by paulfurtado 1359 days ago
If you use cri-o as the runtime along with an OpenShift container registry, it will actually verify signatures at the runtime layer. In addition to cri-o, podman and anything based on containers/image supports this too.

Really that just means a registry that sends back a header indicating it supports signatures and serves up the right signature endpoints. It's shocking this isn't more common.

But if you just want to check signatures at the cluster's point of entry, you can use an admission controller to block the pods from being created with unsigned images.
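As an added illustration of the runtime-layer check the comment above refers to (this is example configuration, not something from the comment author, cri-o or OpenShift), the following script writes the two files that containers/image-based tools such as cri-o, podman and skopeo consult: `policy.json`, which says which images must carry a valid signature and from which key, and a `registries.d` entry, which tells the client where a registry serves its detached signatures. The registry hostname `registry.example.com`, the repository `team/app`, the key path and the signature-server URL are placeholders chosen for the example; substitute your own.

```shell
#!/bin/sh
# Install a signature-verification policy for containers/image consumers
# (cri-o, podman, skopeo, ...). Added example; all hostnames, paths and
# URLs below are hypothetical placeholders.
#
# Usage: install_signature_policy [ROOT]   (ROOT defaults to /, use a
#        scratch directory to inspect the output without touching /etc)
install_signature_policy() {
    root="${1:-}"
    conf_dir="$root/etc/containers"
    mkdir -p "$conf_dir/registries.d"

    # policy.json: "default" applies to anything not matched under
    # "transports". Rejecting by default means an image from an
    # unlisted registry can never be pulled, signed or not.
    cat > "$conf_dir/policy.json" <<'EOF'
{
  "default": [
    { "type": "reject" }
  ],
  "transports": {
    "docker": {
      "registry.example.com/team/app": [
        {
          "type": "signedBy",
          "keyType": "GPGKeys",
          "keyPath": "/etc/pki/containers/team-release.gpg",
          "signedIdentity": { "type": "matchRepository" }
        }
      ]
    },
    "docker-daemon": {
      "": [ { "type": "insecureAcceptAnything" } ]
    },
    "containers-storage": {
      "": [ { "type": "insecureAcceptAnything" } ]
    }
  }
}
EOF
    # "matchRepository" requires the signed reference to name the same
    # repository as the one being pulled, so a valid signature for
    # team/app:v1 cannot be replayed against team/other:v1.

    # registries.d: where to fetch the detached signatures for a given
    # registry. Older containers/image versions call these keys
    # "sigstore"/"sigstore-staging"; newer ones accept "lookaside" as well.
    cat > "$conf_dir/registries.d/example.yaml" <<'EOF'
docker:
  registry.example.com:
    sigstore: https://signatures.example.com/sigstore
    sigstore-staging: file:///var/lib/containers/sigstore
EOF
}

# Structural sanity check on the written policy: it must be valid JSON
# and must contain a signedBy requirement. Returns 0 on success.
check_signature_policy() {
    root="${1:-}"
    policy="$root/etc/containers/policy.json"
    [ -f "$policy" ] || return 1
    grep -q '"signedBy"' "$policy" || return 1
    if command -v python3 >/dev/null 2>&1; then
        python3 -c 'import json,sys; json.load(open(sys.argv[1]))' "$policy" || return 1
    fi
    return 0
}
```

With this policy in place a pull of `registry.example.com/team/app:v1` fails unless the registry (or the configured signature server) returns a signature made with the listed key over that image's manifest digest; cri-o's `signature_policy` setting points at the same `policy.json`, so the check happens when the kubelet asks the runtime to pull, regardless of what the API server admitted.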