To run OpenShift sandboxed containers 1.9 with Confidential Containers enabled, the container (workload) image must be signed. The following steps sign an image with cosign and create the signature verification policy that points the guest at the signing public key through the Key Broker Service (KBS).

1. Log in to your Quay registry:

   $ docker login quay.io -u <username> -p <password>

   Passing the password with -p leaves it in your shell history and visible in the process list; piping it in with --password-stdin avoids both.

2. Pull the container image onto your local machine:

   $ docker pull quay.io/prometheus/busybox:latest

3. Tag the container image for your repository in the Quay registry:

   $ docker tag quay.io/prometheus/busybox:latest quay.io/<username>/busybox:latest

4. Push the container image to your repository in the Quay registry:

   $ docker push quay.io/<username>/busybox:latest

5. Install the cosign package:

   $ rpm -ivh --nodeps --force https://github.com/sigstore/cosign/releases/download/v2.4.1/cosign-2.4.1-1.s390x.rpm

   This package is built for s390x; use the package for your architecture from the same release. Note that --nodeps --force bypasses RPM dependency and conflict checking.

6. Log in to your Quay registry with cosign:

   $ cosign login quay.io --username='<username>' --password='<password>'

   As with docker login, prefer --password-stdin over a password on the command line.

7. Generate a key pair to sign the container image:

   $ cosign generate-key-pair

   This creates cosign.key (the private key, encrypted with the password you are prompted for) and cosign.pub (the public key). Keep cosign.key off the cluster; only cosign.pub is handed to the KBS.

8. Sign the container image in the Quay registry with the private key:

   $ cosign sign --key cosign.key quay.io/<username>/busybox:latest

   cosign signs the manifest digest that the tag currently resolves to and stores the signature in the registry next to the image. You can confirm the signature with cosign verify and cosign.pub before relying on it.

9. Place the public key under the kbs directory:

   $ mv cosign.pub kbs/

10. Create the container image signature verification policy:

    a. Create a containers-policy.json file with the signature verification rule, following this example:

       {
         "default": [],
         "transports": {
           "docker": {
             "quay.io/<username>/busybox:latest": [
               {
                 "type": "sigstoreSigned",
                 "keyPath": "kbs:///default/img-sig/pub-key"
               }
             ]
           }
         }
       }

       The kbs:/// keyPath tells the guest to fetch the public key from the KBS rather than from a file on disk. The transports entry is keyed by the exact reference quay.io/<username>/busybox:latest, so any other tag of that repository, and any other image, falls through to the default rule. The default list in this example is empty; in a policy you deploy, give it an explicit default, such as a single reject requirement, so that anything not matched by a transports entry is refused.

    b. Place the policy under the kbs/osc directory:

       $ mv containers-policy.json kbs/osc
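As an added example (not code from this page, from OpenShift sandboxed containers or from the Confidential Containers project), the following Python models how a containers/image-style policy.json is loaded and how the scope for an image reference is chosen: the most specific matching transports entry wins, otherwise the default applies, and every requirement in the chosen list must hold. It assumes the guest's image pull enforces the same policy.json semantics as containers/image, simplifies the format (no host wildcards, no signedIdentity), and uses alice as a stand-in for the page's <username>. It does not verify any signature; for a sigstoreSigned requirement it reports which key the image must be checked against. Both policies in the block are constructed inline from the page's JSON.

```python
import json

USERNAME = "alice"  # assumed stand-in for the page's <username> placeholder

# The page's policy as written (constructed here from its JSON): the default list is empty.
PAGE_POLICY = """{
  "default": [],
  "transports": {
    "docker": {
      "quay.io/<username>/busybox:latest": [
        {"type": "sigstoreSigned", "keyPath": "kbs:///default/img-sig/pub-key"}
      ]
    }
  }
}""".replace("<username>", USERNAME)

# Hardened variant: an explicit reject default, so only the listed reference can be pulled at all.
HARDENED_POLICY = PAGE_POLICY.replace('"default": []', '"default": [{"type": "reject"}]')

REQUIREMENT_TYPES = {"insecureAcceptAnything", "reject", "signedBy", "sigstoreSigned"}
KEY_SOURCES = ("keyPath", "keyPaths", "keyData", "keyDatas", "fulcio", "pki")


class InvalidPolicy(ValueError):
    """A policy that a containers/image-style loader refuses."""


def _check_requirements(reqs, where):
    # containers/image refuses an empty requirement list at load time; every entry needs a known type.
    if not isinstance(reqs, list) or not reqs:
        raise InvalidPolicy(f"{where}: list of verification policy requirements must not be empty")
    for req in reqs:
        rtype = req.get("type") if isinstance(req, dict) else None
        if rtype not in REQUIREMENT_TYPES:
            raise InvalidPolicy(f"{where}: unknown requirement type {rtype!r}")
        if rtype == "sigstoreSigned" and not any(k in req for k in KEY_SOURCES):
            raise InvalidPolicy(f"{where}: sigstoreSigned needs a key source such as keyPath")


def load_policy(text):
    """Parse policy JSON and apply the structural checks done at load time."""
    policy = json.loads(text)
    if "default" not in policy:
        raise InvalidPolicy("policy has no default requirements")
    _check_requirements(policy["default"], "default")
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            _check_requirements(reqs, f"transports.{transport}[{scope}]")
    return policy


def is_valid_policy(text):
    try:
        load_policy(text)
        return True
    except (InvalidPolicy, json.JSONDecodeError):
        return False


def split_reference(ref):
    """Split host/path/name[:tag][@digest] into (repository, tag, digest).
    Neither tag nor digest means :latest, as the docker transport assumes."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):  # ':' after the last '/' separates a tag; earlier it is a host port
        ref, tag = ref[:colon], ref[colon + 1:]
    if tag is None and digest is None:
        tag = "latest"
    return ref, tag, digest


def docker_scopes(ref):
    """Candidate scopes from most to least specific, as containers/image derives them for the
    docker transport: repo@digest or repo:tag, then the repository, each parent namespace,
    and finally the registry host (host wildcards such as *.example.com are omitted here)."""
    repo, tag, digest = split_reference(ref)
    identity = f"{repo}@{digest}" if digest else f"{repo}:{tag}"
    parts = repo.split("/")
    return [identity] + ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def requirements_for(policy, ref, transport="docker"):
    """Return (scope, requirements) for the most specific matching scope, else the default."""
    scopes = policy.get("transports", {}).get(transport, {})
    for scope in docker_scopes(ref):
        if scope in scopes:
            return scope, scopes[scope]
    return "default", policy["default"]


def evaluate(policy, ref):
    """Return (verdict, scope, detail): False = refused, True = accepted unsigned,
    None = allowed only with a signature that verifies against the named key(s)."""
    scope, reqs = requirements_for(policy, ref)
    if any(r["type"] == "reject" for r in reqs):  # all requirements must hold, so a reject wins
        return False, scope, "rejected by policy"
    keys = [r.get("keyPath") or r.get("keyData") or "<key>"
            for r in reqs if r["type"] in ("sigstoreSigned", "signedBy")]
    if keys:
        return None, scope, "pull only with a signature verified by " + ", ".join(keys)
    return True, scope, "accepted without any signature (insecureAcceptAnything)"


if __name__ == "__main__":
    try:
        load_policy(PAGE_POLICY)
    except InvalidPolicy as err:
        print("page policy as written:", err)
    hardened = load_policy(HARDENED_POLICY)
    for ref in (f"quay.io/{USERNAME}/busybox", f"quay.io/{USERNAME}/busybox:1.36",
                "docker.io/library/busybox:latest"):
        print(ref, "->", evaluate(hardened, ref))
```

Running it shows the two points that matter for this page: the policy with an empty default list is refused by a containers/image-style loader before any image is considered, and under the hardened policy only quay.io/alice/busybox:latest (or the bare reference, which means the same tag) reaches signature verification against kbs:///default/img-sig/pub-key, while busybox:1.36 and every other image fall to the reject default.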