With OpenShift Container Platform 4.21, Red Hat further improved supply chain security with signature verification for the release image. Verification is controlled by a ClusterImagePolicy, which specifies the root of trust for the signatures and a scope of quay.io/openshift-release-dev/ocp-release. When an image in that scope is pulled on a node, its sigstore signature is fetched from the mirror along with the image and verified at pull time, before any container is started from it.
If you are running a disconnected cluster and the signature is missing from your mirror, you’ll see the following:
- Install: The bootstrap node hangs and the installation does not complete, because the release image signature cannot be verified.
- Upgrade: The ClusterImagePolicy enforces signature verification. If the signatures are missing from your mirror, the Cluster Version Operator (CVO) is blocked, preventing node updates.
In order to continue, you may do one of the following:
- Use oc mirror --v2 to mirror your content. It mirrors the release image signatures automatically alongside the images; see Mirroring images for a disconnected installation using the oc-mirror plugin.
- If you are currently using oc adm release mirror, copy the .sig tag for the release payload yourself. The signature tag must land in the same repository that holds the mirrored release image, because that is where the node looks for it:
$ oc image mirror quay.io/openshift-release-dev/ocp-release:${RELEASE_DIGEST}.sig registry.example.com/openshift/whatever:${RELEASE_DIGEST}.sig
RELEASE_DIGEST: the release image digest with the : character replaced by a - character. For example, sha256:884e1ff5effeaa04467fab9725900e7f0ed1daa89a7734644f14783014cebdee becomes sha256-884e1ff5effeaa04467fab9725900e7f0ed1daa89a7734644f14783014cebdee, and the command above appends .sig to it, so the signature tag is sha256-884e1ff5effeaa04467fab9725900e7f0ed1daa89a7734644f14783014cebdee.sig.
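The manual procedure above is easy to get wrong (a doubled .sig suffix, or the signature tag copied into a different repository than the release image). The following shell helper is an added example, not part of the original post or of the oc tooling: it derives the signature tag from a release digest, validates the digest format, builds the oc image mirror command that copies the tag next to the mirrored release image, and can check afterwards that the tag exists in the mirror. The registry name registry.example.com/openshift/release is an assumed placeholder for wherever oc adm release mirror was told to put the release image.

```shell
#!/bin/sh
# Added example (not from the original post): mirror the sigstore signature tag
# for a release image digest next to the already-mirrored release image.
set -eu

# sig_tag DIGEST
#   Turns sha256:<64 hex chars> into the tag a sigstore-aware runtime looks up:
#   sha256-<64 hex chars>.sig  (":" is not a valid tag character, hence "-").
sig_tag() {
    digest="$1"
    case "$digest" in
        sha256:*) ;;
        *) echo "sig_tag: expected sha256:<hex>, got '$digest'" >&2; return 1 ;;
    esac
    hex="${digest#sha256:}"
    if [ "${#hex}" -ne 64 ]; then
        echo "sig_tag: digest must have 64 hex characters, got ${#hex}" >&2
        return 1
    fi
    case "$hex" in
        *[!0-9a-f]*) echo "sig_tag: digest contains non-hex characters" >&2; return 1 ;;
    esac
    printf '%s\n' "sha256-${hex}.sig"
}

# release_digest PULLSPEC
#   Extracts the digest from a by-digest pull spec such as
#   quay.io/openshift-release-dev/ocp-release@sha256:<hex>
release_digest() {
    case "$1" in
        *@sha256:*) printf '%s\n' "${1##*@}" ;;
        *) echo "release_digest: '$1' is not a by-digest pull spec" >&2; return 1 ;;
    esac
}

# mirror_sig_cmd SRC_REPO DST_REPO DIGEST
#   Prints the oc image mirror command without running it. DST_REPO must be the
#   repository the release image itself was mirrored into: the signature is
#   discovered by tag in the same repository as the image it signs.
mirror_sig_cmd() {
    src="$1"; dst="$2"; tag="$(sig_tag "$3")"
    printf 'oc image mirror %s:%s %s:%s\n' "$src" "$tag" "$dst" "$tag"
}

# sig_present DST_REPO DIGEST
#   Returns 0 if the signature tag exists in the mirror (needs network + oc).
sig_present() {
    oc image info "$1:$(sig_tag "$2")" >/dev/null 2>&1
}

# Usage: ./mirror-sig.sh <release pullspec@digest> <dest repo> [run]
# Without the trailing "run" argument it only prints the command (dry run).
if [ "$#" -ge 2 ]; then
    SRC_REPO="${1%%@*}"                          # repo part of the pull spec
    DIGEST="$(release_digest "$1")"
    DST_REPO="$2"                                # assumed placeholder, e.g. registry.example.com/openshift/release
    CMD="$(mirror_sig_cmd "$SRC_REPO" "$DST_REPO" "$DIGEST")"
    if [ "${3:-}" = "run" ]; then
        echo "+ $CMD"; eval "$CMD"
        sig_present "$DST_REPO" "$DIGEST" && echo "signature tag present in mirror" \
            || { echo "signature tag still missing in mirror" >&2; exit 1; }
    else
        echo "$CMD"
    fi
fi
```

Run it once in dry-run mode to eyeball the source and destination tags, then with run to perform the copy and confirm the tag is now visible in the mirror; the post-copy check is the one that tells you the bootstrap or upgrade will no longer stall on a missing signature.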
It is recommended that you switch to oc mirror --v2, which handles the signatures for you.
Good luck with your disconnected clusters, and make sure the release image signatures are present in your local mirror using one of the mirroring methods above.
References
- Red Hat OpenShift Docs: Chapter 12. Manage secure signatures with sigstore
- Red Hat Developer: How to verify container signatures in disconnected OpenShift
- Red Hat Developer: Verify Cosign bring-your-own PKI signature on OpenShift
- Red Hat Developer: How oc-mirror version 2 enables disconnected installations in OpenShift 4.16