
Use Ratify to verify Cosign signatures associated with container images

In this demo, Ratify is installed on a Kubernetes cluster with Gatekeeper. A policy is configured requiring that all images be signed with a valid cosign signature. For this demo, there is a registry with images belonging to different namespaces, ‘dev’ & ‘test’. Each namespace uses a different signing key, so a different public key must be used to verify the images of each namespace. Ratify has a Cosign Verifier configured with two trust policies: one that associates the dev key with any image from the ‘dev’ namespace and one that associates the test key with any image from the ‘test’ namespace.

Deploying images from each registry namespace succeeds: each image's signature is verified against the public key that the trust policy associates with that namespace.
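As an added example (not the demo's own manifests), this is the shape of that Cosign verifier configuration as Ratify CRDs: two inline KeyManagementProviders and one Verifier whose trust policies scope each key to its registry namespace. The registry host `registry.example.com`, the provider names and the key placeholders are assumptions.

```yaml
# Added example, not from the demo: per-namespace Cosign trust policies.
# Registry host, provider names and key material are placeholders.
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
  name: kmp-dev-key          # public key matching the 'dev' signing key
spec:
  type: inline
  parameters:
    contentType: key
    value: |
      -----BEGIN PUBLIC KEY-----
      <DEV_PUBLIC_KEY_PLACEHOLDER>
      -----END PUBLIC KEY-----
---
apiVersion: config.ratify.deislabs.io/v1beta1
kind: KeyManagementProvider
metadata:
  name: kmp-test-key         # public key matching the 'test' signing key
spec:
  type: inline
  parameters:
    contentType: key
    value: |
      -----BEGIN PUBLIC KEY-----
      <TEST_PUBLIC_KEY_PLACEHOLDER>
      -----END PUBLIC KEY-----
---
apiVersion: config.ratify.deislabs.io/v1beta1
kind: Verifier
metadata:
  name: verifier-cosign
spec:
  name: cosign
  artifactTypes: application/vnd.dev.cosign.artifact.sig.v1+json
  parameters:
    trustPolicies:
      - name: dev
        version: 1.0.0
        scopes:
          - "registry.example.com/dev/*"    # only images in the dev namespace
        keys:
          - provider: kmp-dev-key
      - name: test
        version: 1.0.0
        scopes:
          - "registry.example.com/test/*"   # only images in the test namespace
        keys:
          - provider: kmp-test-key
```

The two scopes deliberately do not overlap and there is no catch-all `*` policy, so the dev key is never consulted for a test image and vice versa.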