Voiced by Amazon Polly |
Overview
Container image signing with AWS Signer Profile and deploying to the Amazon EKS cluster ensures the integrity and authenticity of container images before they are deployed to a Kubernetes cluster. This process involves creating an AWS Signer signing profile, signing the container image with the signing profile, and configuring the Kubernetes cluster to verify the signature of the image before it is deployed. This process helps to ensure that only trusted images are deployed to the cluster, which can help to improve security and compliance.
Pioneers in Cloud Consulting & Migration Services
- Reduced infrastructural costs
- Accelerated application deployment
Introduction
Customers may now sign and validate container images stored in container registries such as Amazon Elastic Container Registry (Amazon ECR) with native AWS support according to a new feature called AWS Signer Container Image Signing.
AWS Signer is a fully managed code signing service to help you ensure the trust and integrity of your container images. Organizations validate images against a digital signature to confirm that the image is unaltered and from a trusted publisher.
Pre-requisites
- Amazon EC2 instance
- Install eksctl
- Install Kubectl
- Install helm
- Install Notation cli
- Docker
- Ratify
- Jq
Steps to be performed on your Amazon EC2 instance
- Attach a role that contains the Amazon ECR, AWS Signer Profile, Amazon EC2, Amazon EKS, and other required permissions to your Amazon EC2 instance.
- Install aws cli, eksctl, helm from: https://codeshare.io/EBxAE4
- Install notation CLI
1 2 3 |
wget https://d2hvyiie56hcat.cloudfront.net/linux/amd64/installer/rpm/latest/aws-signer-notation-cli_amd64.rpm rpm -ivh aws-signer-notation-cli_amd64.rpm |
- Create an Amazon ECR repo, push one sample image to Amazon ECR (ex: nginx image), and export REPO_URI as a global variable for further reference.
Ex: export REPO_URI=<Account_id>. dkr.ecr.ap-south-1.amazonaws.com/<repo_name>
Create Amazon EKS Cluster
1 2 3 4 5 6 7 |
eksctl create cluster\ --name ratify-demo \ --region ap-south-1 \ --zones ap-south-1a,ap-south-1b \ --with-oidc \ --ssh-access \ --ssh-public-key ratifyDemo |
It will take approx. 15 minutes to create the Amazon EKS Cluster with oidc.
Meanwhile, you can sign off on Amazon ECR Image through the notation CLI.
Sign Container image
Create AWS Signer profile and export the ARN as a Global Variable
1 2 3 4 5 |
aws signer put-signing-profile \ --profile-name ratifyDemo \ --platform-id Notation-OCI-SHA384-ECDSA export PROFILE_ARN=$(aws signer get-signing-profile --profile-name ratifyDemo | jq .arn -r) |
1 2 3 4 |
notation key add \ --plugin com.amazonaws.signer.notation.plugin \ --id $PROFILE_ARN \ --default ratifyDemo |
Sign the image with the Image tag
1 2 |
notation sign $REPO_URI:v1 notation inspect $REPO_URI:v1 |
Now, you can verify the Amazon ECR image has been signed successfully, and the signature can be seen in the Console.
Deploy Gatekeeper
Although Gatekeeper serves as Kubernetes’ policy controller, the actual validation of images and their artifacts will be carried out by the Ratify container.
We first need to install Gatekeeper into the cluster. We will use the Gatekeeper helm chart with some customizations:
1 2 3 4 5 6 7 8 |
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts helm install gatekeeper/gatekeeper \ --name-template=gatekeeper \ --namespace gatekeeper-system --create-namespace \ --set enableExternalData=true \ --set validatingWebhookTimeoutSeconds=5 \ --set mutatingWebhookTimeoutSeconds=2 |
Next, we need to deploy a Gatekeeper policy and constraint.
1 2 3 |
kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml |
Configure AWS IAM Permission
Before deploying Ratify, we need to configure Ratify permissions to request AWS Signer. We will use AWS IAM Roles for Service Accounts integration to do this. First, we need to create an AWS IAM policy that has AWS Signer permissions:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 |
cat > signer_policy.json << EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "signer:GetRevocationStatus" ], "Resource": "*" } ] } EOF export POLICY_ARN=$(aws iam create-policy \ --policy-name signerGetRevocationStatus \ --policy-document file://signer_policy.json \ | jq ."Policy"."Arn" -r) |
Then, we will use eksctl to create a service account and role and attach the policies to the role:
1 2 3 4 5 6 7 |
eksctl create iamserviceaccount \ --name ratify-admin \ --namespace gatekeeper-system \ --cluster ratify-demo \ --attach-policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly \ --attach-policy-arn $POLICY_ARN \ --approve |
We can validate that the service account was created by using kubectl:
1 |
kubectl -n gatekeeper-system get sa |
Deploy Ratify
Now we can deploy Ratify to our cluster with the AWS Signer root as the notation verification certificate:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
helm repo add ratify https://deislabs.github.io/ratify helm repo update curl -sSLO https://d2hvyiie56hcat.cloudfront.net/aws-signer-notation-root.cert helm install ratify \ ratify/ratify --atomic \ --namespace gatekeeper-system \ --set-file notationCert=./aws-signer-notation-root.cert \ --set featureFlags.RATIFY_CERT_ROTATION=true \ --set featureFlags.RATIFY_EXPERIMENTAL_DYNAMIC_PLUGINS=true \ --set serviceAccount.create=false \ --set oras.authProviders.awsEcrBasicEnabled=true |
After deploying Ratify, we will download the AWS Signer notation plugin to the Ratify pod:
1 2 3 4 5 6 7 8 9 10 11 12 13 |
cat > aws-signer-plugin.yaml << EOF apiVersion: config.ratify.deislabs.io/v1beta1 kind: Verifier metadata: name: aws-signer-plugin spec: name: notation-com.amazonaws.signer.notation.plugin artifactTypes: application/vnd.oci.image.manifest.v1+json source: artifact: public.ecr.aws/aws-signer/notation-plugin:linux-amd64-latest EOF kubectl apply -f aws-signer-plugin.yaml |
Finally, we will create a verifier that specifies the trust policy to use when verifying signatures. In this guide, we will use a trust policy that only trusts images signed by the SigningProfile we created earlier:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 |
cat > notation-verifier.yaml << EOF apiVersion: config.ratify.deislabs.io/v1beta1 kind: Verifier metadata: name: verifier-notation spec: name: notation artifactTypes: application/vnd.cncf.notary.signature parameters: verificationCertStores: certs: - ratify-notation-inline-cert trustPolicyDoc: version: "1.0" trustPolicies: - name: default registryScopes: - "*" signatureVerification: level: strict trustStores: - signingAuthority:certs trustedIdentities: - $PROFILE_ARN EOF kubectl apply -f notation-verifier.yaml |
Deploy Container Image:
Now that the signed container image is in the registry and Ratify is installed into the Amazon EKS cluster, we can deploy our container image:
1 |
kubectl run demosigned --image $REPO_URI:latest |
We should see from the Ratify and Gatekeeper logs that the container signature was validated. The pod for the container should also be running.
1 |
kubectl logs -n gatekeeper-system deployment/ratify |
We can also test that an image without a valid signature is not able to run:
1 |
kubectl run demounsigned --image hello-world |
The command should fail with an error, and we should be able to see from the Ratify and Gatekeeper logs that the signature validation failed.
Conclusion
This post provided an overview of AWS Signer Container Image Signing. This new feature allows you to sign and validate your container images using a fully managed solution. You may implement a straightforward client-based procedure for signing and validating your container images using the open-source Notation client with the carefully chosen AWS Signer plugin.
Drop a query if you have any questions regarding AWS Signer Container Image Signing and we will get back to you quickly.
Making IT Networks Enterprise-ready – Cloud Management Services
- Accelerated cloud migration
- End-to-end view of the cloud environment
About CloudThat
CloudThat is a leading provider of Cloud Training and Consulting services with a global presence in India, the USA, Asia, Europe, and Africa. Specializing in AWS, Microsoft Azure, GCP, VMware, Databricks, and more, the company serves mid-market and enterprise clients, offering comprehensive expertise in Cloud Migration, Data Platforms, DevOps, IoT, AI/ML, and more.
CloudThat is recognized as a top-tier partner with AWS and Microsoft, including the prestigious ‘Think Big’ partner award from AWS and the Microsoft Superstars FY 2023 award in Asia & India. Having trained 650k+ professionals in 500+ cloud certifications and completed 300+ consulting projects globally, CloudThat is an official AWS Advanced Consulting Partner, AWS Training Partner, AWS Migration Partner, AWS Data and Analytics Partner, AWS DevOps Competency Partner, Amazon QuickSight Service Delivery Partner, Amazon EKS Service Delivery Partner, Microsoft Gold Partner, AWS Microsoft Workload Partners, Amazon EC2 Service Delivery Partner, and many more.
To get started, go through our Consultancy page and Managed Services Package, CloudThat’s offerings.
FAQs
1. What is the benefit of using AWS Signer Container Image Signing?
ANS: – This new feature helps ensure the trust and integrity of your container images by adding a digital signature. This signature confirms that the image is unaltered and comes from a trusted publisher like you. This is especially important for sensitive workloads or when you must comply with strict security regulations.
2. How does the process of signing and validating container images work?
ANS: – You can sign your images using the open-source Notation client with the AWS Signer plugin. This creates a unique signature that’s stored with the image. Then, Ratify, a policy controller deployed in your EKS cluster, validates the signature against your trust policy. If the signature matches, the image is allowed to run. If not, it’s blocked. This helps prevent unauthorized or compromised images from running in your cluster.
WRITTEN BY Ravikumar Eranna Murali
Ravikumar works as a Sr. Research Associate at CloudThat. His expertise lies in AWS Services and pursuing DevOps technologies like Kubernetes, Docker, and Jenkins. Ravi enjoys learning and working on new challenges to give the best solution.
Click to Comment