Hello Cleber Ramos
Welcome to Microsoft Q&A Platform, thanks for posting your query here.
To sign an image in Azure Container Registry (ACR), you need to use the az acr pack build command. This command builds and signs an image using the specified Dockerfile and a signing key.
Here is an example command:
az acr pack build --image myimage:v1 --registry myregistry --file Dockerfile --sign
This command builds the image using the Dockerfile, tags it as myimage:v1, and signs it using the default signing key. You can also specify a different signing key using the --signing-key option.
To verify that the image has been signed correctly, you can use the az acr repository show-manifests command. This command shows the manifests for a repository, including the signatures.
Here is an example command:
az acr repository show-manifests --name myregistry --repository myimage --output table
This command shows the manifests for the myimage repository in the myregistry registry, and outputs the results in a table format. The output includes the digest of the signed image, which you can use to verify the signature.
To ensure that Kubernetes only pulls the signed image, you can use an imagePullPolicy of "Always" in your Kubernetes deployment. This ensures that Kubernetes always pulls the latest version of the image, including any new signatures. You can also use Kubernetes admission controllers to enforce image signing policies.
Hope this helps.
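As an added illustration, not part of the answer above or of any Microsoft tooling: a minimal admission-style check, in Python, that applies the policy the answer describes to a pod spec before it is admitted. The registry hostname myregistry.azurecr.io, the approved digest (a constructed placeholder standing in for the value copied from az acr repository show-manifests) and the sample pods are all assumptions.

```python
# Constructed example: the trusted registry and the digests an operator has
# approved after checking them with `az acr repository show-manifests`.
TRUSTED_REGISTRY = "myregistry.azurecr.io"  # assumed ACR login server
ALLOWED_DIGESTS = {
    "myregistry.azurecr.io/myimage": {"sha256:" + "ab" * 32},  # placeholder digest
}


def parse_image(ref):
    """Split an image reference into (repository, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    # A ':' after the last '/' is a tag; one before it is a registry port.
    slash, colon = ref.rfind("/"), ref.rfind(":")
    if colon > slash:
        ref, tag = ref[:colon], ref[colon + 1:]
    return ref, tag, digest


def check_pod(pod):
    """Return the list of policy violations for a pod; empty means admit."""
    violations = []
    spec = pod.get("spec", {})
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        name = c.get("name", "<unnamed>")
        repo, tag, digest = parse_image(c.get("image", ""))
        if not repo.startswith(TRUSTED_REGISTRY + "/"):
            violations.append(f"{name}: {repo} is not from {TRUSTED_REGISTRY}")
            continue  # other checks are meaningless for an untrusted source
        if digest is None:
            violations.append(f"{name}: pin by digest, not tag {tag!r}")
        elif digest not in ALLOWED_DIGESTS.get(repo, set()):
            violations.append(f"{name}: {digest} is not an approved signed manifest")
        if c.get("imagePullPolicy") != "Always":
            violations.append(f"{name}: imagePullPolicy must be Always")
    return violations


# Constructed sample pods: one compliant, one with two distinct violations.
GOOD_POD = {"spec": {"containers": [{
    "name": "app", "imagePullPolicy": "Always",
    "image": "myregistry.azurecr.io/myimage@sha256:" + "ab" * 32}]}}
BAD_POD = {"spec": {"containers": [
    {"name": "web", "image": "docker.io/library/nginx:latest",
     "imagePullPolicy": "IfNotPresent"},
    {"name": "app", "image": "myregistry.azurecr.io/myimage:v1",
     "imagePullPolicy": "Always"}]}}

if __name__ == "__main__":
    print(check_pod(GOOD_POD), check_pod(BAD_POD))
```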