Menu Close
Settings Close

Language and Page Formatting Options

2.4. 容器镜像签名

红帽为 Red Hat Container Registries 中的镜像提供签名。在使用 Machine Config Operator(MCO)拉取到 OpenShift Container Platform 4 集群时,会自动验证这些签名。

Quay.io 提供了组成 OpenShift Container Platform 的大多数镜像,只有发行镜像会被签名。发行镜像指的是批准的 OpenShift Container Platform 镜像,它可以对供应链攻击提供一定程度的保护。但是,OpenShift Container Platform 的一些扩展(如日志记录、监控和服务网格)会作为 Operator Lifecycle Manager(OLM)的 Operator 提供。这些镜像来自 红帽生态系统目录容器镜像 registry。

要验证这些镜像在红帽 registry 和您的基础架构间的完整性,启用签名验证。

2.4.1. 为 Red Hat Container registry 启用签名验证

启用容器签名验证需要将 registry URL 链接到 sigstore 的文件,然后指定验证镜像的密钥。

流程

  1. 创建将 registry URL 链接到 sigstore 并指定要验证镜像的密钥的文件。

    • 创建 policy.json 文件:

      $ cat > policy.json <<EOF
      {
        "default": [
          {
            "type": "insecureAcceptAnything"
          }
        ],
        "transports": {
          "docker": {
            "registry.access.redhat.com": [
              {
                "type": "signedBy",
                "keyType": "GPGKeys",
                "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
              }
            ],
            "registry.redhat.io": [
              {
                "type": "signedBy",
                "keyType": "GPGKeys",
                "keyPath": "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
              }
            ]
          },
          "docker-daemon": {
            "": [
              {
                "type": "insecureAcceptAnything"
              }
            ]
          }
        }
      }
      EOF
    • 创建 registry.access.redhat.com.yaml 文件:

      $ cat <<EOF > registry.access.redhat.com.yaml
      docker:
           registry.access.redhat.com:
               sigstore: https://access.redhat.com/webassets/docker/content/sigstore
      EOF
    • 创建 registry.redhat.io.yaml 文件:

      $ cat <<EOF > registry.redhat.io.yaml
      docker:
           registry.redhat.io:
               sigstore: https://registry.redhat.io/containers/sigstore
      EOF
  2. 使用 base64 编码格式设置用于机器配置模板的文件:

    $ export ARC_REG=$( cat registry.access.redhat.com.yaml | base64 -w0 )
    $ export RIO_REG=$( cat registry.redhat.io.yaml | base64 -w0 )
    $ export POLICY_CONFIG=$( cat policy.json | base64 -w0 )
  3. 创建将导出的文件写入 worker 节点上磁盘的机器配置:

    $ cat > 51-worker-rh-registry-trust.yaml <<EOF
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: worker
      name: 51-worker-rh-registry-trust
    spec:
      config:
        ignition:
          config: {}
          security:
            tls: {}
          timeouts: {}
          version: 2.2.0
        networkd: {}
        passwd: {}
        storage:
          files:
          - contents:
              source: data:text/plain;charset=utf-8;base64,${ARC_REG}
              verification: {}
            filesystem: root
            mode: 420
            path: /etc/containers/registries.d/registry.access.redhat.com.yaml
          - contents:
              source: data:text/plain;charset=utf-8;base64,${RIO_REG}
              verification: {}
            filesystem: root
            mode: 420
            path: /etc/containers/registries.d/registry.redhat.io.yaml
          - contents:
              source: data:text/plain;charset=utf-8;base64,${POLICY_CONFIG}
              verification: {}
            filesystem: root
            mode: 420
            path: /etc/containers/policy.json
      osImageURL: ""
    EOF
  4. 应用创建的机器配置:

    $ oc apply -f 51-worker-rh-registry-trust.yaml
  5. 创建机器配置,将导出的文件写入 master 节点上的磁盘:

    $ cat > 51-master-rh-registry-trust.yaml <<EOF
    apiVersion: machineconfiguration.openshift.io/v1
    kind: MachineConfig
    metadata:
      labels:
        machineconfiguration.openshift.io/role: master
      name: 51-master-rh-registry-trust
    spec:
      config:
        ignition:
          config: {}
          security:
            tls: {}
          timeouts: {}
          version: 2.2.0
        networkd: {}
        passwd: {}
        storage:
          files:
          - contents:
              source: data:text/plain;charset=utf-8;base64,${ARC_REG}
              verification: {}
            filesystem: root
            mode: 420
            path: /etc/containers/registries.d/registry.access.redhat.com.yaml
          - contents:
              source: data:text/plain;charset=utf-8;base64,${RIO_REG}
              verification: {}
            filesystem: root
            mode: 420
            path: /etc/containers/registries.d/registry.redhat.io.yaml
          - contents:
              source: data:text/plain;charset=utf-8;base64,${POLICY_CONFIG}
              verification: {}
            filesystem: root
            mode: 420
            path: /etc/containers/policy.json
      osImageURL: ""
    EOF
  6. 将 master 机器配置更改应用到集群:

    $ oc apply -f 51-master-rh-registry-trust.yaml