Trusted Resources


Trusted Resources is a feature which can be used to sign Tekton Resources and verify them. Details of design can be found at TEP–0091. This feature is under alpha version and support v1beta1 version of Task and Pipeline.

Verification failure will mark corresponding taskrun/pipelinerun as Failed status and stop the execution.

Note: KMS is not currently supported and will be supported in the following work.


Sign Resources

For Sign cli you may refer to experimental repo to sign the resources. We’re working to add sign and verify into Tekton Cli as a subcommand.

A signed task example:

kind: Task
  annotations: MEYCIQDM8WHQAn/yKJ6psTsa0BMjbI9IdguR+Zi6sPTVynxv6wIhAMy8JSETHP7A2Ncw7MyA7qp9eLsu/1cCKOjRL1mFXIKV
  creationTimestamp: null
  name: example-task
  namespace: tekton-trusted-resources
  - image: ubuntu
    name: echo

Enable Trusted Resources

Enable feature flag

Update the config map:

apiVersion: v1
kind: ConfigMap
  name: feature-flags
  namespace: tekton-pipelines
  labels: default tekton-pipelines
  resource-verification-mode: "enforce"

Note: resource-verification-mode needs to be set as enforce or warn to enable resource verification.

resource-verification-mode configurations:

  • enforce: Failing verification will mark the taskruns/pipelineruns as failed.
  • warn: Log warning but don’t fail the taskruns/pipelineruns.
  • skip: Directly skip the verification.

Or patch the new values:

kubectl patch configmap feature-flags -n tekton-pipelines -p='{"data":{"resource-verification-mode":"enforce"}}

Config key at configmap

Note that multiple keys reference should be separated by comma. If the resource can pass any key in the list, it will pass the verification.

We currently hardcode SHA256 as hashfunc for loading public keys as verifiers.

Public key files should be added into secret and mounted into controller volumes. To add keys into secret you may execute:

kubectl create secret generic verification-secrets \ \ \
  -n tekton-pipelines
apiVersion: v1
kind: ConfigMap
  name: config-trusted-resources
  namespace: tekton-pipelines
  labels: default tekton-pipelines
  publickeys: "/etc/verification-secrets/, /etc/verification-secrets/"