Skip to content

Verifying Wallarm Docker Image Signatures

Wallarm signs and shares the public key for its Docker images, enabling you to verify their authenticity and mitigate risks like compromised images and supply chain attacks. This article provides instructions for verifying Wallarm Docker image signatures.

The list of signed images

Wallarm signs the following Docker images:

Requirements

To ensure the authenticity of Wallarm Docker images, Cosign is used for both signing and verification.

Before proceeding with Docker image signature verification, make sure to install the Cosign command-line utility on your local machine or within your CI/CD pipeline.

Running Docker image signature verification

To verify a Docker image signature, execute the following commands replacing the WALLARM_DOCKER_IMAGE value with the specific image tag:

export WALLARM_DOCKER_IMAGE="wallarm/ingress-controller:4.6.2-1"
cosign verify --key https://repo.wallarm.com/cosign.pub $WALLARM_DOCKER_IMAGE

The output should provide the docker-manifest-digest object with the image digest, e.g.:

[{"critical":{"identity":{"docker-reference":"index.docker.io/<WALLARM_DOCKER_IMAGE>"},
"image":{"docker-manifest-digest":"<HASH_ALGORITHM>"},"type":"cosign container image signature"},
"optional":{"Bundle":{"SignedEntryTimestamp":"<VALUE>","Payload":{"body":"<VALUE>",
"integratedTime":<VALUE>,"logIndex":<VALUE>,"logID":"<VALUE>"}}}}]

Using Kubernetes policy engine for signature verification

Engines such as Kyverno or the Open Policy Agent (OPA) allow for Docker image signature verification within your Kubernetes cluster. By crafting a policy with rules for verification, Kyverno initiates the image signature verification based on defined criteria, including repositories or tags. The verification takes place during the Kubernetes resource deployment.

Here is an example of how to use Kyverno policy for Wallarm Docker image signature verification:

  1. Install Kyverno on your cluster and ensure all pods are operational.

  2. Create the following Kyverno YAML policy:

    apiVersion: kyverno.io/v1
    kind: ClusterPolicy
    metadata:
      name: verify-wallarm-images
    spec:
      webhookTimeoutSeconds: 30
      validationFailureAction: Enforce
      background: false
      failurePolicy: Fail
      rules:
        - name: verify-wallarm-images
          match:
            any:
              - resources:
                  kinds:
                    - Pod
          verifyImages:
            - imageReferences:
                - docker.io/wallarm/ingress*
                - docker.io/wallarm/sidecar*
              attestors:
                - entries:
                    - keys:
                        kms: https://repo.wallarm.com/cosign.pub
    
  3. Apply the policy:

    kubectl apply -f <PATH_TO_POLICY_FILE>
    
  4. Deploy either the Wallarm NGINX Ingress controller or Sidecar Controller, depending on your requirements. The Kyverno policy will be applied during deployment to check the image's signature.

  5. Analyze the verification results by executing:

    kubectl describe ClusterPolicy verify-wallarm-images
    

You will receive a summary detailing the signature verification status:

Events:
  Type    Reason         Age                From               Message
  ----    ------         ----               ----               -------
  Normal  PolicyApplied  50s (x2 over 50s)  kyverno-admission  Deployment wallarm-sidecar/wallarm-sidecar-wallarm-sidecar-controller: pass
  Normal  PolicyApplied  48s                kyverno-admission  Pod wallarm-sidecar/wallarm-sidecar-wallarm-sidecar-controller-9dcfddfc7-hjbhd: pass
  Normal  PolicyApplied  40s (x2 over 40s)  kyverno-admission  Deployment wallarm-sidecar/wallarm-sidecar-wallarm-sidecar-postanalytics: pass
  Normal  PolicyApplied  35s                kyverno-admission  Pod wallarm-sidecar/wallarm-sidecar-wallarm-sidecar-postanalytics-554789546f-9cc8j: pass

The provided verify-wallarm-images policy has the failurePolicy: Fail parameter. This implies that if the signature authentication does not succeed, the entire chart deployment fails.