OpenShift 4.22.0 ClusterImagePolicy Feature enforces signature verification on Release and Payload

With OpenShift Container Platform 4.22, Red Hat enforces signature verification for the release image and payload (cluster operators and oeprands). The verification is controlled by the ClusterImagePolicy which specifies the Root CA and a scope of quay.io/openshift-release-dev/ocp-release and quay.io/openshift-release-dev/ocp-v4.0-art-dev. When an image is used on a node, the signatures are pulled from the mirror along with the image, and verified before starting a container. This verification expands on the ocp-release scope.

apiVersion: config.openshift.io/v1
kind: ClusterImagePolicy
metadata:
  name: openshift
spec:
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: ...
  scopes:
  - quay.io/openshift-release-dev/ocp-release
  - quay.io/openshift-release-dev/ocp-v4.0-art-dev
  ...

If you are running a disconnected cluster and the signature is missing from your mirror, you’ll see the following:

  • Install: The bootstrap node hangs and does not install as the signature is not verified.
  • Upgrade: The ClusterImagePolicy enforces signature verification. If the signatures are missing from your mirror, the Cluster Version Operator (CVO) will be blocked, preventing node updates.

In order to continue, you may do one of the following:

  1. Use oc mirror --v2 to mirror your content. This feature automatically honors signatures … see Mirroring images for a disconnected installation using the oc-mirror plugin
  2. If you are currently using oc adm release mirror, you can copy the sig file for the release payload:
$ oc image mirror quay.io/openshift-release-dev/ocp-release:${RELEASE_DIGEST}.sig registry.example.com/openshift/whatever:${RELEASE_DIGEST}.sig

You repeat for each image listed in the release.txt

RELEASE_DIGEST:: Specifies your digest image with the : character replaced by a - character. For example: sha256:884e1ff5effeaa04467fab9725900e7f0ed1daa89a7734644f14783014cebdee becomes sha256-884e1ff5effeaa04467fab9725900e7f0ed1daa89a7734644f14783014cebdee.sig.

You must switch to using oc mirror --v2.

Good luck with your disconnected clusters, and ensure image signatures are present in your local mirror using one of the mirroring methods.

Note: you can use this with your application / deliverable for enhanced security.

References

  1. Red Hat OpenShift Docs: Chapter 12. Manage secure signatures with sigstore
  2. Red Hat Developer: How to verify container signatures in disconnected OpenShift
  3. Red Hat Developer: Verify Cosign bring-your-own PKI signature on OpenShift
  4. IBM Power Blog Mirroring for OpenShift on IBM Power in Disconnected Environments
  5. IBM Power Blog OpenShift 4.21.0 ClusterImagePolicy Feature enforces signature verification

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *