Sign Container Images with cosign and Verify signature by using Open Policy Agent (OPA)

Overview

Sign Container Images with cosign and Verify signature by using Open Policy Agent (OPA)

demo

In the beginning, I believe it is worth saying that this project is just a proof-of-concept project that shows people how they can use cosign and OPA (Open Policy Agent) together to implement the signing and verifying container image process together.

In most basic form, cosign is a container signing tool; it helps us to sign and verify container images by using the signature algorithm (ECDSA-P256) and payload format (Red Hat Simple Signing).

Dan Lorenc, who is one of the maintainers of the project, wrote an excellent article about what cosign is and the motivation behind it; you can follow the link to access it.

On the other hand side, the Open Policy Agent (OPA, pronounced "oh-pa") is an open-source, general-purpose policy engine that unifies policy enforcement across the stack. So, the motivation behind using this kind of policy engine is providing an easy way of enforcing organizational policies across the stack.

What is the motivation for combining both cosign and OPA?

Let's assume that we have to ensure only the images that have valid signatures can be deployed into production-grade Kubernetes clusters. So, to implement this kind of scenario is that we can use OPA's http.send built-in function to call some external service an HTTP server that exposes /verify endpoint and uses cosign under the hood to verify the signature of an image.

Tutorial

High-Level Overview

This is what we want to achieve at the end of the day:

Prerequisites

Demonstration

Create sample Rego Policy

  1. Define the package:
package signature
  1. Assign default value to the verified rule:
default verified = false
  1. Create the rule body:
verified {
    # read the `image` from the `input` that will be verified
    body := { "image": input.image }
    
    # hardcoded consts
    headers_json := { "Content-Type": "application/json" }
    cosignHTTPWrapperURL := "http://localhost:8080/verify"

    # send HTTP POST request to cosign-wrapper
    output := http.send({"method": "post", "url": cosignHTTPWrapperURL, "headers": headers_json, "body": body})
    
    # check if result verified
    output.body.verified
}

P.S: In this demo, we used the http, and ignored the authentication process. Better use the https.

Run the OPA Server with pre-loaded Rego policies

$ opa run --server rego

{"addrs":[":8181"],"diagnostic-addrs":[],"level":"info","msg":"Initializing server.","time":"2021-07-14T23:19:49+03:00"}

Generate Key-Pair using Cosign

$ cosign generate-key-pair

Test

input.json:

{ "input": { "image": "gcr.io/developerguy-311909/ubuntu:unsigned"} }
  • Test with unsigned image:
$ curl -X POST :8181/v1/data/signature/verified -H "Content-Type: application/json" -d "@input.json"
{"result":false}

# OPA Log
{"client_addr":"[::1]:62078","level":"info","msg":"Sent response.","req_id":2,"req_method":"POST","req_path":"/v1/data/signature/verified","resp_bytes":16,"resp_duration":2.107975,"resp_status":200,"time":"2021-07-14T23:22:47+03:00"}
  • Sign:
$ cosign sign -key cosign.key $IMAGE
Pushing signature to: ...
  • Test with signed image:
$ curl -X POST :8181/v1/data/signature/verified -H "Content-Type: application/json" -d "@input.json"
{"result":true}

Furthermore

You should notice that we worked on the local environment to make that happen; of course, there is an alternative way of implementing this kind of demonstration. You can do the same in the Kubernetes environment. To do that, you can use OPA Gatekeeper, which is a customizable AdmissionWebhook, instead of using just OPA in the bare minimum and running cosign-http-wrapper as a Pod.

Conclusion

You can implement a way of protecting Kubernetes clusters from an unsigned image by just using cosign and OPA seamlessly.

You might also like...
Integrated ssh-agent for windows. (pageant compatible. openSSH ssh-agent etc ..)
Integrated ssh-agent for windows. (pageant compatible. openSSH ssh-agent etc ..)

OmniSSHAgent About The chaotic windows ssh-agent has been integrated into one program. Chaos Map of SSH-Agent on Windows There are several different c

Hexa is the open-source, standards-based policy orchestration software for multi-cloud and hybrid businesses.

Hexa Policy Orchestrator Hexa is the open-source, standards-based policy orchestration software for multi-cloud and hybrid businesses. The Hexa projec

Amazon Elastic Container Service Agent
Amazon Elastic Container Service Agent

Amazon ECS Container Agent The Amazon ECS Container Agent is a component of Amazon Elastic Container Service (Amazon ECS) and is responsible for manag

signature-based file format identification
signature-based file format identification

Siegfried Siegfried is a signature-based file format identification tool, implementing: the National Archives UK's PRONOM file format signatures freed

An image server which automatically optimize non webp and avif images to webp and avif images

go-imageserver go-imageserver is an image server which automatically optimize no

A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI
A Simple and Comprehensive Vulnerability Scanner for Container Images, Git Repositories and Filesystems. Suitable for CI

A Simple and Comprehensive Vulnerability Scanner for Containers and other Artifacts, Suitable for CI. Table of Contents Abstract Features Installation

Cmsnr - cmsnr (pronounced "commissioner") is a lightweight framework for running OPA in a sidecar alongside your applications in Kubernetes.

cmsnr Description cmsnr (pronounced "commissioner") is a lightweight framework for running OPA in a sidecar alongside your applications in Kubernetes.

Generic inquiry tool to OPA server for CI process, such as GitHub Actions

opaq opaq is a generic inquiry tool to OPA server. A major purpose of this tool is for inquiry in GitHub Actions. Features Data formatting: OPA server

Comments
  • How to use this with Gatekeeper

    How to use this with Gatekeeper

    I'm wondering if I can use this with Gatekeeper and if any guidance could be provided to load this into gatekeeper.

    I'm very new to OPA and Gatekeeper, so that is the origin of this request.

    opened by marcofranssen 4
Owner
Batuhan Apaydın
I do mostly Go, Kubernetes, and cloud-native stuff ⛵️🐰🐳 CNCF Istanbul & Go Turkey Organizer 🧑🏻‍💻
Batuhan Apaydın
🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

cosign-gatekeeper-provider To integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying i

sigstore 47 Nov 7, 2022
runtime - an abstraction library on top of the Open Policy Agent (OPA)

runtime - an abstraction library on top of the Open Policy Agent (OPA) Introduction The "runtime" project is a library that sits on top of OPA. The go

 Aserto Inc 22 Nov 7, 2022
A plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension.

opa-lambda-extension-plugin A custom plugin for running Open Policy Agent (OPA) in AWS Lambda as a Lambda Extension. To learn more about how Lambda Ex

GoDaddy 24 Oct 11, 2022
Amazon ECS Container Agent: a component of Amazon Elastic Container Service

Amazon ECS Container Agent The Amazon ECS Container Agent is a component of Amazon Elastic Container Service (Amazon ECS) and is responsible for manag

null 0 Dec 28, 2021
Shoes-agent - Framework for myshoes provider using agent

shoes-agent Framework for myshoes provider using agent. agent: agent for shoes-a

Tachibana waita 2 Jan 8, 2022
Stream, Mutate and Sign Images with AWS Lambda and ECR

ocistow About How it works Try it yourself Prerequisites CLI (cmd/ocistow) Lambda (cmd/ocistow-lambda) Deploy Invoke Verify signatures with =cosign= I

Martin Baillie 17 May 12, 2022
Keyless Git signing with cosign!

THIS PROJECT HAS MOVED! See https://github.com/sigstore/gitsign ?? smimecosign Keyless Git signing with cosign! This is heavily inspired by https://gi

Billy Lynch 11 May 12, 2022
Boxygen is a container as code framework that allows you to build container images from code

Boxygen is a container as code framework that allows you to build container images from code, allowing integration of container image builds into other tooling such as servers or CLI tooling.

nitric 5 Dec 13, 2021
Vilicus is an open source tool that orchestrates security scans of container images(docker/oci) and centralizes all results into a database for further analysis and metrics.

Vilicus Table of Contents Overview How does it work? Architecture Development Run deployment manually Usage Example of analysis Overview Vilicus is an

Ederson Brilhante 79 Nov 17, 2022
Igo Agent is the agent of Igo, a command-line tool, through which you can quickly start Igo

igo agent 英文 | 中文 Igo Agent is the agent of Igo, a command-line tool, through which you can quickly start Igo, and other capabilities may be added lat

null 1 Dec 22, 2021