Container Image Signatures in Kubernetes

Philipp Belitz
SSE Blog
Published in
10 min readAug 7, 2020

Container image signatures are a rarely implemented security feature, even though images’ contents are ever changing and hard to get a grasp of, making it easy for attackers to hide malicious content in them. A main reason for that is that the most popular container orchestrator Kubernetes has no native support for image signatures or their verification. Connaisseur is a Kubernetes admission controller that tries to change that, by allowing only signed images into a cluster and ensure only trusted and unmodified content is deployed, thus amp up your security.


  • Docker Content Trust (DCT) is a way to sign your Docker images
  • It uses Notary to store signing data
  • Kubernetes doesn’t support DCT natively
  • Connaisseur (GitHub) is a Kubernetes admission controller that intercepts requests sent to the cluster
  • It verifies the signatures of all image references found in the requests
  • It denies any requests trying to deploy unsigned images
Photo by Scott Graham on Unsplash

Digital signatures are a well-known approach for maintaining the integrity of any data transferred all around the web. Whether it’s for signing emails, using TLS certificates or app signatures for popular stores such as Google Play or Apple’s App Store. It’s an overall appropriate solution that provides a lot of trust and security, in a world where your credentials are at a constant risk of being stolen and your machine is at a constant risk for abuse, such as bitcoin mining.

With Docker and Kubernetes, a new landscape has been opened up in this world, full of containerized applications in the form of Docker images, all ready to be pulled from your favorite image registry. But when pulling these images, how sure can you be of their contents? Are there no malicious services hidden in there somewhere? Docker images change all the time and that freshly pulled nginx image could already look a bit different, updated with the latest security patch, or maybe updated with something else, more sketchy…? It’s hard to say, not only for images coming from a public registry, but also for the ones you built yourself. You would have to go into the image and scan for this “malicious content”, how ever that may look like.

Philipp Belitz
SSE Blog

IT Security Engineer at Secure Systems Engineering GmbH. Focused mostly on Kubernetes and Docker Security. Love cycling and playing MtG.