Kaspersky Container Security

Monitoring the integrity and origin of images

March 27, 2024

ID 263762

When scanning images in CI/CD, Kaspersky Container Security protects against image spoofing at the registry level. The integrity and origin of images of containers deployed in an orchestrator cluster is controlled by verifying image signatures, starting at the build stage in CI.

Image integrity is monitored in two stages:

  • Container images are signed after they are created. This process is implemented using external signature applications.
  • Image signatures are checked before images are deployed.

    The solution stores a signature key, based on the SHA256 hash function, that is used to validate signatures. When an image is deployed in an orchestrator, Kaspersky Container Security asks the signature server to confirm the authenticity of the signature.

Kaspersky Container Security checks image signatures as follows:

  1. In the Administration → Integrations → Image signature validators section, you can configure the settings for integrating the solution with external image signature validation applications.
  2. In the Policies → Runtime policies → Policies section, a runtime policy is added to protect the content of the image. This runtime policy validates the authenticity of signatures. Digital signatures are validated based on the configured image signature validators.
  3. The orchestrator starts image deployment and uses a dynamic admission controller to make a deployment request to the Agent (kube-agent).

    To send the request to the Kaspersky Container Security Agent, configure the dynamic admission controller in the values.yaml configuration file.

  4. Based on the applicable runtime policy, the Agent checks the signature validation settings configured in the Administration → Integrations → Image signature validators section.
  5. If the check confirms the authenticity and validity of the signature, the solution allows image deployment. Otherwise, deployment is blocked.
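The admission decision described in steps 3 to 5, as an added example in Go that is not Kaspersky's code. It models the flow with an assumed Ed25519 key pair: the build stage signs the SHA256 digest of an image manifest, and an admission check admits the image only if the content still matches the signed digest and one of the configured validators (trusted public keys) accepts the signature; the manifest bytes are a constructed sample.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignedImage carries the SHA256 digest of the image manifest and a signature over that digest.
type SignedImage struct {
	Digest    [32]byte
	Signature []byte
}

// Validator models one configured image signature validator: a name and a trusted public key (assumed Ed25519).
type Validator struct {
	Name      string
	PublicKey ed25519.PublicKey
}

// BuildStageSign is the external signer run after the build: hash the manifest, sign the digest.
func BuildStageSign(manifest []byte, priv ed25519.PrivateKey) SignedImage {
	d := sha256.Sum256(manifest)
	return SignedImage{Digest: d, Signature: ed25519.Sign(priv, d[:])}
}

// AdmissionDecision is the check the Agent performs on a deployment request:
// recompute the digest of the image being deployed, then require one configured validator to verify the signature.
func AdmissionDecision(img SignedImage, manifest []byte, validators []Validator) (allowed bool, reason string) {
	if sha256.Sum256(manifest) != img.Digest {
		return false, "digest mismatch: image content differs from the signed digest"
	}
	for _, v := range validators {
		if ed25519.Verify(v.PublicKey, img.Digest[:], img.Signature) {
			return true, "signature verified by validator " + v.Name
		}
	}
	return false, "no configured validator accepted the signature: deployment blocked"
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	manifest := []byte(`{"schemaVersion":2,"layers":["sha256:deadbeef"]}`) // constructed sample manifest
	img := BuildStageSign(manifest, priv)
	fmt.Println(AdmissionDecision(img, manifest, []Validator{{Name: "ci-signer", PublicKey: pub}}))
}
```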
