🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

Overview

cosign-gatekeeper-provider

To integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying its signatures

This repo is meant for testing Gatekeeper external data feature. Do not use for production.

Installation

  • Deploy Gatekeeper with external data enabled (--enable-external-data)
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper/gatekeeper  \
    --name-template=gatekeeper \
    --namespace gatekeeper-system --create-namespace \
    --set enableExternalData=true \
    --set controllerManager.dnsPolicy=ClusterFirst,audit.dnsPolicy=ClusterFirst

Let's install the cosign-gatekeeper-provider:

kubectl apply -f manifest

  • kubectl apply -f manifest/provider.yaml

    • Update url if it's not http://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090 (default)

  • kubectl apply -f policy/template.yaml

  • kubectl apply -f policy/constraint.yaml

Verification

To test this successfully, we should sign one of our images with cosign tool. So, let's do this first:

Generate key pair

$ cosign generate-key-pair

We have two files under policy/examples, one for valid manifest that contains signed image, the other is invalid. To do the same you should sign your image as I did:

$ crane copy alpine:latest devopps/alpine:signed
$ crane copy alpine:3.14 devopps/alpine:unsigned
$ cosign sign --key cosign.key devopps/signed:latest

So, once you are ready, let's apply these manifests one by one. It should allow deploying Pod for valid.yaml, and deny for the other one.

Comments
  • Security Policy violation Branch Protection

    Security Policy violation Branch Protection

    This issue was automatically created by Allstar.

    Security Policy Violation Dismiss stale reviews not configured for branch main


    This issue will auto resolve when the policy is in compliance.

    Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

    allstar 
    opened by allstar-app[bot] 14
  • Additional verification methods

    Additional verification methods

    Description

    Hi again! Thanks for the really awesome job you are doing!

    I'm looking into using this together with Azure Key Vault and Azure Container Registry. In my case, each namespace will have a separate key in Key Vault and the identity used by the provider will have verify access to each key.

    My idea is to add some config parameters to the provider to be able to configure how the verification is done and configured, but before starting anything I'd like to understand what plans you already have to make sure I align with them in the best possible way.

    Would you like some kind of formal proposal from me or something like that? Or maybe you don't want to provide those kinds of features with the provider and only use it as an example?

    Keep up the great work! 🚀👍🥇

    enhancement 
    opened by simongottschlag 5
  • add mage to run the build/test jobs and setup initial gh actions

    add mage to run the build/test jobs and setup initial gh actions

    Summary

    • fix go module name
    • add initial goreleaser (will add the sign and docker files)
    • setup mage to run the build/test commands
    • setup golangci-lint

    Ticket Link

    Fixes

    Release Note

    add mage to run the build/test jobs and setup initial gh actions 
    
    opened by cpanato 3
  • Fix link and formatting in README

    Fix link and formatting in README

    Summary

    Link was missing protocol, which led it to use this repo as base path for the link, rendering it invalid. kubectl command formatting to make it looks nicer.

    Ticket Link

    Fixes https://github.com/sigstore/cosign-gatekeeper-provider/issues/12

    Release Note

    NONE
    
    opened by Jonher937 0
  • Broken link in README

    Broken link in README

    Description The first cosign link in the README.md leads to: https://github.com/sigstore/cosign-gatekeeper-provider/blob/main/github.com/sigstore/cosign, however this is a 404.

    I assume the link should go to: https://github.com/sigstore/cosign ?

    enhancement 
    opened by Myothas 0
  • Verifying images using a generated public key

    Verifying images using a generated public key

    Description

    Hi!

    We'd like to have an opportunity to pass our own Cosign public key generated with cosign generate-key-pair to the provider. To use it the same way as 'cosign verify --key ...’

    Expectations:

    1. Generate a key pair using cosign generate-key-pair
    2. Sign an image
    3. Create a k8s secret/configmap for cosign.pub
    4. Pass the secret/configmap to cosign-gatekeeper-provider deployment
    5. Verify the images using the public key
    enhancement 
    opened by Anna-Katona 0
  • use panic-free logic

    use panic-free logic

    Signed-off-by: Furkan [email protected]

    Related issue: https://github.com/sigstore/cosign-gatekeeper-provider/issues/16 (This is not a fix PR)

    Bump cosign to use panic free fulcio during getting root certs: https://github.com/sigstore/cosign/pull/1965

    PTAL @developer-guy

    Summary

    Ticket Link

    Fixes

    Release Note

    * Bump cosign to v1.9.1
    * Use panic-free logic
    * Get root certs during initialization
    
    opened by Dentrax 1
  • Not able to verify container image in my k8s cluster

    Not able to verify container image in my k8s cluster

    Hi Team

    I would like to verify my container images before deploying to pod in my k8s cluster. I am trying to achieve this with cosign-gatekeeper-provider i.e https://github.com/sigstore/cosign-gatekeeper-provider I have signed the image using cosign but I am not able to verify images when I try to deploy pod using manifest in my cluster.

    I am getting following error:- error when creating “policy/examples/valid.yaml”: admission webhook “validation.gatekeeper.sh” denied the request: [cosign-gatekeeper-provider] invalid response: {“errors”: [], “responses”: [], “status_code”: 200, “system_error”: “VerifyImageSignatures: one of verifier or root certs is required”}

    I am able to verify container images using commands on my local command line i.e cosign verify .(But not inside k8s cluster). Looks like keys/cert information are not propagated to cluster

    Anything else you would like to add: I am not sure whether I should put this issue here or on cosign.

    Environment:

    Gatekeeper version:3.8.1

    bug 
    opened by mandeepgoyat 4
  • imagePullSecret support

    imagePullSecret support

    Looking at the examples, there is not imagePullSecret support currently? This is needed for things such as gitlab repo's where each project is protected.

    enhancement 
    opened by kfox1111 0
  • Cache KMS and registry credentials

    Cache KMS and registry credentials

    Description

    Right now, if I'm not mistaken, new credentials will be configured for each time we reach out to the KMS or registry.

    To make sure that we don't get rate limited, these credentials should be cached.

    enhancement 
    opened by simongottschlag 0
  • Cache for verification results

    Cache for verification results

    Description

    One issue that may arise as we start using this provider in production is that if the provider can't reach the registry or KMS it will fail. It would be like if we used imagePullPolicy: true.

    Results (at least successful) should be possible to cache and have a TTL.

    Maybe a CRD could be used to store the cache results as well?

    enhancement 
    opened by simongottschlag 0
Owner
Batuhan Apaydın
I do mostly #Go, #Kubernetes, and cloud-native stuff 🐱 🐳 ⛵️ Organizer at @goturkiye_ & Community Rel. at @devopstr 🧑🏻‍💻✍️
Batuhan Apaydın
go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data.

go-opa-validate go-opa-validate is an open-source lib that evaluates OPA (open policy agent) policy against JSON or YAML data. Installation Usage Cont

chenk 6 Nov 17, 2022
An easy-to-use XChaCha20-encryption wrapper for io.ReadWriteCloser (even lossy UDP) using ECDH key exchange algorithm, ED25519 signatures and Blake3+Poly1305 checksums/message-authentication for Go (golang). Also a multiplexer.

Quick start Prepare keys (on both sides): [ -f ~/.ssh/id_ed25519 ] && [ -f ~/.ssh/id_ed25519.pub ] || ssh-keygen -t ed25519 scp ~/.ssh/id_ed25519.pub

null 25 Nov 9, 2022
Go library to create/verify armored SSH signatures

Armored ssh signatures in go Package sshsig implements signing/verifying armored SSH signatures. You can use this package to sign data and verify sign

Wim 3 Sep 18, 2022
Redactionschemes - Golang Library for Redactable Signatures

Golang Library for Redactable Signatures ⚠️ WARNING ⚠️ THIS LIBRARY HAS NOT BEEN

null 1 Feb 17, 2022
mesh-kridik is an open-source security scanner that performs various security checks on a Kubernetes cluster with istio service mesh and is leveraged by OPA (Open Policy Agent) to enforce security rules.

mesh-kridik Enhance your Kubernetes service mesh security !! mesh-kridik is an open-source security scanner that performs various security checks on a

chenk 22 Aug 28, 2022
A RSA signing server model, allows to create valid signed certificates that cant be modified

Omega Description a RSA signing server model, allows to create valid signed certificates that cant be modified Requirements MySQL Server GoLang 1.17 I

null 0 Nov 15, 2021
Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.

Subfinder is a subdomain discovery tool that discovers valid subdomains for websites by using passive online sources. It has a simple modular architecture and is optimized for speed. subfinder is built for doing one thing only - passive subdomain enumeration, and it does that very well.

Trewis [work] Scotch 5 Sep 30, 2022
Naabu - a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner

Naabu is a port scanning tool written in Go that allows you to enumerate valid ports for hosts in a fast and reliable manner. It is a really simple tool that does fast SYN/CONNECT scans on the host/list of hosts and lists all ports that return a reply.

null 0 Jan 2, 2022
Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user.

Driftwood is a tool that can enable you to lookup whether a private key is used for things like TLS or as a GitHub SSH key for a user. Drift

Truffle Security 311 Nov 21, 2022
Tool to check whether one of your applications is affected by a vulnerability in log4j: CVE-2021-44228

log4shell.tools log4shell.tools is a tool allows you to run a test to check whether one of your applications is affected by a vulnerability in log4j:

Alexander Bakker 66 Nov 2, 2022
Integrate Snyk into Harbor

Harbor Snyk Scanner Harbor Snyk Scanner is a scanner adaptor for Harbor to integrate scan results from Snyk. The project is currently work in progress

Rico Berger 0 Sep 6, 2022
Friends don't let friends leak secrets on their terminal window

senv - safer env Friends don't let friends leak secrets in terminal windows. ?? Print your environment to the terminal without worry.

null 104 Oct 26, 2022
Gorsair hacks its way into remote docker containers that expose their APIs

Gorsair Gorsair is a penetration testing tool for discovering and remotely accessing Docker APIs from vulnerable Docker containers. Once it has access

Brendan Le Glaunec 773 Nov 22, 2022
Pokes users on Slack about outstanding risks found by Crowdstrike Spotlight or vmware Workspace ONE so they can secure their own endpoint.

?? security-slacker Pokes users on Slack about outstanding risks found by Crowdstrike Spotlight or vmware Workspace ONE so they can secure their own e

Niels Hofmans 20 Nov 9, 2022
set of web security test cases and a toolkit to construct new ones

Webseclab Webseclab contains a sample set of web security test cases and a toolkit to construct new ones. It can be used for testing security scanners

Yahoo 915 Nov 11, 2022
Manfred Touron 225 Nov 26, 2022
Libdns-exoscale - A template for developers to use when creating new libdns provider implementations

DEVELOPER INSTRUCTIONS: This repo is a template for developers to use when creat

Dieter Wimberger 0 Jan 18, 2022
FunctionStomping (using golang) : A new shellcode injection technique.

goFunctionStomping FunctionStomping using golang Description This is a brand-new technique for shellcode injection to evade AVs and EDRs. This techniq

3rsh1 61 Oct 12, 2022