From 5cd005320d7d3afc21ac3b903fd49c9356d191c7 Mon Sep 17 00:00:00 2001 From: Sascha Grunert Date: Wed, 2 Feb 2022 14:57:30 +0100 Subject: [PATCH] Add container image signing docs This patch outlines basic documentation about how container image signing works and which images are signed for official Kubernetes releases. Refers to https://github.com/kubernetes/enhancements/issues/3031 Signed-off-by: Sascha Grunert --- content/en/releases/download.md | 46 ++++++++++++++++++++++++++++++--- 1 file changed, 42 insertions(+), 4 deletions(-) diff --git a/content/en/releases/download.md b/content/en/releases/download.md index aa1fca98a4b53..f586c361db185 100644 --- a/content/en/releases/download.md +++ b/content/en/releases/download.md 
@@ -2,15 +2,53 @@ title: Download Kubernetes type: docs --- -## Core Kubernetes components + +Kubernetes ships binaries for each component as well as a standard set of client +applications to bootstrap or interact with a cluster. Components like the +Kube API Server are capable of running within container images inside of a +cluster. Those components are also shipped in container images as part of the +official release process. All binaries as well as container images are available +for multiple operating systems as well as hardware architectures. + +## Container Images + +All Kubernetes container images are deployed to the +[k8s.gcr.io](https://console.cloud.google.com/gcr/images/k8s-artifacts-prod/GLOBAL) +container registry. + +{{< feature-state for_k8s_version="v1.24" state="alpha" >}} + +From the beginning of Kubernetes {{< param "version" >}}, the following +container images are signed using [cosign](https://github.com/sigstore/cosign) +signatures: + +| Container Image | Architectures | +| ------------------------------------------ | --------------------------------- | +| k8s.gcr.io/kube-apiserver:v1.24.0 | amd64, arm, arm64, ppc64le, s390x | +| k8s.gcr.io/kube-controller-manager:v1.24.0 | amd64, arm, arm64, ppc64le, s390x | +| k8s.gcr.io/kube-proxy:v1.24.0 | amd64, arm, arm64, ppc64le, s390x | +| k8s.gcr.io/kube-scheduler:v1.24.0 | amd64, arm, arm64, ppc64le, s390x | +| k8s.gcr.io/conformance:v1.24.0 | amd64, arm, arm64, ppc64le, s390x | + +All container images are available for multiple architectures, whereas the +container runtime should choose the correct one based on the underlying +platform. It is also possible to pull a dedicated architecture by suffixing the +container image name, for example `k8s.gcr.io/kube-apiserver-arm64:v1.24.0`. All +those derivations are signed in the same way as the multi-architecture manifest +lists. 
+ + + +## Binaries Find links to download Kubernetes components (and their checksums) in the [CHANGELOG](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG) files. Alternately, use [downloadkubernetes.com](https://www.downloadkubernetes.com/) to filter by version and architecture. -## kubectl +### kubectl + The Kubernetes command-line tool, [kubectl](/docs/reference/kubectl/kubectl/), allows you to run commands against Kubernetes clusters. @@ -18,9 +56,9 @@ You can use kubectl to deploy applications, inspect and manage cluster resources and view logs. For more information including a complete list of kubectl operations, see the [`kubectl` reference documentation](/docs/reference/kubectl/). -kubectl is installable on a variety of Linux platforms, macOS and Windows. +kubectl is installable on a variety of Linux platforms, macOS and Windows. Find your preferred operating system below. - [Install kubectl on Linux](/docs/tasks/tools/install-kubectl-linux) - [Install kubectl on macOS](/docs/tasks/tools/install-kubectl-macos) -- [Install kubectl on Windows](/docs/tasks/tools/install-kubectl-windows) \ No newline at end of file +- [Install kubectl on Windows](/docs/tasks/tools/install-kubectl-windows)
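Review bot: In the first hunk (`@@ -2,15 +2,53 @@`), the new "Container Images" section says the listed images are signed with cosign but never tells the reader how to check a signature or which signing identity or key to expect, so the statement cannot be acted on. Suggest adding a short verification subsection that shows a `cosign verify` invocation for one of the listed images and names the identity readers should trust. In the same section, "From the beginning of Kubernetes {{< param "version" >}}" uses a site parameter, while the feature-state shortcode and the table hard-code v1.24 and v1.24.0; use one or the other so the sentence and the table cannot drift apart when the docs version changes. The three consecutive empty added lines before "## Binaries" can be reduced to one.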
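Review bot: In the second hunk (`@@ -18,9 +56,9 @@`), the removed and added "kubectl is installable on a variety of Linux platforms, macOS and Windows." lines read identically, so this looks like a whitespace-only change unrelated to image signing; the same applies to the end-of-file newline fix on the last list item. Both are fine to keep, but either mention them in the commit message or move them to a separate cleanup commit so the diff for the signing docs stays minimal.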