Add container image signing docs

This patch outlines basic documentation about how container image
signing works and which images are signed for official Kubernetes
releases.

Refers to kubernetes/enhancements#3031

Signed-off-by: Sascha Grunert <[email protected]>

content/en/releases/download.md

@@ -2,25 +2,63 @@
 title: Download Kubernetes
 type: docs
 ---
-## Core Kubernetes components
+
+Kubernetes ships binaries for each component as well as a standard set of client
+applications to bootstrap or interact with a cluster. Components like the
+Kube API Server are capable of running within container images inside of a
+cluster. Those components are also shipped in container images as part of the
+official release process. All binaries as well as container images are available
+for multiple operating systems as well as hardware architectures.
+
+## Container Images
+
+All Kubernetes container images are deployed to the
+[k8s.gcr.io](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/GLOBAL)
+container registry.
+
+{{< feature-state for_k8s_version="v1.24" state="alpha" >}}
+
+From the beginning of Kubernetes {{< param "version" >}}, the following
+container images are signed using [cosign](https://github.com/sigstore/cosign)
+signatures:
+
+| Container Image                            | Architectures                     |
+| ------------------------------------------ | --------------------------------- |
+| k8s.gcr.io/kube-apiserver:v1.24.0          | amd64, arm, arm64, ppc64le, s390x |
+| k8s.gcr.io/kube-controller-manager:v1.24.0 | amd64, arm, arm64, ppc64le, s390x |
+| k8s.gcr.io/kube-proxy:v1.24.0              | amd64, arm, arm64, ppc64le, s390x |
+| k8s.gcr.io/kube-scheduler:v1.24.0          | amd64, arm, arm64, ppc64le, s390x |
+| k8s.gcr.io/conformance:v1.24.0             | amd64, arm, arm64, ppc64le, s390x |
+
+All container images are available for multiple architectures, whereas the
+container runtime should choose the correct one based on the underlying
+platform. It is also possible to pull a dedicated architecture by suffixing the
+container image name, for example `k8s.gcr.io/kube-apiserver-arm64:v1.24.0`. All
+those derivations are signed in the same way as the multi-architecture manifest
+lists.
+
+<!-- TODO: describe how to use the signed images -->
+
+## Binaries
 
 Find links to download Kubernetes components (and their checksums) in the [CHANGELOG](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG) files.
 
 Alternately, use [downloadkubernetes.com](https://www.downloadkubernetes.com/) to filter by version and architecture.
 
-## kubectl
+### kubectl
 
 <!-- overview -->
+
 The Kubernetes command-line tool, [kubectl](/docs/reference/kubectl/kubectl/), allows
 you to run commands against Kubernetes clusters.
 
 You can use kubectl to deploy applications, inspect and manage cluster resources,
 and view logs. For more information including a complete list of kubectl operations, see the
 [`kubectl` reference documentation](/docs/reference/kubectl/).
 
-kubectl is installable on a variety of Linux platforms, macOS and Windows. 
+kubectl is installable on a variety of Linux platforms, macOS and Windows.
 Find your preferred operating system below.
 
 - [Install kubectl on Linux](/docs/tasks/tools/install-kubectl-linux)
 - [Install kubectl on macOS](/docs/tasks/tools/install-kubectl-macos)
-- [Install kubectl on Windows](/docs/tasks/tools/install-kubectl-windows)
+- [Install kubectl on Windows](/docs/tasks/tools/install-kubectl-windows)