox:latest
- Push the container image to your repository in the Quay registry by running the following command:
  $ docker push quay.io/<username>/busybox
- Install the Cosign package by running the following command:
  $ rpm -ivh --nodeps --force https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-2.4.1-1.s390x.rpm
- Log in to your Quay registry using cosign by running the following command:
  $ cosign login quay.io --username='<username>' --password='<password>'
- Generate a key pair to sign the container image:
  $ cosign generate-key-pair
  This creates cosign.key and cosign.pub.
- Sign and verify the container image in the Quay registry with the private key by running the following command:
  $ cosign sign --key cosign.key quay.io/<username>/busybox
- Place the key under the kbs directory by running the following command:
  $ mv cosign.pub kbs/
- Create the container image signature verification policy by performing the following steps:
  - Create a containers-policy.json file with the signature verification according to the following example:
    {
      "default": [],
      "transports": {
        "docker": {
          "quay.io/<username>/busybox:latest": [
            {
              "type": "sigstoreSigned",
              "keyPath": "kbs:///default/img-sig/pub-key"
            }
          ]
        }
      }
    }
  - Place the policy under the kbs directory by running the following command:
    $ mv containers-policy.json kbs/osc
- Create a
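A way to check which requirements in a containers-policy.json of the shape shown above would actually apply to a given image reference, and whether they demand a sigstore signature verified with a key fetched from the KBS. This is an added example, not code from the OpenShift sandboxed containers documentation or project; it assumes the scope-matching order used by containers/image policy files (full reference, then repository, parent namespaces, registry host, then "default") and uses a constructed sample policy with a made-up account name in place of <username>.

```python
"""Resolve the policy.json requirements that apply to an image reference."""
import json

# Constructed sample: the policy from the steps above, with <username>
# replaced by a made-up account name.
SAMPLE_POLICY = json.dumps({
    "default": [],
    "transports": {
        "docker": {
            "quay.io/example-user/busybox:latest": [
                {"type": "sigstoreSigned",
                 "keyPath": "kbs:///default/img-sig/pub-key"}
            ]
        }
    }
})


def candidate_scopes(image_ref):
    """Scopes tried most specific first: full reference (tag or digest),
    repository, each parent namespace, then the registry host."""
    repo = image_ref.split("@", 1)[0]          # drop a @sha256:... digest
    host, _, path = repo.partition("/")
    if ":" in path:                            # drop a tag, keep a host port
        path = path.rsplit(":", 1)[0]
    repo = f"{host}/{path}" if path else host
    scopes = [image_ref, repo]
    parts = repo.split("/")
    while len(parts) > 1:                      # walk up the namespaces
        parts = parts[:-1]
        scopes.append("/".join(parts))
    return scopes


def effective_requirements(policy, image_ref):
    """Return the requirement list the policy applies to image_ref."""
    docker = policy.get("transports", {}).get("docker", {})
    for scope in candidate_scopes(image_ref):
        if scope in docker:
            return docker[scope]
    return policy.get("default", [])


def requires_kbs_signature(policy_json, image_ref):
    """True only if the applicable requirements include a sigstoreSigned
    entry whose public key comes from the KBS (a kbs:/// keyPath)."""
    reqs = effective_requirements(json.loads(policy_json), image_ref)
    return any(r.get("type") == "sigstoreSigned"
               and str(r.get("keyPath", "")).startswith("kbs:///")
               for r in reqs)
```

Note that the scope in the sample policy names the tag, so a pull of the same repository under another tag falls through to "default" rather than to the signature requirement.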