🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

cosign-gatekeeper-provider

Integrates OPA Gatekeeper's new ExternalData feature with cosign to determine whether images are valid by verifying their signatures.

This repo is meant for testing Gatekeeper's external data feature. Do not use it in production.

Installation

  • Deploy Gatekeeper with external data enabled (--enable-external-data):
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper/gatekeeper  \
    --name-template=gatekeeper \
    --namespace gatekeeper-system --create-namespace \
    --set enableExternalData=true \
    --set controllerManager.dnsPolicy=ClusterFirst,audit.dnsPolicy=ClusterFirst

Let's install the cosign-gatekeeper-provider:

kubectl apply -f manifest

  • kubectl apply -f manifest/provider.yaml

    • Update the url in provider.yaml if the provider is not reachable at http://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090 (the default)

  • kubectl apply -f policy/template.yaml

  • kubectl apply -f policy/constraint.yaml

Verification

To test this successfully, we need to sign one of our images with the cosign tool, so let's do that first:

Generate key pair

$ cosign generate-key-pair

There are two example manifests under policy/examples: valid.yaml references a signed image, and the other references an unsigned one. To reproduce this, sign your image as shown here:

$ crane copy alpine:latest devopps/alpine:signed
$ crane copy alpine:3.14 devopps/alpine:unsigned
$ cosign sign --key cosign.key devopps/alpine:signed

Once the images are signed, apply the example manifests one by one: the Pod from valid.yaml should be admitted, and the other one denied.
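As an added illustration (not the provider's own code), here is a Go sketch of what an external data provider like this one does per admission request: Gatekeeper POSTs the image references as request.keys, the provider verifies each one, and it answers with one item per image plus a systemError only for its own misconfiguration. The wire field names are assumed to match Gatekeeper's externaldata package, and Verifier is a stand-in for the cosign call, not cosign's API.

```go
package main
import "encoding/json"
// Wire types of Gatekeeper's external data protocol; the field names are assumed
// to match Gatekeeper's externaldata package (externaldata.gatekeeper.sh/v1alpha1).
type ProviderRequest struct {
	Request struct {
		Keys []string `json:"keys"` // image references collected by the Rego template
	} `json:"request"`
}
type Item struct {
	Key   string      `json:"key,omitempty"`
	Value interface{} `json:"value,omitempty"`
	Error string      `json:"error,omitempty"`
}
type ProviderResponse struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Response   struct {
		Idempotent  bool   `json:"idempotent"`
		Items       []Item `json:"items,omitempty"`
		SystemError string `json:"systemError,omitempty"`
	} `json:"response"`
}
// Verifier stands in for the per-image cosign signature check; a non-nil error
// means the reference carries no signature that validates with the configured key.
type Verifier func(ref string) error
// HandleRequest decodes the ProviderRequest Gatekeeper POSTs and encodes the reply.
// A failed image goes into that item's "error" so the policy can deny just that Pod;
// a nil verifier is a provider misconfiguration reported via "systemError", which
// makes Gatekeeper reject the whole response rather than admit anything.
func HandleRequest(body []byte, verify Verifier) ([]byte, error) {
	var req ProviderRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return nil, err
	}
	resp := ProviderResponse{APIVersion: "externaldata.gatekeeper.sh/v1alpha1", Kind: "ProviderResponse"}
	resp.Response.Idempotent = true // the same keys always get the same verdict
	if verify == nil {
		resp.Response.SystemError = "VerifyImageSignatures: one of verifier or root certs is required"
		return json.Marshal(resp)
	}
	for _, ref := range req.Request.Keys {
		item := Item{Key: ref, Value: ref + "_valid"}
		if err := verify(ref); err != nil {
			item.Error, item.Value = err.Error(), nil // e.g. no matching signatures
		}
		resp.Response.Items = append(resp.Response.Items, item)
	}
	return json.Marshal(resp)
}
```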

Owner: sigstore (software supply chain security)
Comments
  • Security Policy violation Branch Protection

    This issue was automatically created by Allstar.

    Security Policy Violation Dismiss stale reviews not configured for branch main


    This issue will auto resolve when the policy is in compliance.

    Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

  • Additional verification methods

    Description

    Hi again! Thanks for the really awesome job you are doing!

    I'm looking into using this together with Azure Key Vault and Azure Container Registry. In my case, each namespace will have a separate key in Key Vault and the identity used by the provider will have verify access to each key.

    My idea is to add some config parameters to the provider to be able to configure how the verification is done and configured, but before starting anything I'd like to understand what plans you already have to make sure I align with them in the best possible way.

    Would you like some kind of formal proposal from me or something like that? Or maybe you don't want to provide those kinds of features with the provider and only use it as an example?

    Keep up the great work! 🚀👍🥇

  • add mage to run the build/test jobs and setup initial gh actions

    Summary

    • fix go module name
    • add initial goreleaser (will add the sign and docker files)
    • setup mage to run the build/test commands
    • setup golangci-lint

    Ticket Link

    Fixes

    Release Note

    add mage to run the build/test jobs and setup initial gh actions

  • Fix link and formatting in README

    Summary

    Link was missing protocol, which led it to use this repo as base path for the link, rendering it invalid. kubectl command formatting to make it looks nicer.

    Ticket Link

    Fixes https://github.com/sigstore/cosign-gatekeeper-provider/issues/12

    Release Note

    NONE
    
  • Broken link in README

    Description

    The first cosign link in the README.md leads to: https://github.com/sigstore/cosign-gatekeeper-provider/blob/main/github.com/sigstore/cosign, however this is a 404.

    I assume the link should go to: https://github.com/sigstore/cosign ?

  • use panic-free logic

    Signed-off-by: Furkan [email protected]

    Related issue: https://github.com/sigstore/cosign-gatekeeper-provider/issues/16 (This is not a fix PR)

    Bump cosign to use panic free fulcio during getting root certs: https://github.com/sigstore/cosign/pull/1965

    PTAL @developer-guy

    Summary

    Ticket Link

    Fixes

    Release Note

    * Bump cosign to v1.9.1
    * Use panic-free logic
    * Get root certs during initialization
    
  • Not able to verify container image in my k8s cluster

    Hi Team

    I would like to verify my container images before deploying them to a pod in my k8s cluster. I am trying to achieve this with cosign-gatekeeper-provider, i.e. https://github.com/sigstore/cosign-gatekeeper-provider. I have signed the image using cosign, but I am not able to verify images when I try to deploy a pod using a manifest in my cluster.

    I am getting the following error: error when creating “policy/examples/valid.yaml”: admission webhook “validation.gatekeeper.sh” denied the request: [cosign-gatekeeper-provider] invalid response: {“errors”: [], “responses”: [], “status_code”: 200, “system_error”: “VerifyImageSignatures: one of verifier or root certs is required”}

    I am able to verify container images using commands on my local command line, i.e. cosign verify (but not inside the k8s cluster). It looks like the keys/cert information is not propagated to the cluster.

    Anything else you would like to add: I am not sure whether I should put this issue here or on cosign.

    Environment:

    Gatekeeper version: 3.8.1

  • imagePullSecret support

    Looking at the examples, there is no imagePullSecret support currently? This is needed for things such as GitLab repos where each project is protected.

  • Cache KMS and registry credentials

    Description

    Right now, if I'm not mistaken, new credentials will be configured each time we reach out to the KMS or registry.

    To make sure that we don't get rate limited, these credentials should be cached.

  • Cache for verification results

    Description

    One issue that may arise as we start using this provider in production is that if the provider can't reach the registry or KMS it will fail. It would be like if we used imagePullPolicy: true.

    Results (at least successful) should be possible to cache and have a TTL.

    Maybe a CRD could be used to store the cache results as well?
