Configuring integration with image signature validators
Kaspersky Container Security can verify the authenticity and validity of the digital signatures of images. To use this functionality, you need to configure integration of the solution with one or more external signature applications. The specifics of signing an image digest, the location of signatures, and protecting signatures depend on the signature application you have selected. The solution supports two configurable external signature validation applications:
- Notary v1 is a web service developed by Docker that is used to ensure the security of containers at various stages of their life cycle, including the creation and subsequent storage of signatures.
- Cosign is a web service designed to create signatures for containers, verify signatures, and place signed containers in repositories. The tool was developed as part of the project.
You can configure integration with an image signature validator in the Administration → Integrations → Image signature validators section.
Viewing the list of integrations with signature validators
In the Administration → Integrations → Image signature validators section, a table of all configured integrations with image signature validators is displayed.
The table displays the following information about the integrated image signature validators:
- Name of the validator
- Description, if one was specified when creating the integration
- Type of the image signature validator: Notary v1 or Cosign
- Web address to which the image signature validator connects
In the table, you can:
- Add new integrations with signature validators. Click Add signature validator above the list to open the integration settings window.
- View and edit the settings of an integration with an image signature validator. To open the editing window, click the link on the validator name.
- Remove an integration with an image signature validator.
Adding an integration with an image signature validator
To add an integration with an image signature validator:
- In the Administration → Integrations → Image signature validators section, click the Add signature validator button.
The integration settings window opens.
- In the General information section, enter the validator name and, if necessary, a description.
- In the Type section, select one of the following signature validators:
- Notary v1.
- Cosign.
- Depending on the selected signature validator, specify the server authentication credentials:
- For Notary v1, specify the following settings:
- Web address – the full web address of the server where image signatures are stored.
- Signature server authentication secret name – the name of the orchestrator secret with credentials for accessing the server where image signatures are stored.
The secret must be in the Kaspersky Container Security namespace.
- Certificate – the self-generated certificate of the server where signatures are stored, in .PEM format.
- Delegations – list of signature holders participating in the signing process.
- Under Trusted roots, specify all public keys that the solution will check during signature verification. Each key is entered as a key pair consisting of the name and the value of the key.
If necessary, you can add more keys by clicking the Add key pair button. The solution supports up to 20 key pairs.
- For Cosign, specify the following settings:
- Signature server authentication secret name – the name of the orchestrator secret with credentials for accessing the server where image signatures are stored.
The secret must be in the Kaspersky Container Security namespace.
- Certificate – the self-generated certificate of the server where signatures are stored, in .PEM format.
- Under Trusted roots, specify all public keys that the solution will check during signature verification. Each key is entered as a key pair consisting of the name and the value of the key.
For Cosign, the key value is an ECDSA or RSA public key, as contained in cosign.pub.
If necessary, you can add more keys by clicking the Add key pair button. The solution supports up to 20 key pairs.
- In the Signature requirements section, specify the minimum number of signatures that the image must carry (Threshold) and the signature holders who must sign the image (Required signers).
- Click the Save button at the top of the window to save the settings for integration with an image signature validator.
You can use the configured integration in runtime policies to ensure protection of the image content.
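The procedure above combines four settings that decide whether an image passes: the Trusted roots key pairs (name plus PEM public key), the restriction to ECDSA or RSA keys for Cosign, the limit of 20 key pairs, and the Signature requirements (Threshold and Required signers). The Go program below is an added example written for this page; it is not Kaspersky Container Security code, and how the solution stores signatures internally is not described on the page, so the Signature struct and the JSON payload are constructed assumptions. It checks each signature against the trusted roots and then applies the threshold and required-signer rules, using only the Go standard library.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"sort"
)

// maxTrustedRoots mirrors the documented limit of 20 key pairs per integration.
const maxTrustedRoots = 20

// TrustedRoot is one Trusted roots entry: key name and key value (PEM public key,
// for Cosign the contents of cosign.pub).
type TrustedRoot struct {
	Name string
	PEM  string
}

// Signature is a signature over the image payload, attributed to a key name.
// Hypothetical structure: the page does not describe the solution's internal format.
type Signature struct {
	Signer string // name of the trusted root this signature claims to match
	Sig    []byte // ECDSA ASN.1 or RSA PKCS#1 v1.5 signature over SHA-256(payload)
}

// Requirements mirrors the Signature requirements section.
type Requirements struct {
	Threshold       int
	RequiredSigners []string
}

// parseRoots enforces the 20-entry limit and accepts only ECDSA or RSA PKIX public keys.
func parseRoots(roots []TrustedRoot) (map[string]crypto.PublicKey, error) {
	if len(roots) > maxTrustedRoots {
		return nil, fmt.Errorf("%d trusted roots exceed the limit of %d", len(roots), maxTrustedRoots)
	}
	keys := make(map[string]crypto.PublicKey, len(roots))
	for _, r := range roots {
		block, _ := pem.Decode([]byte(r.PEM))
		if block == nil || block.Type != "PUBLIC KEY" {
			return nil, fmt.Errorf("key %q: value is not a PEM PUBLIC KEY block", r.Name)
		}
		pub, err := x509.ParsePKIXPublicKey(block.Bytes)
		if err != nil {
			return nil, fmt.Errorf("key %q: %w", r.Name, err)
		}
		switch pub.(type) {
		case *ecdsa.PublicKey, *rsa.PublicKey: // the only algorithms the page allows
		default:
			return nil, fmt.Errorf("key %q: unsupported algorithm %T", r.Name, pub)
		}
		keys[r.Name] = pub
	}
	return keys, nil
}

// verifyOne checks a single signature over SHA-256(payload) with the given key.
func verifyOne(pub crypto.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	switch k := pub.(type) {
	case *ecdsa.PublicKey:
		return ecdsa.VerifyASN1(k, digest[:], sig)
	case *rsa.PublicKey:
		return rsa.VerifyPKCS1v15(k, crypto.SHA256, digest[:], sig) == nil
	}
	return false
}

// Evaluate verifies all signatures against the trusted roots, then applies the
// threshold and required-signer rules. It returns the sorted names of keys whose
// signatures verified, and a non-nil error when the requirements are not met.
func Evaluate(roots []TrustedRoot, payload []byte, sigs []Signature, req Requirements) ([]string, error) {
	keys, err := parseRoots(roots)
	if err != nil {
		return nil, err
	}
	verified := map[string]bool{}
	for _, s := range sigs {
		if pub, ok := keys[s.Signer]; ok && verifyOne(pub, payload, s.Sig) {
			verified[s.Signer] = true // a key counts once, however many signatures it made
		} // signatures from keys outside Trusted roots carry no weight
	}
	names := make([]string, 0, len(verified))
	for n := range verified {
		names = append(names, n)
	}
	sort.Strings(names)
	if len(names) < req.Threshold {
		return names, fmt.Errorf("%d valid signature(s), threshold is %d", len(names), req.Threshold)
	}
	for _, r := range req.RequiredSigners {
		if !verified[r] {
			return names, fmt.Errorf("required signer %q did not sign the image", r)
		}
	}
	return names, nil
}

// NewECDSARoot builds constructed test material: a P-256 key (cosign's default)
// and its Trusted roots entry in the same PEM form as cosign.pub.
func NewECDSARoot(name string) (TrustedRoot, *ecdsa.PrivateKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pemText := pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return TrustedRoot{Name: name, PEM: string(pemText)}, priv
}

// SignECDSA signs SHA-256(payload) with an ECDSA key (ASN.1-encoded signature).
func SignECDSA(priv *ecdsa.PrivateKey, payload []byte) []byte {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	return sig
}

func main() {
	// Constructed payload standing in for the signed image digest descriptor.
	payload := []byte(`{"docker-manifest-digest":"sha256:<constructed>"}`)
	release, releaseKey := NewECDSARoot("release-key")
	qa, qaKey := NewECDSARoot("qa-key")
	sigs := []Signature{
		{Signer: "release-key", Sig: SignECDSA(releaseKey, payload)},
		{Signer: "qa-key", Sig: SignECDSA(qaKey, payload)},
	}
	req := Requirements{Threshold: 2, RequiredSigners: []string{"release-key"}}
	names, err := Evaluate([]TrustedRoot{release, qa}, payload, sigs, req)
	fmt.Println("verified signers:", names, "error:", err)
}
```

Two design points carry over to the real configuration: a signature made with a key that is not listed under Trusted roots contributes nothing, so the trusted-root list, not the signature server, defines who may sign, and the threshold counts distinct verified keys rather than signature objects, so repeated signatures by one key cannot satisfy a requirement for several signers.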
Viewing and editing information about integration with an image signature validator
To view and edit the settings for integration with an image signature validator:
- In the Administration → Integrations → Image signature validators section, click the integration name link in the list of integrations with signature validators.
- If necessary, in the window that opens, edit the integration settings, which depend on the selected signature validator, as follows:
- For Notary v1, you can modify the following settings:
- Validator name.
- Description.
- URL.
- Signature server authentication secret name.
- Certificate.
- Delegations.
- Key name.
- Key value.
- For Cosign, you can modify the following settings:
- Signature server authentication secret name.
- Certificate.
- Key name.
- Key value.
- Threshold.
- Required signers.
- If necessary, add key pairs by clicking the Add key pair button.
- Click the Save button in the upper part of the window.
Removing an integration with an image signature validator
To remove an integration with an image signature validator:
- Open the list of the configured integrations with image signature validators.
- Select the check box in the row of each integration that you want to delete.
- Click Delete above the table.
The Delete button becomes enabled after you select one or more integrations.
- In the window that opens, confirm the deletion.