generated from coulomb/repo-seed
44 lines
1.1 KiB
Markdown
44 lines
1.1 KiB
Markdown
# Pattern: Signed Container Images
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: artifact-store, Railiance platform, product repos
|
|
Genesis family: Supply chain
|
|
|
|
## Problem
|
|
|
|
Container images can be replaced, confused, or deployed from untrusted
|
|
origins unless image identity is cryptographically verifiable.
|
|
|
|
## Context
|
|
|
|
Use this pattern for production container images, platform controllers,
|
|
tenant workloads, and deployment admission.
|
|
|
|
## Forces
|
|
|
|
- Tags are mutable unless controlled.
|
|
- Signatures need trusted keys or identities.
|
|
- Admission must verify the image that actually runs.
|
|
- Rollbacks need signed artifacts too.
|
|
|
|
## Solution
|
|
|
|
Sign container image digests after trusted builds and require production
|
|
deployments to reference images whose signatures and provenance satisfy
|
|
policy.
|
|
|
|
## Verification
|
|
|
|
- Images are signed by trusted build or release identities.
|
|
- Admission rejects unsigned or untrusted images.
|
|
- Deployments pin or verify immutable digests.
|
|
- Signature rotation and key compromise processes exist.
|
|
|
|
## Related Patterns
|
|
|
|
- Signed Image Admission.
|
|
- SLSA Build Provenance.
|
|
- SBOM-per-Release.
|
|
- Quarantined Build Runner.
|