
Stop Trusting Container Registries, Verify Image Signatures

Blog post from InfluxData

Post Details

Company: InfluxData
Author: Wojciech Kocjan
Word Count: 1,887
Language: English
Hacker News Points: -
Summary

InfluxDB Cloud is a cloud-native, serverless platform that supports auto-scaling and a range of workloads, built from Kubernetes-based microservices. To address the risk of running container images that have been tampered with, InfluxData implemented a container signing solution to verify the authenticity and integrity of the images it deploys. Each image is digitally signed at push time with a key held in HashiCorp Vault, and the public keys are made available so that the clusters consuming the images can verify the signatures before running them. This approach allows tampering to be detected and allows key pairs to be rotated, limiting the impact of a security incident. InfluxData's implementation builds on the Sigstore policy-controller and cosign tools and is designed to be scalable, secure, and easy to manage, with a focus on adding as little burden as possible for users.