Support for Signed Images.

Daniel Walsh
Published in cri-o · 1 min read · Jul 31, 2017

Red Hat announced last week that all of their images are signed with simple signing. Aaron Weitekamp follows up his article on Simple Signing, and explains that users can start to enforce signatures on their images.

But what does this have to do with CRI-O?

When we began building CRI-O, we wanted to use existing libraries that could develop at a separate pace than CRI-O, in the Linux/Unix tradition of doing small components well separately and then joining them together. We use github.com/containers/image for pulling and pushing container images from a container registry. This library has full support for simple signing, so CRI-O has complete support out of the box for letting users define which registries they trust and which signatures they verify against.

They can even use tools like skopeo to sign their own images and push them to ANY registry that they want. Then they can set up CRI-O to enforce that Kubernetes will only execute images that they trust.
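To make "which registries they trust" concrete, the following added example (not code from this article or from containers/image) resolves which requirement in a containers/image `policy.json` governs a given image, mirroring the format's most-specific-scope-wins lookup for the `docker` transport. The policy is constructed, and its registry names and key path are placeholders.

```python
import json

# Constructed sample in the containers/image policy.json format; the registry
# names and key path are placeholders, not values from the article.
POLICY = json.loads("""
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "registry.example.com/myorg": [
        {"type": "signedBy", "keyType": "GPGKeys",
         "keyPath": "/etc/pki/containers/myorg.gpg"}
      ],
      "mirror.example.com": [{"type": "insecureAcceptAnything"}]
    }
  }
}
""")


def candidate_scopes(ref):
    """Scopes from most to least specific: full reference, repository,
    each parent namespace, then the registry host."""
    repo = ref.split("@")[0]
    last = repo.rsplit("/", 1)[-1]
    if ":" in last:                      # strip a tag, not a host port
        repo = repo[: repo.rindex(":")]
    scopes = [ref] if ref != repo else []
    while True:
        scopes.append(repo)
        if "/" not in repo:
            return scopes
        repo = repo.rsplit("/", 1)[0]


def requirements_for(policy, ref, transport="docker"):
    """Return (matched scope, requirement list) that governs `ref`."""
    scoped = policy.get("transports", {}).get(transport, {})
    for scope in candidate_scopes(ref) + [""]:
        if scope in scoped:
            return scope or "<transport default>", scoped[scope]
    return "<global default>", policy["default"]


def verdict(policy, ref):
    """Classify what the policy demands before `ref` may be used."""
    types = {r["type"] for r in requirements_for(policy, ref)[1]}
    if "reject" in types:
        return "rejected"
    return "signature required" if "signedBy" in types else "accepted unsigned"
```

Running `verdict` over the images a cluster actually pulls shows which ones fall under a scope that accepts unsigned content, such as the `mirror.example.com` entry here.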

CRI-O is like the old Prego commercial: it's in there.

https://www.youtube.com/watch?v=Z3CRoyrs5rQ


Daniel Walsh

Mr SELinux, Consulting Engineer at Red Hat. Now I mainly work on OCI Containers, Project Atomic, the CRI-O project, buildah and docker^hMoby.