-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Allow users to reference own public key secrets (#18)
* docs: styling and spelling * feat: no vendors & read referenced pubkey secrets * feat: ability to reference own secret * chore: simplified dockerfile (no vendors) * chore: spelling correction * docs: enhanced readability and clarified some issues
- Loading branch information
Showing
5,837 changed files
with
695 additions
and
1,673,273 deletions.
The diff you're trying to view is too large. We only load the first 3000 changed files.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,14 +1,12 @@ | ||
| # build stage | ||
| FROM golang:1.20 AS build-env | ||
| RUN mkdir -p /go/src/github.com/eumel8/cosignwebhook | ||
| WORKDIR /go/src/github.com/eumel8/cosignwebhook | ||
| COPY . . | ||
| WORKDIR /app | ||
| COPY . /app | ||
| RUN useradd -u 10001 webhook | ||
| RUN CGO_ENABLED=0 GOOS=linux go build -a -ldflags '-extldflags "-static"' -o cosignwebhook | ||
|
|
||
| #FROM scratch | ||
| FROM alpine:latest | ||
| COPY --from=build-env /go/src/github.com/eumel8/cosignwebhook/cosignwebhook . | ||
| COPY --from=build-env /app . | ||
| COPY --from=build-env /etc/passwd /etc/passwd | ||
| USER webhook | ||
| ENTRYPOINT ["/cosignwebhook"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,23 +4,27 @@ Kubernetes Validation Admission Controller to verify Cosign Image signatures. | |
|
|
||
| <img src="cosignwebhook.png" alt="cosignwebhook" width="680"/> | ||
|
|
||
| Watch POD creating in deployments, looking for the first container image and a present RSA publik key to verify. | ||
| This webhook watches for pod creation in deployments and verifies the first container image it finds with an existing | ||
| RSA public key (if present). | ||
|
|
||
| # Installation with Helm | ||
|
|
||
| ```bash | ||
| helm -n cosignwebhook upgrade -i cosignwebhook oci://ghcr.io/eumel8/charts/cosignwebhook --versi | ||
| on 2.0.0 --create-namespace | ||
| on 3.0.0 --create-namespace | ||
| ``` | ||
|
|
||
| this installation has some advantages: | ||
|
|
||
| * auto generate TLS key pair | ||
| * setup ServiceMonitor and GrafanaDashboard | ||
| * automatic generation of TLS key pair | ||
| * automatic setup of ServiceMonitor and Grafana dashboards | ||
|
|
||
| If you use your own image, you'll have to sign it first. Don't forget to change the `cosign.scwebhook.key` value to your | ||
| public key, used to sign the image. | ||
|
|
||
| # Installation with manifest | ||
|
|
||
| As Cluster Admin create a namespace and install the Admission Controller: | ||
| As cluster admin, create a namespace and install the admission controller: | ||
|
|
||
| ```bash | ||
| kubectl create namespace cosignwebhook | ||
|
|
@@ -36,39 +40,64 @@ generate-certs.sh --service cosignwebhook --webhook cosignwebhook --namespace co | |
|
|
||
| # Usage | ||
|
|
||
| To use the webhook, you need to first sign your images with cosign, and then use **one** of the following validation | ||
| possibilities: | ||
|
|
||
| ## Public key as environment variable | ||
|
|
||
| Add your Cosign public key as env var in container spec of the first container: | ||
|
|
||
| ```yaml | ||
| env: | ||
| - name: COSIGNPUBKEY | ||
| value: | | ||
| - name: COSIGNPUBKEY | ||
| value: | | ||
| -----BEGIN PUBLIC KEY----- | ||
| MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEGOrnlJ1lFxAFTY2LF1vCuVHNZr9H | ||
| QryRDinn+JhPrDYR2wqCP+BUkeWja+RWrRdmskA0AffxBzaQrN/SwZI6fA== | ||
| -----END PUBLIC KEY----- | ||
| ``` | ||
| or create a secret and reference it in the deployment | ||
| ## Public key as secret reference | ||
| Instead of hardcoding the public key in the deployment, you can also use a secret reference. The key and the secret may | ||
| be named freely, as long as the secret contains a valid public key. | ||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| data: | ||
| COSIGNPUBKEY: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFS1BhWUhnZEVEQ3ltcGx5emlIdkJ5UjNxRkhZdgppaWxlMCtFMEtzVzFqWkhJa1p4UWN3aGsySjNqSm5VdTdmcjcrd05DeENkVEdYQmhBSTJveE1LbWx3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0tkind: Secret | ||
| COSIGNPUBKEY: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFS1BhWUhnZEVEQ3ltcGx5emlIdkJ5UjNxRkhZdgppaWxlMCtFMEtzVzFqWkhJa1p4UWN3aGsySjNqSm5VdTdmcjcrd05DeENkVEdYQmhBSTJveE1LbWx3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t | ||
| metadata: | ||
| name: cosignwebhook | ||
| type: Opaque | ||
| ``` | ||
| ```yaml | ||
| env: | ||
| - name: COSIGNPUBKEY | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: cosignwebhook | ||
| key: COSIGNPUBKEY | ||
| - name: COSIGNPUBKEY | ||
| valueFrom: | ||
| secretKeyRef: | ||
| name: cosignwebhook | ||
| key: COSIGNPUBKEY | ||
| ``` | ||
| Note: The secret MUST be named `cosignwebhook` and the data values MIST be names `COSIGNPUBKEY` | ||
| ## Public key as default secret for namespace | ||
| Create a default secret for all your images in a namespace, which the webhook will always search for, when validating | ||
| images in this namespace: | ||
| ```yaml | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| data: | ||
| COSIGNPUBKEY: LS0tLS1CRUdJTiBQVUJMSUMgS0VZLS0tLS0KTUZrd0V3WUhLb1pJemowQ0FRWUlLb1pJemowREFRY0RRZ0FFS1BhWUhnZEVEQ3ltcGx5emlIdkJ5UjNxRkhZdgppaWxlMCtFMEtzVzFqWkhJa1p4UWN3aGsySjNqSm5VdTdmcjcrd05DeENkVEdYQmhBSTJveE1LbWx3PT0KLS0tLS1FTkQgUFVCTElDIEtFWS0tLS0t | ||
| metadata: | ||
| name: cosignwebhook | ||
| type: Opaque | ||
| ``` | ||
| The name of the secret must be `cosignwebhook` and the key `COSIGNPUBKEY`. The value of `COSIGNPUBKEY` must match the | ||
| public key used to sign the image you're deploying. | ||
|
|
||
| # Test | ||
|
|
||
|
|
@@ -81,19 +110,21 @@ kubectl -n cosignwebhook apply -f manifests/demoapp.yaml | |
|
|
||
| # TODO | ||
|
|
||
| * Support private images [x] | ||
| * Support multiple container/keys | ||
| * [x] Support private images | ||
| * [x] Support multiple container/keys | ||
|
|
||
| ## local build | ||
| # Local build | ||
|
|
||
| ```bash | ||
| CGO_ENABLED=0 GOOS=linux go build -a -ldflags '-extldflags "-static"' -o cosignwebhook | ||
| ``` | ||
|
|
||
| ## Credits | ||
|
|
||
| Frank Kloeker [email protected] | ||
|
|
||
| Life is for sharing. If you have an issue with the code or want to improve it, feel free to open an issue or an pull request. | ||
| Life is for sharing. If you have an issue with the code or want to improve it, feel free to open an issue or an pull | ||
| request. | ||
|
|
||
| The Operator is inspired by [@pipo02mix](https://github.com/pipo02mix/grumpy), a good place | ||
| to learn fundamental things about Admission Controllert | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.