
Netdata Cloud On-Prem Image Signature Verification

All your on-premises images stored in the container registry are digitally signed, providing a robust way to verify their authenticity and integrity. This also applies to your Helm charts, because they are distributed as OCI artifacts.

How Image Signing Works

AWS ECR stores all your on-premises images, and they are signed with AWS Signer, which supports Notary v2, a secure image signing and verification standard. Notary v2 offers several verification levels; we strongly recommend the strict level for maximum security. Strict verification ensures that only images signed by trusted identities and not subsequently revoked are accepted in your environment.

Two Ways to Verify Your Images

You can verify your image signatures using either method:

Method                           | Best For                          | How It Works
---------------------------------|-----------------------------------|------------------------------------------------------------------------------
Local Verification               | Manual verification and testing   | You use the Notary CLI with the AWS Signer plugin on your machine
Kubernetes Admission Controller  | Automated cluster-level security  | Automatically prevents unauthorized images from being deployed to your cluster

Trust and Identity Requirements

Your verification process relies on the AWS root certificate, which you can download from the AWS Signer Developer Guide.

Your Trusted Identity ARN: arn:aws:signer:us-east-1:362923047827:/signing-profiles/onprem

Local Verification Step-by-Step

What You'll Need

Before you start, ensure you have:

  • Notary CLI installed and configured on your system
  • AWS Signer plugin installed
  • Your AWS credentials with ECR access

See the AWS Signer Developer Guide for installation details.

Your Verification Process


Step 1: Verify Your Plugin Installation

Check that you have the AWS Signer plugin installed:

notation plugin list

You should see com.amazonaws.signer.notation.plugin in your list.


Step 2: Configure Your AWS Credentials

Set your AWS credentials:

export AWS_ACCESS_KEY_ID=<your_access_key>
export AWS_SECRET_ACCESS_KEY=<your_secret_key>

Step 3: Login to Your ECR

Authenticate with your ECR registry:

aws ecr get-login-password --region us-east-1 | notation login --username AWS --password-stdin 362923047827.dkr.ecr.us-east-1.amazonaws.com

Step 4: Verify Your Root Certificate

Ensure you have the AWS root certificate installed:

notation cert list

The AWS root certificate should appear in your list. If you don't see it, download it from the AWS Signer Developer Guide.


Step 5: Check Your Policy Configuration

View your current trust policy:

notation policy show

Your policy should look like this:

{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "test",
      "registryScopes": ["*"],
      "signatureVerification": {
        "level": "strict"
      },
      "trustStores": ["signingAuthority:aws-signer-ts"],
      "trustedIdentities": [
        "arn:aws:signer:us-east-1:362923047827:/signing-profiles/onprem"
      ]
    }
  ]
}

Step 6: Verify Your Image Signature

Verify a specific image in your registry:

notation verify 362923047827.dkr.ecr.us-east-1.amazonaws.com/onprem-cloud-environment-service@sha256:4117f06045b5b94a58ded40238fa7e9c2f228c6e0fac45dc78732052e3f48d1b --plugin-config aws-region=us-east-1

Success means your image is authentic and hasn't been tampered with.
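The six steps above can be gathered into a single pre-deployment gate. The following POSIX shell script is an added example, not part of the Netdata documentation or of the notation/AWS tooling: it reuses the registry, region, plugin name and trusted identity ARN quoted on this page, refuses any reference that is not pinned to a sha256 digest (a tag can be re-pointed after signing, a digest cannot), checks that the installed trust policy is strict and names the expected identity, and only then runs `notation verify`. The policy name `netdata-onprem`, the `RUN_VERIFY` switch and the use of the `--type`/`--store` flags of `notation cert list` are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Netdata's or AWS's own code): a local verification gate
# built from the steps on this page. Values below are the ones the page quotes.
REGISTRY="362923047827.dkr.ecr.us-east-1.amazonaws.com"
REGION="us-east-1"
TRUSTED_IDENTITY="arn:aws:signer:us-east-1:362923047827:/signing-profiles/onprem"
PLUGIN_NAME="com.amazonaws.signer.notation.plugin"
TRUST_STORE="aws-signer-ts"

# Accept only references of the form <our registry>/<repo>@sha256:<64 hex>.
# A mutable tag is rejected even though notation could resolve it, because the
# digest is what the signature actually covers.
is_digest_pinned() {
    case "$1" in
        "$REGISTRY"/*@sha256:*) ;;
        *) return 1 ;;
    esac
    digest="${1##*@sha256:}"
    [ "${#digest}" -eq 64 ] || return 1
    case "$digest" in
        *[!0-9a-f]*) return 1 ;;
    esac
    return 0
}

# The strict trust policy from Step 5, emitted so it can be diffed against
# `notation policy show` or fed to `notation policy import`.
trust_policy_json() {
    cat <<EOF
{
  "version": "1.0",
  "trustPolicies": [
    {
      "name": "netdata-onprem",
      "registryScopes": ["*"],
      "signatureVerification": { "level": "strict" },
      "trustStores": ["signingAuthority:$TRUST_STORE"],
      "trustedIdentities": [
        "$TRUSTED_IDENTITY"
      ]
    }
  ]
}
EOF
}

# Reads a trust policy document on stdin and succeeds only if it uses the
# strict level and lists the expected signing profile ARN.
policy_is_strict() {
    policy=$(cat)
    printf '%s' "$policy" | grep -q '"level": *"strict"' || return 1
    printf '%s' "$policy" | grep -F -q "$TRUSTED_IDENTITY" || return 1
    return 0
}

# Steps 1, 4 and 5: plugin installed, root certificate present, policy strict.
preflight() {
    notation plugin list | grep -F -q "$PLUGIN_NAME" \
        || { echo "AWS Signer plugin $PLUGIN_NAME is not installed" >&2; return 1; }
    notation cert list --type signingAuthority --store "$TRUST_STORE" | grep -q . \
        || { echo "no certificate in trust store $TRUST_STORE" >&2; return 1; }
    notation policy show | policy_is_strict \
        || { echo "trust policy is not strict or trusts a different identity" >&2; return 1; }
}

# Step 6: verify one digest-pinned reference. A non-zero exit status is the
# signal a deployment pipeline should stop on.
verify_image() {
    ref="$1"
    is_digest_pinned "$ref" || { echo "refusing non-digest reference: $ref" >&2; return 1; }
    notation verify "$ref" --plugin-config "aws-region=$REGION"
}

# The registry is only contacted when explicitly requested, so the functions
# above can be sourced or tested without credentials:
#   RUN_VERIFY=1 ./verify.sh <registry>/<repo>@sha256:<digest>
if [ "${RUN_VERIFY:-0}" = "1" ]; then
    preflight && verify_image "$1"
fi
```

The digest check runs before any network call, so a pipeline that is handed a `:latest` tag fails fast with a clear message rather than verifying whatever that tag currently points at. Steps 2 and 3 (credentials and `notation login`) are deliberately left outside the script; they belong to the environment that invokes it.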

Your Kubernetes Admission Controller Setup

For automated verification in your Kubernetes deployments, you can configure the AWS Signer admission controller to automatically prevent unauthorized images from being deployed to your cluster.

See the AWS Signer Developer Guide for detailed configuration steps for your environment.

Tip (security best practice): Use the strict verification level and regularly verify your images, especially before you deploy updates to your production environments.

Security Best Practices

Important: Using signature verification ensures the integrity and authenticity of container images, strengthening your overall security posture. It is recommended to enforce this mechanism so that deployment without signature verification is impossible in any environment, including non-production ones.

