Making sure a solution works with trusted container images is an important security aspect that has to be covered by any container management solution.
Different projects have already addressed the issue:
moby's Notary - v1 is obsolete, supported and integrated by Docker; v2 - to be scheduled for a future release if/when stable
sigstore's Cosign - production-ready, supported and integrated by different Red Hat solutions
Based on the possible options and their status, Cosign can be integrated as a first step to enhance the security of the Kanto container management component for signed image support and verification.
As this task was delayed, here is an update on the current container image signing perspective. While the OCI image spec does not have an official 1.1.0 release yet, it is on its fifth release candidate and the official 1.1.0 version is expected soon. The main feature in OCI image spec 1.1.0 is to natively store, discover, and pull a graph of content (signatures, SBOMs, etc.) associated with specific container images in a registry. notary/notation-go (aka Notary v2) is a library that supports Notation sign, verify, push and pull of OCI artifacts, and it adopts the 1.1.0 OCI image spec.
Kanto Container Management must adhere to the OCI spec and provide signed image verification using Notary instead of Cosign.
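To illustrate the referrers graph the update above describes, here is an added Go example (not Kanto or notation-go code) that walks the index the OCI 1.1 referrers API returns for an image, keeps only the Notation signature artifacts, and checks each candidate's subject before accepting it. The registry responses, the `sha256:...` digests and the `FetchSample` helper are constructed sample data; `application/vnd.cncf.notary.signature` is the artifact type Notation uses for signatures.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of OCI image-spec 1.1 descriptor/manifest fields needed to walk the referrers graph.
type Descriptor struct { Digest string `json:"digest"`; ArtifactType string `json:"artifactType,omitempty"` }
type Index struct{ Manifests []Descriptor `json:"manifests"` }
type Manifest struct{ Subject *Descriptor `json:"subject,omitempty"` }
const NotationSignatureType = "application/vnd.cncf.notary.signature" // artifactType Notation uses for signatures
// SignaturesFor parses the index returned by GET /v2/<name>/referrers/<imageDigest>, keeps only Notation
// signature artifacts and fetches each candidate manifest to confirm its subject really is the image being
// verified; SBOMs, unfetchable manifests and signatures attached to some other image are skipped.
func SignaturesFor(imageDigest string, referrers []byte, fetch func(string) ([]byte, error)) ([]string, error) {
	var idx Index
	if err := json.Unmarshal(referrers, &idx); err != nil {
		return nil, fmt.Errorf("referrers index: %w", err)
	}
	var sigs []string
	for _, d := range idx.Manifests {
		if d.ArtifactType != NotationSignatureType {
			continue // SBOMs, attestations etc. are other nodes of the graph, not signatures
		}
		var m Manifest
		if raw, err := fetch(d.Digest); err != nil || json.Unmarshal(raw, &m) != nil || m.Subject == nil || m.Subject.Digest != imageDigest {
			continue // never trust a signature whose subject is not the image under verification
		}
		sigs = append(sigs, d.Digest)
	}
	return sigs, nil
}
// Constructed sample registry content (placeholder digests, not real hashes): s1 signs sha256:aaaa,
// b1 is an SBOM, s2 is a Notation signature whose subject is a different image.
var sampleReferrers = []byte(`{"schemaVersion":2,"manifests":[
 {"digest":"sha256:s1","artifactType":"application/vnd.cncf.notary.signature"},
 {"digest":"sha256:b1","artifactType":"application/spdx+json"},
 {"digest":"sha256:s2","artifactType":"application/vnd.cncf.notary.signature"}]}`)
var sampleManifests = map[string][]byte{
	"sha256:s1": []byte(`{"subject":{"digest":"sha256:aaaa"}}`),
	"sha256:s2": []byte(`{"subject":{"digest":"sha256:bbbb"}}`),
}
// FetchSample stands in for GET /v2/<name>/manifests/<digest>; unknown digests fail like a 404 would.
func FetchSample(digest string) ([]byte, error) {
	if m, ok := sampleManifests[digest]; ok {
		return m, nil
	}
	return nil, fmt.Errorf("manifest %s not found", digest)
}
func main() {
	sigs, err := SignaturesFor("sha256:aaaa", sampleReferrers, FetchSample)
	fmt.Println(sigs, err) // [sha256:s1] <nil>
}
```

Against a real registry, `fetch` would issue the manifests request and the returned digests would then be passed to the Notation verifier; the subject check matters because a registry that does not implement the referrers API natively may serve a fallback index that the client must filter itself.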
Tasks: