Sign Container Images with cosign and Verify signature by using Open Policy Agent (OPA)

Overview

Sign Container Images with cosign and Verify signature by using Open Policy Agent (OPA)

demo

In the beginning, I believe it is worth saying that this project is just a proof-of-concept project that shows people how they can use cosign and OPA (Open Policy Agent) together to implement the signing and verifying container image process together.

In most basic form, cosign is a container signing tool; it helps us to sign and verify container images by using the signature algorithm (ECDSA-P256) and payload format (Red Hat Simple Signing).

Dan Lorenc, who is one of the maintainers of the project, wrote an excellent article about what cosign is and the motivation behind it; you can follow the link to access it.

On the other hand side, the Open Policy Agent (OPA, pronounced "oh-pa") is an open-source, general-purpose policy engine that unifies policy enforcement across the stack. So, the motivation behind using this kind of policy engine is providing an easy way of enforcing organizational policies across the stack.

What is the motivation for combining both cosign and OPA?

Let's assume that we have to ensure only the images that have valid signatures can be deployed into production-grade Kubernetes clusters. So, to implement this kind of scenario is that we can use OPA's http.send built-in function to call some external service an HTTP server that exposes /verify endpoint and uses cosign under the hood to verify the signature of an image.

Tutorial

High-Level Overview

This is what we want to achieve at the end of the day:

Prerequisites

Demonstration

Create sample Rego Policy

  1. Define the package:
package signature
  1. Assign default value to the verified rule:
default verified = false
  1. Create the rule body:
verified {
    # read the `image` from the `input` that will be verified
    body := { "image": input.image }
    
    # hardcoded consts
    headers_json := { "Content-Type": "application/json" }
    cosignHTTPWrapperURL := "http://localhost:8080/verify"

    # send HTTP POST request to cosign-wrapper
    output := http.send({"method": "post", "url": cosignHTTPWrapperURL, "headers": headers_json, "body": body})
    
    # check if result verified
    output.body.verified
}

P.S: In this demo, we used the http, and ignored the authentication process. Better use the https.

Run the OPA Server with pre-loaded Rego policies

$ opa run --server rego

{"addrs":[":8181"],"diagnostic-addrs":[],"level":"info","msg":"Initializing server.","time":"2021-07-14T23:19:49+03:00"}

Generate Key-Pair using Cosign

$ cosign generate-key-pair

Test

input.json:

{ "input": { "image": "gcr.io/developerguy-311909/ubuntu:unsigned"} }
  • Test with unsigned image:
$ curl -X POST :8181/v1/data/signature/verified -H "Content-Type: application/json" -d "@input.json"
{"result":false}

# OPA Log
{"client_addr":"[::1]:62078","level":"info","msg":"Sent response.","req_id":2,"req_method":"POST","req_path":"/v1/data/signature/verified","resp_bytes":16,"resp_duration":2.107975,"resp_status":200,"time":"2021-07-14T23:22:47+03:00"}
  • Sign:
$ cosign sign -key cosign.key $IMAGE
Pushing signature to: ...
  • Test with signed image:
$ curl -X POST :8181/v1/data/signature/verified -H "Content-Type: application/json" -d "@input.json"
{"result":true}

Furthermore

You should notice that we worked on the local environment to make that happen; of course, there is an alternative way of implementing this kind of demonstration. You can do the same in the Kubernetes environment. To do that, you can use OPA Gatekeeper, which is a customizable AdmissionWebhook, instead of using just OPA in the bare minimum and running cosign-http-wrapper as a Pod.

Conclusion

You can implement a way of protecting Kubernetes clusters from an unsigned image by just using cosign and OPA seamlessly.

Owner
Batuhan Apaydın
I do mostly Go, Kubernetes, and cloud-native stuff ⛵️🐰🐳 CNCF Istanbul & Go Turkey Organizer 🧑🏻‍💻
Batuhan Apaydın
A curated list of awesome Kubernetes tools and resources.

Awesome Kubernetes Resources A curated list of awesome Kubernetes tools and resources. Inspired by awesome list and donnemartin/awesome-aws. The Fiery

Tom Huang 806 Jul 22, 2021
kubectl plugin for signing Kubernetes manifest YAML files with sigstore

k8s-manifest-sigstore kubectl plugin for signing Kubernetes manifest YAML files with sigstore ⚠️ Still under developement, not ready for production us

sigstore 9 Jul 14, 2021
GitHub中文排行榜,帮助你发现高分优秀中文项目、更高效地吸收国人的优秀经验成果;榜单每周更新一次,敬请关注!

榜单设立目的 ???? GitHub中文排行榜,帮助你发现高分优秀中文项目; 各位开发者伙伴可以更高效地吸收国人的优秀经验、成果; 中文项目只能满足阶段性的需求,想要有进一步提升,还请多花时间学习高分神级英文项目; 榜单设立范围 设立1个总榜(所有语言项目汇总排名)、18个分榜(单个语言项目排名);

kon9chunkit 36.7k Jul 25, 2021
A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Table of Contents Abstract Features Installation

Aqua Security 8k Jul 23, 2021
S3 Reverse Proxy with GET, PUT and DELETE methods and authentication (OpenID Connect and Basic Auth)

Menu Why ? Features Configuration Templates Open Policy Agent (OPA) API GET PUT DELETE AWS IAM Policy Grafana Dashboard Prometheus metrics Deployment

Havrileck Alexandre 51 Jul 20, 2021
Large-scale Kubernetes cluster diagnostic tool.

English | 简体中文 KubeProber What is KubeProber? KubeProber is a diagnostic tool designed for large-scale Kubernetes clusters. It is used to perform diag

Erda 18 Jul 20, 2021
Managing your Kubernetes clusters (including public, private, edge, etc) as easily as visiting the Internet

Clusternet Managing Your Clusters (including public, private, hybrid, edge, etc) as easily as Visiting the Internet. Clusternet (Cluster Internet) is

Clusternet 69 Jul 23, 2021
jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

Website • Getting Started Guide • Documentation • Blog • Twitter • Slack jsPolicy - Easier & Faster Kubernetes Policies using JavaScript or TypeScript

Loft Labs 31 Jul 23, 2021
The cortex-operator is a project to manage the lifecycle of Cortex in Kubernetes.

cortex-operator The cortex-operator is a project to manage the lifecycle of Cortex in Kubernetes. Project status: alpha Not all planned features are c

Opstrace inc. 21 Jul 22, 2021
Web user interface and service agent for the monitoring and remote management of WinAFL.

WinAFL Pet WinAFL Pet is a web user interface dedicated to WinAFL remote management via an agent running as a system service on fuzzing machines. The

Gabor Seljan 44 Jul 7, 2021
A template repository to quickly scaffold a Kubewarden policy written with Go language

go-policy-template This is a template repository that can be used to to quickly scaffold a Kubewarden policy written with Go language. Don't forget to

Kubewarden 5 Jul 22, 2021
A command line tool for validating Kubernetes configs with rego

ccheck ccheck is a command line application for writing tests against configuration files and data using the rego query language. It's intended purpos

Brendan Ryan 64 Feb 22, 2021
A Golang based high performance, scalable and distributed workflow framework

Go-Flow A Golang based high performance, scalable and distributed workflow framework It allows to programmatically author distributed workflow as Dire

Vanu 394 Jul 22, 2021
Hubble - Network, Service & Security Observability for Kubernetes using eBPF

Network, Service & Security Observability for Kubernetes What is Hubble? Getting Started Features Service Dependency Graph Metrics & Monitoring Flow V

Cilium 1.5k Jul 26, 2021