🔮 ✈️ to integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether the images are valid by verifying their signatures

Overview

cosign-gatekeeper-provider

To integrate OPA Gatekeeper's new ExternalData feature with cosign to determine whether images are valid by verifying their signatures

This repo is meant for testing the Gatekeeper external data feature. Do not use it in production.

Installation

  • Deploy Gatekeeper with external data enabled (--enable-external-data)
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
helm install gatekeeper/gatekeeper  \
    --name-template=gatekeeper \
    --namespace gatekeeper-system --create-namespace \
    --set enableExternalData=true \
    --set controllerManager.dnsPolicy=ClusterFirst,audit.dnsPolicy=ClusterFirst

Let's install the cosign-gatekeeper-provider:

kubectl apply -f manifest

  • kubectl apply -f manifest/provider.yaml

    • Update the url in provider.yaml if your provider is not reachable at http://cosign-gatekeeper-provider.cosign-gatekeeper-provider:8090 (the default)

  • kubectl apply -f policy/template.yaml

  • kubectl apply -f policy/constraint.yaml

Verification

To test this successfully, we should sign one of our images with the cosign tool. So, let's do this first:

Generate key pair

$ cosign generate-key-pair

We have two files under policy/examples: one is a valid manifest that references a signed image, the other is invalid because its image is unsigned. To reproduce this, sign your image as I did:

$ crane copy alpine:latest devopps/alpine:signed
$ crane copy alpine:3.14 devopps/alpine:unsigned
$ cosign sign --key cosign.key devopps/alpine:signed

So, once you are ready, let's apply these manifests one by one. Gatekeeper should allow the Pod in valid.yaml and deny the other one.
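To make the exchange behind the steps above concrete, here is an added example (not the project's own code) of the Gatekeeper external data protocol as a provider sees it: Gatekeeper POSTs a ProviderRequest whose keys are the image references collected by the ConstraintTemplate, and the provider answers one item per key, with either a value or a per-key error. The wire format (externaldata.gatekeeper.sh/v1alpha1, the /validate path) is assumed from Gatekeeper's external data docs at the time of this README; `AllowlistVerifier` is a constructed stand-in for cosign verification so the program runs offline; and `Deny` is an assumed rendering in Go of the fail-closed decision the template's Rego should make (any system error or any item error is a violation).

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Assumed wire format of Gatekeeper's external data protocol (v1alpha1).
const apiVersion = "externaldata.gatekeeper.sh/v1alpha1"

type ProviderRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    struct {
		Keys []string `json:"keys"`
	} `json:"request"`
}

type Item struct {
	Key   string `json:"key"`
	Value string `json:"value,omitempty"`
	Error string `json:"error,omitempty"`
}

type ProviderResponse struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Response   struct {
		Idempotent  bool   `json:"idempotent"`
		Items       []Item `json:"items"`
		SystemError string `json:"systemError,omitempty"`
	} `json:"response"`
}

// Verifier returns an error when no valid signature exists for the image.
// The real provider implements this with cosign and the cosign.pub key.
type Verifier func(image string) error

// AllowlistVerifier is a constructed stand-in for cosign verification:
// only references listed in `signed` count as verified.
func AllowlistVerifier(signed map[string]bool) Verifier {
	return func(image string) error {
		if signed[image] {
			return nil
		}
		return fmt.Errorf("no valid signature found for %s", image)
	}
}

// Evaluate runs the verifier over every key. A failed verification becomes a
// per-key error rather than a dropped item, so the policy can name the image.
func Evaluate(verify Verifier, keys []string) ProviderResponse {
	resp := ProviderResponse{APIVersion: apiVersion, Kind: "ProviderResponse"}
	resp.Response.Idempotent = true
	resp.Response.Items = make([]Item, 0, len(keys))
	for _, key := range keys {
		item := Item{Key: key, Value: key}
		if err := verify(key); err != nil {
			item = Item{Key: key, Error: err.Error()}
		}
		resp.Response.Items = append(resp.Response.Items, item)
	}
	return resp
}

// Deny mirrors the fail-closed decision the ConstraintTemplate should make:
// a system error or any per-key error is a violation (assumed, not the project's Rego).
func Deny(resp ProviderResponse) (bool, []string) {
	var reasons []string
	if resp.Response.SystemError != "" {
		reasons = append(reasons, "system error: "+resp.Response.SystemError)
	}
	for _, it := range resp.Response.Items {
		if it.Error != "" {
			reasons = append(reasons, it.Key+": "+it.Error)
		}
	}
	return len(reasons) > 0, reasons
}

// Handler serves the protocol over HTTP (the url in provider.yaml points here).
// A malformed request is reported as systemError so it never turns into an allow.
func Handler(verify Verifier) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var req ProviderRequest
		body, err := io.ReadAll(io.LimitReader(r.Body, 1<<20))
		resp := ProviderResponse{APIVersion: apiVersion, Kind: "ProviderResponse"}
		resp.Response.Idempotent = true
		if err != nil || json.Unmarshal(body, &req) != nil || req.Kind != "ProviderRequest" {
			resp.Response.SystemError = "malformed ProviderRequest"
		} else {
			resp = Evaluate(verify, req.Request.Keys)
		}
		w.Header().Set("Content-Type", "application/json")
		json.NewEncoder(w).Encode(resp)
	}
}

func main() {
	verify := AllowlistVerifier(map[string]bool{"devopps/alpine:signed": true})
	srv := httptest.NewServer(Handler(verify))
	defer srv.Close()
	// Constructed request of the shape Gatekeeper sends for a Pod with two containers.
	req := `{"apiVersion":"` + apiVersion + `","kind":"ProviderRequest",` +
		`"request":{"keys":["devopps/alpine:signed","devopps/alpine:unsigned"]}}`
	res, err := http.Post(srv.URL+"/validate", "application/json", strings.NewReader(req))
	if err != nil {
		panic(err)
	}
	defer res.Body.Close()
	var resp ProviderResponse
	if err := json.NewDecoder(res.Body).Decode(&resp); err != nil {
		panic(err)
	}
	denied, reasons := Deny(resp)
	fmt.Println("denied:", denied, reasons)
}
```

Running it shows the mixed Pod denied with a single reason naming devopps/alpine:unsigned; swap in the real cosign verification for `AllowlistVerifier` and the same handler shape serves the provider.yaml endpoint.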

Owner: sigstore