🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

cosign-gatekeeper-provider

To integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying its signatures

This repo is meant for testing Gatekeeper external data feature. Do not use for production.

Installation

  • Deploy Gatekeeper with external data enabled (--enable-external-data)
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper/gatekeeper  \
    --name-template=gatekeeper \
    --namespace gatekeeper-system --create-namespace \
    --set enableExternalData=true \
    --set controllerManager.dnsPolicy=ClusterFirst,audit.dnsPolicy=ClusterFirst

Let's install the cosign-gatekeeper-provider:

kubectl apply -f manifest

  • kubectl apply -f manifest/provider.yaml

    • Update url if it's not http://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090 (default)

  • kubectl apply -f policy/template.yaml

  • kubectl apply -f policy/constraint.yaml

Verification

To test this successfully, we should sign one of our images with cosign tool. So, let's do this first:

Generate key pair

$ cosign generate-key-pair

We have two files under policy/examples, one for valid manifest that contains signed image, the other is invalid. To do the same you should sign your image as I did:

$ crane copy alpine:latest devopps/alpine:signed
$ crane copy alpine:3.14 devopps/alpine:unsigned
$ cosign sign --key cosign.key devopps/signed:latest

So, once you are ready, let's apply these manifests one by one. It should allow deploying Pod for valid.yaml, and deny for the other one.

Owner
Batuhan Apaydın
I do mostly #Go, #Kubernetes, and cloud-native stuff 🐱 🐳 ⛵️ Organizer at @goturkiye_ & Community Rel. at @devopstr 🧑🏻‍💻✍️
Batuhan Apaydın
https://github.com/developer-guy/cosign-gatekeeper-provider
Comments
  • Security Policy violation Branch Protection

    Security Policy violation Branch Protection

    This issue was automatically created by Allstar.

    Security Policy Violation Dismiss stale reviews not configured for branch main

    This issue will auto resolve when the policy is in compliance.

    Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

  • Additional verification methods

    Additional verification methods

    Description

    Hi again! Thanks for the really awesome job you are doing!

    I'm looking into using this together with Azure Key Vault and Azure Container Registry. In my case, each namespace will have a separate key in Key Vault and the identity used by the provider will have verify access to each key.

    My idea is to add some config parameters to the provider to be able to configure how the verification is done and configured, but before starting anything I'd like to understand what plans you already have to make sure I align with them in the best possible way.

    Would you like some kind of formal proposal from me or something like that? Or maybe you don't want to provide those kinds of features with the provider and only use it as an example?

    Keep up the great work! 🚀👍🥇

  • add mage to run the build/test jobs and setup initial gh actions

    add mage to run the build/test jobs and setup initial gh actions

    Summary

    • fix go module name
    • add initial goreleaser (will add the sign and docker files)
    • setup mage to run the build/test commands
    • setup golangci-lint

    Ticket Link

    Fixes

    Release Note

    add mage to run the build/test jobs and setup initial gh actions
  • Fix link and formatting in README

    Fix link and formatting in README

    Summary

    Link was missing protocol, which led it to use this repo as base path for the link, rendering it invalid. kubectl command formatting to make it looks nicer.

    Ticket Link

    Fixes https://github.com/sigstore/cosign-gatekeeper-provider/issues/12

    Release Note

    NONE
  • Broken link in README

    Broken link in README

    Description The first cosign link in the README.md leads to: https://github.com/sigstore/cosign-gatekeeper-provider/blob/main/github.com/sigstore/cosign, however this is a 404.

    I assume the link should go to: https://github.com/sigstore/cosign ?

  • How to provide a cosign public key for verification?

    How to provide a cosign public key for verification?

    Question Dear community, could somebody guide me how to provide the cosign public key for image verification for cosign-gatekeeper-provider? My public key is available with http schema. (http url file)

    As I can see from the source code, the only available method is keyless: https://github.com/sigstore/cosign-gatekeeper-provider/blob/main/provider.go#L85

    But I might miss something, that's why gentle requesting for help.

    Thank you, Pasha.

  • Verifying images using a generated public key

    Verifying images using a generated public key

    Description

    Hi!

    We'd like to have an opportunity to pass our own Cosign public key generated with cosign generate-key-pair to the provider. To use it the same way as 'cosign verify --key ...’

    Expectations:

    1. Generate a key pair using cosign generate-key-pair
    2. Sign an image
    3. Create a k8s secret/configmap for cosign.pub
    4. Pass the secret/configmap to cosign-gatekeeper-provider deployment
    5. Verify the images using the public key
  • use panic-free logic

    use panic-free logic

    Signed-off-by: Furkan [email protected]

    Related issue: https://github.com/sigstore/cosign-gatekeeper-provider/issues/16 (This is not a fix PR)

    Bump cosign to use panic free fulcio during getting root certs: https://github.com/sigstore/cosign/pull/1965

    PTAL @developer-guy

    Summary

    Ticket Link

    Fixes

    Release Note

    * Bump cosign to v1.9.1
* Use panic-free logic
* Get root certs during initialization
  • Not able to verify container image in my k8s cluster

    Not able to verify container image in my k8s cluster

    Hi Team

    I would like to verify my container images before deploying to pod in my k8s cluster. I am trying to achieve this with cosign-gatekeeper-provider i.e https://github.com/sigstore/cosign-gatekeeper-provider I have signed the image using cosign but I am not able to verify images when I try to deploy pod using manifest in my cluster.

    I am getting following error:- error when creating “policy/examples/valid.yaml”: admission webhook “validation.gatekeeper.sh” denied the request: [cosign-gatekeeper-provider] invalid response: {“errors”: [], “responses”: [], “status_code”: 200, “system_error”: “VerifyImageSignatures: one of verifier or root certs is required”}

    I am able to verify container images using commands on my local command line i.e cosign verify .(But not inside k8s cluster). Looks like keys/cert information are not propagated to cluster

    Anything else you would like to add: I am not sure whether I should put this issue here or on cosign.

    Environment:

    Gatekeeper version:3.8.1

  • imagePullSecret support

    imagePullSecret support

    Looking at the examples, there is not imagePullSecret support currently? This is needed for things such as gitlab repo's where each project is protected.

  • Cache KMS and registry credentials

    Cache KMS and registry credentials

    Description

    Right now, if I'm not mistaken, new credentials will be configured for each time we reach out to the KMS or registry.

    To make sure that we don't get rate limited, these credentials should be cached.

Related tags
Security opa gatekeeper keyless cosign sigstore rekor fulcio
go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.
 go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.

go-opa-validate go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data. Installation Usage Cont

Nov 17, 2022
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer.

Quick start Prepare keys (on both sides): [ -f ~/.ssh/id_ed25519 ] && [ -f ~/.ssh/id_ed25519.pub ] || ssh-keygen -t ed25519 scp ~/.ssh/id_ed25519.pub

Dec 30, 2022
Go library to create/verify armored SSH signatures

Armored ssh signatures in go Package sshsig implements signing/verifying armored SSH signatures. You can use this package to sign data and verify sign

Sep 18, 2022
Redactionschemes - Golang Library for Redactable Signatures

Golang Library for Redactable Signatures ⚠️ WARNING ⚠️ THIS LIBRARY HAS NOT BEEN

Feb 17, 2022
A RSA signing server model, allows to create valid signed certificates that cant be modified
A RSA signing server model, allows to create valid signed certificates that cant be modified

Omega Description a RSA signing server model, allows to create valid signed certificates that cant be modified Requirements MySQL Server GoLang 1.17 I

Nov 15, 2021
Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
 Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

Sep 30, 2022
Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner
 Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.

Jan 2, 2022
mesh-kridik is an open-source security scanner that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.
 mesh-kridik is an open-source security scanner that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.

mesh-kridik Enhance your Kubernetes service mesh security !! mesh-kridik is an open-source security scanner that performs various security checks on a

Dec 14, 2022
Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.
 Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.

Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user. Drift

Dec 29, 2022
Tool to check whether one of your applications is affected by a vulnerability in log4j: CVE-2021-44228
 Tool to check whether one of your applications is affected by a vulnerability in log4j: CVE-2021-44228

log4shell.tools log4shell.tools is a tool allows you to run a test to check whether one of your applications is affected by a vulnerability in log4j:

Nov 2, 2022
Integrate Snyk into Harbor

Harbor Snyk Scanner Harbor Snyk Scanner is a scanner adaptor for Harbor to integrate scan results from Snyk. The project is currently work in progress

Sep 6, 2022
A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.
 A source code analyzer built for surfacing features of interest and other characteristics to answer the question 'What's in the code?' quickly using static analysis with a json based rules engine. Ideal for scanning components before use or detecting feature level changes.

Introduction Microsoft Application Inspector is a software source code characterization tool that helps identify coding features of first or third par

Dec 28, 2022
Friends don't let friends leak secrets on their terminal window
 Friends don't let friends leak secrets on their terminal window

senv - safer env Friends don't let friends leak secrets in terminal windows. ?? Print your environment to the terminal without worry.

Oct 26, 2022
Gorsair hacks its way into remote docker containers that expose their APIs
 Gorsair hacks its way into remote docker containers that expose their APIs

Gorsair Gorsair is a penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers. Once it has access

Dec 26, 2022
Pokes users on Slack about outstanding risks found by Crowdstrike Spotlight or vmware Workspace ONE so they can secure their own endpoint.
 Pokes users on Slack about outstanding risks found by Crowdstrike Spotlight or vmware Workspace ONE so they can secure their own endpoint.

?? security-slacker Pokes users on Slack about outstanding risks found by Crowdstrike Spotlight or vmware Workspace ONE so they can secure their own e

Nov 29, 2022
set of web security test cases and a toolkit to construct new ones

Webseclab Webseclab contains a sample set of web security test cases and a toolkit to construct new ones. It can be used for testing security scanners

Jan 7, 2023
A template for creating new Golang + Docker + Canonical Domain + Badges + Renovate + Golangci + Goreleaser + CircleCI + ...
 A template for creating new Golang + Docker + Canonical Domain + Badges + Renovate + Golangci + Goreleaser + CircleCI + ...

golang-repo-template ?? golang-repo-template Usage foo@bar:~$ golang-repo-template hello world _

Dec 29, 2022
Libdns-exoscale - A template for developers to use when creating new libdns provider implementations

DEVELOPER INSTRUCTIONS: This repo is a template for developers to use when creat

Jan 18, 2022
FunctionStomping (using golang) : A new shellcode injection technique.
 FunctionStomping (using golang) : A new shellcode injection technique.

goFunctionStomping FunctionStomping using golang Description This is a brand-new technique for shellcode injection to evade AVs and EDRs. This techniq

Oct 12, 2022