How is it possible to sign an image on Azure Container Registry?

Cleber Ramos 60 Reputation points
2023-09-08T08:54:10.42+00:00

How is it possible to sign an image in Azure Container Registry? I always receive error 401, not authorized, even though I'm owner and "acr signer" of the ACR.

After signing, how is it possible to guarantee that K8S only receives the signed image, and that the signed image has the correct signature with a specific key?

I tried looking in all the documentation, however none of it is clear.


Accepted answer
  1. vipullag-MSFT 26,211 Reputation points
    2023-09-19T04:39:29.59+00:00

    Hello Cleber Ramos,
    Welcome to the Microsoft Q&A Platform, and thanks for posting your query here.

    To sign an image in Azure Container Registry (ACR), you need to use the az acr pack build command. This command builds and signs an image using the specified Dockerfile and a signing key.

    Here is an example command:
    az acr pack build --image myimage:v1 --registry myregistry --file Dockerfile --sign

    This command builds the image using the Dockerfile, tags it as myimage:v1, and signs it using the default signing key. You can also specify a different signing key using the --signing-key option.

    To verify that the image has been signed correctly, you can use the az acr repository show-manifests command. This command shows the manifests for a repository, including the signatures.

    Here is an example command:

    az acr repository show-manifests --name myregistry --repository myimage --output table

    This command shows the manifests for the myimage repository in the myregistry registry, and outputs the results in a table format. The output includes the digest of the signed image, which you can use to verify the signature.

    To ensure that Kubernetes only pulls the signed image, you can use an imagePullPolicy of "Always" in your Kubernetes deployment. This ensures that Kubernetes always pulls the latest version of the image, including any new signatures. You can also use Kubernetes admission controllers to enforce image signing policies.

    Hope this helps.

    1 person found this answer helpful.
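The admission-controller enforcement mentioned at the end of the accepted answer, as an added example that is not part of the original answer or of Microsoft's documentation: a Kyverno ClusterPolicy that admits a Pod only when every image pulled from the registry carries a Notary (notation) signature whose certificate chains to a pinned PEM. It assumes Kyverno 1.10 or later (the first release with `type: Notary` image verification) is installed in the cluster; `myregistry.azurecr.io` reuses the answer's placeholder registry name, and the certificate body is a placeholder to replace with the signing certificate exported from the Key Vault certificate used for signing.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-notary-signature
spec:
  # Reject Pods that fail verification instead of only auditing them.
  validationFailureAction: Enforce
  # If the admission webhook itself cannot be reached, fail closed.
  failurePolicy: Fail
  webhookTimeoutSeconds: 30
  background: false
  rules:
    - name: verify-acr-image-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Notation stores signatures as OCI referrers of the image manifest in ACR.
        - type: Notary
          imageReferences:
            - "myregistry.azurecr.io/*"   # placeholder registry, taken from the answer's example
          # Rewrite the tag to the verified digest so the container runs exactly the manifest
          # whose signature was checked, not whatever the tag points to at pull time.
          mutateDigest: true
          verifyDigest: true
          # An image with no signature at all is rejected, not silently skipped.
          required: true
          attestors:
            - count: 1
              entries:
                - certificates:
                    # Placeholder: the PEM of the signing certificate (or its issuing CA).
                    # Only signatures chaining to this certificate are accepted.
                    cert: |-
                      -----BEGIN CERTIFICATE-----
                      REPLACE_WITH_SIGNING_CERTIFICATE_PEM
                      -----END CERTIFICATE-----
```

With this policy applied, a Pod referencing `myregistry.azurecr.io/myimage:v1` is admitted only if Kyverno can fetch a Notary signature for that manifest and the signature verifies against the pinned certificate; an unsigned image, or one signed with any other key, is rejected at admission with a policy violation, which is what ties the check to a specific key as the question asks. Kyverno needs pull access to the repository to read the signature referrers, so the registry credentials used by the workload must also be available to the controller.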

1 additional answer

  1. JimmySalian-2011 42,166 Reputation points
    2023-09-08T10:58:15.1033333+00:00

    Hi Cleber,

    Did you check this article: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-tutorial-sign-build-push ? It might help you go through the process.

    Also check the troubleshooting steps here: https://learn.microsoft.com/en-us/azure/container-registry/container-registry-check-health

    Hope this helps.

    JS

    ==

    Please Accept the answer if the information helped you. This will help us and others in the community as well.

