kube-notary is a monitoring tool for Continuous Verification (CV) via CodeNotary. The idea behind CV is to continuously monitor your cluster at runtime and be notified when unknown or untrusted container images are running.
Once kube-notary is installed within your cluster, all pods are checked every minute (the interval and other settings can be configured). For each running container in each pod, kube-notary resolves the ImageID of the container's image to the actual image hash and then looks up the hash's signature in CodeNotary's blockchain.
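The per-container loop described above, as an added Go example that is not kube-notary's own code: parse a pod's `containerStatuses`, resolve each `imageID` to its sha256 digest, and look that digest up. The `lookup` callback and the sample pod JSON are constructed stand-ins; the real CodeNotary query is not reproduced here.

```go
package main

import (
	"encoding/json"
	"regexp"
	"strings"
)

// Subset of the Kubernetes PodStatus fields kube-notary reads (names as in the API).
type PodStatus struct {
	ContainerStatuses []struct {
		Name    string `json:"name"`
		ImageID string `json:"imageID"`
	} `json:"containerStatuses"`
}

// Constructed sample: a docker-form ID, a containerd-form ID, and a truncated digest that cannot be resolved.
var hexA, hexB = strings.Repeat("ab", 32), strings.Repeat("cd", 32)
var SamplePodJSON = `{"containerStatuses":[` +
	`{"name":"web","imageID":"docker-pullable://nginx@sha256:` + hexA + `"},` +
	`{"name":"sidecar","imageID":"docker.io/library/busybox@sha256:` + hexB + `"},` +
	`{"name":"local","imageID":"registry.internal/app@sha256:deadbeef"}]}`

var digestRE = regexp.MustCompile(`@sha256:([0-9a-f]{64})$`)
// ImageHash resolves an ImageID to its bare sha256 digest (the only part that identifies the
// image content; the name in front of it does not); ok=false when no full digest is present.
func ImageHash(imageID string) (string, bool) {
	if m := digestRE.FindStringSubmatch(imageID); m != nil {
		return m[1], true
	}
	return "", false
}

// CheckPod runs the per-container loop: resolve each ImageID, then look the hash up. lookup stands in for
// the CodeNotary query (assumption): "trusted"/"untrusted" for a signed hash, found=false for an unsigned one.
func CheckPod(podJSON string, lookup func(hash string) (string, bool)) (map[string]string, error) {
	var pod PodStatus
	if err := json.Unmarshal([]byte(podJSON), &pod); err != nil {
		return nil, err
	}
	verdicts := map[string]string{}
	for _, c := range pod.ContainerStatuses {
		verdicts[c.Name] = "unknown" // an unresolved digest or unsigned hash is never reported as trusted
		if hash, ok := ImageHash(c.ImageID); ok {
			if status, found := lookup(hash); found {
				verdicts[c.Name] = status
			}
		}
	}
	return verdicts, nil
}
```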
Furthermore, kube-notary provides a built-in exporter that sends verification metrics to Prometheus, which can then be easily visualized with the provided Grafana dashboard.
Images you trust can be signed by using the CodeNotary vcn CLI tool.