Trusted Signers

Panoptica can block workloads with unidentified signatures from running in protected clusters, as part of the built-in Restrict unidentified workloads Policy rule. You can define Trusted Signers, who can sign images with signatures that will be recognized and accepted by these rules.

Trusted signatures are applied per cluster. That is, you can designate on which clusters signatures from the signer will be accepted. All other clusters will regard images signed by this signer as unidentified.

You must enable image signature checking on the cluster.

Create a Trusted Signer

  1. In the CI/CD page, select the TRUSTED SIGNERS tab.
  2. Click New Trust Profile.
  1. In STEP 1, enter a name for the signer, as it will appear in Panoptica, then click NEXT.
  2. In STEP 2, enter a set of keys, each a name and key value, then click NEXT. Enter the public key, with a name.
  3. In STEP 3, select the clusters on which images signed by this Trusted Signer will be accepted.
  4. Click FINISH.

Enable image signature checking on clusters

You must enable image signature checking on your clusters in order to enforce the unidentified workload rule on them, and to recognize signatures from trusted signers.

  1. Navigate to the Deployments page, and select the CLUSTER CONTROLLERS tab.
  2. Select the cluster, and click the edit symbol on the right, to open the cluster definition for changes.
  3. Enable Image signing under Advanced Settings.
  1. Click FINISH to save the changes.

Create keys for image signing

Use cosign to generate a key pair.

Sign images with trusted signatures

Images can be signed in the CI stage with trusted signatures.

Use this command to sign an image

/bin/securecn_deployment_cli sign-image --image-name <registry/image> --signing-key ./cosign.key -v


  • <registry/image> is the image to be signed (example: akpsdocker/httpbin:sign-demo)
  • signing-key points to the key file, created above.