Image signing support for image policies
Configure image signing to enable image enforcement.
Note: Container Image Security Enforcement is deprecated from IBM Cloud Pak® for Multicloud Management 2.3 Fix Pack 5, and will be removed in the next release.
Image signing works with Docker content trust and the Docker notary service to ensure that pods are created only from trusted images. By adding a trust policy to the repository, only a signed image with a valid signature can be deployed.
apiVersion: securityenforcement.admission.cloud.ibm.com/v1beta1
kind: ImagePolicy
metadata:
  name: mcm-services-ns-image-policy
spec:
  repositories:
  - name: <image repository name, such as mycluster.mcm:8500/kube-system/*>
    policy:
      trust:
        enabled: true
        signerSecrets:
        - name: signername
        trustServer: https://<MCM cluster IP>:8443/notary
- enabled
  Set to true to enable image signing.
- signerSecrets
  A list of secrets that store the signer's public key and name. The name must match the role name that is registered with the notary server for this image. Use the following command to create the secret:
  kubectl create secret generic <secret_name> --from-literal=name=<signer_name> --from-file=publicKey=<key.pub>
- trustServer
  The notary server URL.
Troubleshooting errors during image deployment
- Name or public key is not defined in the signer secret
- Image is not signed, or the trust content is not in the notary server
- Repository is not allowed in the image policy
Name or public key is not defined in the signer secret
Symptom
Internal error occurred: admission webhook "trust.hooks.securityenforcement.admission.cloud.ibm.com" denied the request: Deny "hyc-cloud-private-scratch-docker-local.artifactory.swg-devops.com/ibmcom/stsapp/stsapp:0.1", could not get signerSecret from your cluster, name, or publicKey field in secret yannisigner is empty
Cause
The name or public key is not defined in the signer secret.
Solution
Make sure that the secret has both the name and publicKey attributes defined. The attribute name is case-sensitive.
Image is not signed, or the trust content is not in the notary server
Symptom
Error from server (InternalError): error when creating "stsapp-deployment.yaml": Internal error occurred: admission webhook "trust.hooks.securityenforcement.admission.cloud.ibm.com" denied the request:
Deny "hyc-cloud-private-scratch-docker-local.artifactory.swg-devops.com/ibmcom/stsapp/stsapp:0.1", failed to get content trust information: 9.46.78.45:8443 does not have trust data for hyc-cloud-private-scratch-docker-local.artifactory.swg-devops.com/ibmcom/stsapp/stsapp-nosign
Cause
The image is not signed, or the trust content is not in the notary server that is specified in the image policy.
Solution
The image must be signed, and the trust content must be pushed to the specified notary server.
Repository is not allowed in the image policy
Symptom
Error from server (InternalError): error when creating "stsapp-nosign-deployment.yaml": Internal error occurred: admission webhook "trust.hooks.securityenforcement.admission.cloud.ibm.com" denied the request:
Deny "hyc-cloud-private-scratch-docker-local.artifactory.swg-devops.com/ibmcom/stsapp/stsapp-nosign:0.1", no matching repositories in ClusterImagePolicy and no ImagePolicies in the "kube-system" namespace
Cause
hyc-cloud-private-scratch-docker-local.artifactory.swg-devops.com is not allowed at the cluster level or in the kube-system namespace (no image policy is defined for it in kube-system).
Solution
Allowlist the repository in the image policy.
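As an added illustration (not code from the page or from the product), the following Python model walks an image reference through the checks that the ImagePolicy above configures and that the three troubleshooting cases report: repository match, a signer secret with both name and publicKey, and trust data on the notary server. The policy, secrets and notary contents are constructed sample data, and treating * in a repository name as a shell-style glob is an assumption.

```python
import fnmatch

# Constructed ImagePolicy in dict form, mirroring the page's YAML example.
IMAGE_POLICY = {"repositories": [{
    "name": "mycluster.mcm:8500/kube-system/*",
    "policy": {"trust": {"enabled": True,
                         "signerSecrets": [{"name": "signername"}],
                         "trustServer": "https://notary.example.test:8443/notary"}},
}]}

# Constructed signer secrets (data keys are case-sensitive, as the page notes).
SECRETS = {
    "signername": {"name": "releaser", "publicKey": "-----BEGIN PUBLIC KEY----- (constructed)"},
    "badsigner": {"Name": "releaser", "publicKey": "(constructed)"},  # wrong-case key
}

# Constructed stand-in for the notary server: repositories that have trust data.
TRUST_DATA = {"mycluster.mcm:8500/kube-system/stsapp"}

def repo_of(image):
    """Strip the tag or digest from an image reference, keeping a registry port."""
    name = image.split("@", 1)[0]
    slash, colon = name.rfind("/"), name.rfind(":")
    return name[:colon] if colon > slash else name

def admit(image, policy=IMAGE_POLICY, secrets=SECRETS, trust_data=TRUST_DATA):
    """Return (allowed, reason), ordered like the webhook denials shown above."""
    # Assumption: '*' in a repository name is matched as a shell-style glob.
    repo = repo_of(image)
    matched = next((r for r in policy["repositories"]
                    if fnmatch.fnmatchcase(repo, r["name"])), None)
    if matched is None:
        return False, f'Deny "{image}", no matching repositories in the image policy'
    trust = matched["policy"].get("trust", {})
    if not trust.get("enabled"):
        return True, "allowed: trust is not enforced for this repository"
    for ref in trust.get("signerSecrets", []):
        secret = secrets.get(ref["name"], {})
        if not secret.get("name") or not secret.get("publicKey"):
            return False, (f'Deny "{image}", name or publicKey field in secret '
                           f'{ref["name"]} is empty')
    if repo not in trust_data:
        return False, (f'Deny "{image}", {trust["trustServer"]} does not have '
                       f'trust data for {repo}')
    return True, "allowed: image is signed by a configured signer"
```

Calling admit("mycluster.mcm:8500/kube-system/stsapp-nosign:0.1") reproduces the second troubleshooting case, while an image from a registry outside the policy reproduces the third.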