For AWS Signer customers wishing to verify signed container images at the time of deployment, there are various open-source solutions such as the following.
-
Deis Labs Gatekeeper and Ratify
– Use Gatekeeper as the admission controller and Ratify configured with an AWS Signer plug-in as a web hook for validating signatures. -
Kyverno
– A Kubernetes policy engine configured with a AWS Signer plugin for validating signatures.
Note
Before verifying container-image signatures, customers must configure the Notation trust store and trust policy as required by their selected admission controller.
