kubectl plugin for signing Kubernetes manifest YAML files with sigstore

Overview

k8s-manifest-sigstore

kubectl plugin for signing Kubernetes manifest YAML files with sigstore

⚠️ Still under development, not ready for production use yet!

This kubectl subcommand plugin enables developers to sign k8s manifest YAML files and deployment teams to verify the authenticity of configurations. Beyond signing and verifying manifest files, the integrity of resources deployed from those manifests can be confirmed on a k8s cluster.

Installation

The plugin is a standalone executable file kubectl-sigstore.

To build this file, run the following.

git clone [email protected]:sigstore/k8s-manifest-sigstore.git
cd k8s-manifest-sigstore
make

You will find new file kubectl-sigstore.

To install the plugin, move this executable file to any location on your PATH.

Usage (bundle image on OCI registry)

Usage:
  kubectl sigstore [flags]
  kubectl sigstore [command]

Available Commands:
  apply-after-verify A command to apply Kubernetes YAML manifests only after verifying signature
  sign               A command to sign Kubernetes YAML manifests
  verify             A command to verify Kubernetes YAML manifests
  verify-resource    A command to verify Kubernetes manifests of resources on cluster

To use keyless signing, set the environment variable export COSIGN_EXPERIMENTAL=1

Sign k8s yaml manifest files as bundle OCI image

K8s YAML files are bundled as an image and pushed to an OCI registry, then the image is signed with cosign. By default, a reference to the bundle image is added to metadata.annotations in the manifest YAML.

kubectl sigstore sign -f foo.yaml --image bundle-bar:dev

Inserting the annotation can be disabled with the --annotation=false option. (If the annotation is not added, the --image option must be supplied when verifying the signature.)

kubectl sigstore sign -f foo.yaml --image bundle-bar:dev --annotation=false

Verify a k8s yaml manifest file

kubectl sigstore verify -f foo.yaml

An image reference can be supplied with a command option.

kubectl sigstore verify -f foo.yaml --image bundle-bar:dev

Create resource with a k8s yaml manifest file after verifying signature

kubectl sigstore apply-after-verify -f foo.yaml -n ns1

Verify a k8s yaml manifest of deployed resource with signature

kubectl sigstore verify-resource cm foo -n ns1

Commands

Usage:
  kubectl-sigstore sign -f <YAMLFILE> [-i <IMAGE>] [flags]

Flags:
  -a, --annotation              whether to update annotation and generate signed yaml file (default true)
  -f, --filename string         file name which will be signed (if dir, all YAMLs inside it will be signed)
  -h, --help                    help for sign
  -i, --image string            signed image name which bundles yaml files
  -k, --key string              path to your signing key (if empty, do key-less signing)
  -o, --output <input>.signed   output file name (if empty, use <input>.signed)
Usage:
  kubectl-sigstore verify -f <YAMLFILE> [-i <IMAGE>] [flags]

Flags:
  -f, --filename string   file name which will be signed (if dir, all YAMLs inside it will be signed)
  -h, --help              help for verify
  -i, --image string      signed image name which bundles yaml files
  -k, --key string        path to your signing key (if empty, do key-less signing)
Usage:
  kubectl-sigstore apply-after-verify -f <YAMLFILE> [-i <IMAGE>] [flags]

Flags:
  -f, --filename string   file name which will be signed (if dir, all YAMLs inside it will be signed)
  -h, --help              help for apply-after-verify
  -i, --image string      signed image name which bundles yaml files
  -k, --key string        path to your signing key (if empty, do key-less signing)
Usage:
  kubectl-sigstore verify-resource <options> [-i <IMAGE>] [flags]

options are the same as for "kubectl get"

Flags:
  -h, --help               help for verify-resource
  -i, --image string       signed image name which bundles yaml files
  -k, --key string         path to your signing key (if empty, do key-less signing)
  -n, --namespace string   namespace of specified resource

Security

Should you discover any security issues, please refer to sigstore's security process.

Info

k8s-manifest-sigstore is developed as part of the sigstore project.

We also use a slack channel! Click here for the invite link.

Issues
  • bump up cosign version to v1.5.1

    bump up cosign version to v1.5.1

    Signed-off-by: Naman Lakhwani [email protected]

    Summary

    • bump up cosign version to v1.5.1

    Additional context

    We were facing an issue while importing this pkg in kyverno: github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest

    error log:

    go: finding module for package github.com/sigstore/fulcio/pkg/client
    github.com/kyverno/kyverno/pkg/engine imports
            github.com/sigstore/k8s-manifest-sigstore/pkg/k8smanifest imports
            github.com/sigstore/k8s-manifest-sigstore/pkg/cosign imports
            github.com/sigstore/fulcio/pkg/client: package github.com/sigstore/fulcio/pkg/client provided by github.com/sigstore/fulcio at latest version v0.1.1 but not at required version v0.1.2-0.20220114150912-86a2036f9bc7
    
    opened by Namanl2001 11
  • Security Policy violation Branch Protection

    Security Policy violation Branch Protection

    This issue was automatically created by Allstar.

    Security Policy Violation
    • Dismiss stale reviews not configured for branch main
    • Block force push not configured for branch main


    This issue will auto resolve when the policy is in compliance.

    Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.

    allstar 
    opened by allstar-app[bot] 3
  • Bump github.com/sigstore/cosign from 1.5.1 to 1.5.2

    Bump github.com/sigstore/cosign from 1.5.1 to 1.5.2

    Bumps github.com/sigstore/cosign from 1.5.1 to 1.5.2.

    Release notes

    Sourced from github.com/sigstore/cosign's releases.

    v1.5.2 - CVE-2022-23649

    This release contains fixes for CVE-2022-23649, affecting signature validations with Rekor. Only validation is affected, it is not necessary to re-sign any artifacts. See: https://github.com/sigstore/cosign/security/advisories/GHSA-ccxc-vr6p-4858

    Changelog

    • 8ffcd12 Cherry-pick release notes for 1.5.1 and 1.5.2 (#1487)
    • c09e04a Cherry pick vulnerability PRs to release-1.5 (#1486)
    • 52164f2 cherry picks to release-1.5 branch (#1482)

    Thanks for all contributors!

    Changelog

    Sourced from github.com/sigstore/cosign's changelog.

    v1.5.2

    Security Fixes

    • CVE-2022-23649 - Make sure signature in Rekor bundle matches signature being verified

    Others

    Contributors

    Commits

    Dependabot compatibility score

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
    • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
    • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
    • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

    You can disable automated security fix PRs for this repo from the Security Alerts page.

    dependencies 
    opened by dependabot[bot] 3
  • Keyless signing does not provide input prompt in device mode

    Keyless signing does not provide input prompt in device mode

    Description

    I am trying to use the keyless signing flow for signing a YAML file, and the command exits without providing a prompt to input the code:

    I am using a windows / WSL2 environment and tried both windows and Linux:

    On Ubuntu:

    ❯ kubectl-sigstore sign -f ~/kyverno.yaml
    
    INFO[0001] Using payload from: /tmp/kubectl-sigstore-temp-dir2575530188/tmp-blob-file
    Generating ephemeral keys...
    Retrieving signed certificate...
    error opening browser: exec: "xdg-open": executable file not found in $PATH
    Go to the following link in a browser:
    
             https://oauth2.sigstore.dev/auth/auth?access_type=online&client_id=sigstore&code_challenge=HVOHq8qZZUA3gcaeJbmhaWt-UTuLUOI_g6zd_ASzr7c&code_challenge_method=S256&nonce=21Zmm4YNIusln2axEqbJC8Xnroo&redirect_uri=urn%3Aietf%3Awg%3Aoauth%3A2.0%3Aoob&response_type=code&scope=openid+email&state=21Zmm4hHlnSDYzg8uqvNFQUSJyd
    Enter verification code:
    FATA[0001] error occurred during signing: failed to sign the specified content: failed to sign a blob file: cosign.SignBlobCmd() returned an error: getting key from Fulcio: retrieving cert: oauth2: cannot fetch token: 400 Bad Request
    Response: {"error":"invalid_request","error_description":"Required param: code."}
    
    

    On Windows:

    λ kubectl-sigstore sign -f C:\tmp\kyverno\kyverno.yaml
    time="2021-11-27T18:11:19-08:00" level=info msg="Enter the verification code WNDB-WQTN in your browser at: https://oauth2.sigstore.dev/auth/device?user_code=WNDB-WQTN\nCode will be valid for 300 seconds\nUsing payload from: C:\\Users\\jim\\AppData\\Local\\Temp\\kubectl-sigstore-temp-dir635928500\\tmp-blob-file\nGenerating ephemeral keys...\nRetrieving signed certificate...\nNon-interactive mode detected, using device flow.\n"
    time="2021-11-27T18:11:19-08:00" level=fatal msg="error occurred during signing: failed to sign the specified content: failed to sign a blob file: cosign.SignBlobCmd() returned an error: getting key from Fulcio: retrieving cert: error obtaining token: expired_token"
    
    
    bug 
    opened by JimBugwadia 2
  • image annotations added for signing/verifying process

    image annotations added for signing/verifying process

    This PR aims to add support for the signing and verifying process with annotations.

    Notes for the reviewer:

    • We have one breaking change in this PR, we change the flag annotation to annotation-metadata.

    Screen Shot 2021-07-08 at 23 18 50

    opened by developer-guy 2
  • Add initial codes for kubectl signing plugins (#1)

    Add initial codes for kubectl signing plugins (#1)

    Signed-off-by: Yuji Watanabe [email protected] Co-authored-by: Hirokuni-Kitahara1 [email protected]

    This is PR to add initial codes to the repository.

    Issue => https://github.com/sigstore/k8s-manifest-sigstore/issues/3

    opened by yuji-watanabe-jp 2
  • fix compression codes so that it can generate consistent message for the identical input

    fix compression codes so that it can generate consistent message for the identical input

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    • fix compression codes so that it can generate consistent message when the same YAML manifest is signed multiple times
    • add test case for checking the message consistency
    opened by hirokuni-kitahara 1
  • Switch DSSE provider to go-securesystemslib

    Switch DSSE provider to go-securesystemslib

    Summary

    Switches from using github.com/in-toto/in-toto-golang/pkg/ssl to github.com/secure-systems-lab/go-securesystemslib/dsse.

    Ticket Link

    N/A. See: https://github.com/in-toto/in-toto-golang/pull/122

    Release Note

    Uses new provider for DSSE.
    
    opened by adityasaky 1
  • update content based manifest search

    update content based manifest search

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    • update content based manifest search method
    • update verify functions so that it could handle multiple candidate manifests
    • add a config option for the maximum number of candidates
    opened by hirokuni-kitahara 1
  • Extend verify-resource sub-command

    Extend verify-resource sub-command

    Description

    This issue is the proposal to extend verify-resource subcommand to allow the following features.

    verify-resource subcommand allows user to inspect resources according to the sigstore signing.

    • k8s manifest file is used to deploy resources onto cluster by using kubectl. Many k8s apps are using this installation pattern today.
    • k8s manifest file is uploaded as bundle image to OCI registry, and signed by using cosign sign.
    • Later, user want to verify if the current state of resources are not tampered (unchanged from the state defined in the signed k8s manifest file).

    In this verification, signed manifest is specified in metadata annotation of each resources, or command option explicitly. If the resource is not changed from the signed manifest, it is reported as valid.

    Two usage patterns of this sub-command.

    1. A user specifies the resources by command options and checks if they are not changed from signed manifest. (signed manifest specified in metadata annotation is used in this case.)
    kubectl sigstore verify-resource cm -n myapp
    

    Resources can be specified by manifest.

    kubectl get deploy -n myapp | kubectl sigstore verify-resource -f -
    
    2. A user specifies the signed manifest and verifies if the resources deployed from the manifest is not changed from the signed state
    # build manifest
    kustomize build ~/myapp > manifest.yaml
    
    # sign manifest
    kubectl sigstore sign manifest.yaml -i manifest-bundle:dev
    
    # deploy application
    kubectl apply -n myapp -f manifest.yaml
    
    # verify application with signed manifest
    kubectl sigstore verify-resource -n myapp -i manifest-bundle:dev
    

    Features to be extended

    • [x] allow user to specify resources by file
    • [x] allow user to specify resources by bundle image
    • [x] support both keyless and keyed signing
    • [x] output format (pretty, json, yaml)
    • [x] allow to specify configuration to skip check

    Expected

    Usage:
      kubectl sigstore verify-resource (RESOURCE/NAME | -f FILENAME | -i IMAGE) [options]
    
    Flags:
      -c, --config string                  path to verification config YAML file (for advanced verification)
      -f, --filename string                manifest filename
      -i, --image string                   a comma-separated list of signed image names that contains YAML manifests
      -k, --key string                     path to your signing key (if empty, do key-less signing)
      -n, --namespace string               If present, the namespace scope for this CLI request
      -o, --output string                  output format string, either "json" or "yaml" (if empty, a result is shown as a table)
    
    enhancement 
    opened by yuji-watanabe-jp 1
  • support pattern based multiple resource specification in verify-resource command

    support pattern based multiple resource specification in verify-resource command

    Signed-off-by: Hirokuni-Kitahara1 [email protected]

    This PR is to enable pattern based multi resource specification in kubectl sigstore verify-resource command. Users will be able to specify multiple resources on cluster as exactly same as kubectl get command.

    The corresponding issue: https://github.com/sigstore/k8s-manifest-sigstore/issues/5

    enhancement 
    opened by hirokuni-kitahara 1
  • Go install doesn't work due to checksum mismatch

    Go install doesn't work due to checksum mismatch

    Description

    The latest go install isn't working due to a checksum mismatch. It should be able to install using @latest tag.
    go version go1.17.2 darwin/amd64
    
    ...
    
    go install github.com/sigstore/k8s-manifest-sigstore/cmd/[email protected]
    
    go: downloading github.com/sigstore/k8s-manifest-sigstore v0.1.0
    go install: github.com/sigstore/k8s-manifest-sigstore/cmd/[email protected]: github.com/sigstore/[email protected]: verifying module: checksum mismatch
    	downloaded: h1:hEGzVLLm5wdwrxkThgo1VKEE6JH68OKz+gXKQN9eQl8=
    	sum.golang.org: h1:NKVclDH/UFHBSYPVvgKbOwLLi8WTjvtiHOW8vY+E9kg=
    
    SECURITY ERROR
    This download does NOT match the one reported by the checksum server.
    The bits may have been replaced on the origin server, or an attacker may
    have intercepted the download attempt.
    
    bug 
    opened by jonahjon 1
  • Double gzip of message (which seems unnecessary?)

    Double gzip of message (which seems unnecessary?)

    "cosign.sigstore.dev/message" annotation is double gzipped:

    $ kubectl sigstore sign -f configmap.yaml -k cosign.key
    Enter password for private key: INFO[0001] 0D )2kQ????GoJ? ?\-nwY?g(RUsing payload from: /tmp/kubectl-sigstore-temp-dir3932530381/tmp-blob-file
    INFO[0001] signed manifest generated at configmap.yaml.signed
    
    
    $ cat configmap.yaml.signed
    apiVersion: v1
    data:
      game.properties: "enemy.types=aliens,monsters\nplayer.maximum-lives=5    \n"
      player_initial_lives: "3"
      ui_properties_file_name: user-interface.properties
      user-interface.properties: "color.good=purple\ncolor.bad=yellow\nallow.textmode=true
        \   \n"
    kind: ConfigMap
    metadata:
      annotations:
        cosign.sigstore.dev/message: H4sIAAAAAAAA/wCoAVf+H4sIAAAAAAAA/+yUT4ucTBDGPfspijm/Oq3t6LyCp1xyCeSU04BUxhop0v/objdjQr57cCbLJoEhy4ZssuDvUlIPWo9FP72N2m2PVjtPIbAZs4g+Gz/VxV5KUe3327d4fk04kA+52B6tOfG
    o0eUzapU8EnHlVhWiKh+el34pKtEkcH7sgN9hChF9IsRzzPoHKRoYeehqIcpa7AqZFg1MS0M2/5elrGX6tx2u/El+mf+nRf4HllDXVXUz/7uyToqqqKQUshFVIsqiqKsEniWT9/lXduKBUT/1Oz//3AsBHb8jH9iaFu6KdMCIbQowoqbceevIR6bQwoYM6TmPs6P
    QoWIy4T9tTYjkw8E4hTP5XOOZ9aQzxXcUuh0AwMFsUoCr3rPhyKj6i97CRi7axP3DoP7EinqDmlqYAvmMTSR/wuP3bpaXbmktbI5WWZ+P1g6dm7xTdDDX1nscupmUsh8PBpeSRzpHbQfqop8ovfj95vkDm6GFV5fD/wZdqini/XLQGBsxsjWhhc9fUoCr4WVp2UD
    arnfmysrKC+BrAAAA//9dtdDzAAwAAAEAAP//Q7giKagBAAA=
        cosign.sigstore.dev/signature: MEQCICkya4hRxbvCucT8qxmB3bW916f8R9ZvSoUPngbflpnaAiAf1qT84B9cov2c6xAtvW649NZ3WcWZrhNnf7PcKOdS2w==
      name: game-demo
    
    
    $ < configmap.yaml.signed yq -rc '.metadata.annotations."cosign.sigstore.dev/message"' | base64 -d | gunzip -c -
    OL=)9:\r        T)n7cB{p&&!?lRRZE?mV;O!>^JQx~M893j<qV*~)*$p~a
    }"s)yj!Z
    LKC6eI~EPUu3NU"?%WvQ?;?
                           #?tm
    0yG
       9?b2?mM83\3wlR?F.??zZM$nni-lVYSt0{G:Gm?(W])[email protected]?w
                                                           k]
                                                             
    
    
    $ < configmap.yaml.signed yq -rc '.metadata.annotations."cosign.sigstore.dev/message"' | base64 -d | gunzip -c - | gunzip -c -
    /tmp/compressing-tar-gz618330488/PaxHeaders.0/configmap.yaml0000000000000000000000000000004200000000000020407 xustar0017 gid=600260513
    17 uid=637922363
    /tmp/compressing-tar-gz618330488/configmap.yaml0000644000000000000000000000052614143303704021164 0ustar00user00000000000000apiVersion: v1
    data:
      game.properties: "enemy.types=aliens,monsters\nplayer.maximum-lives=5    \n"
      player_initial_lives: "3"
      ui_properties_file_name: user-interface.properties
      user-interface.properties: "color.good=purple\ncolor.bad=yellow\nallow.textmode=true
        \   \n"
    kind: ConfigMap
    metadata:
      annotations: {}
      name: game-demo
    
    question 
    opened by lewisdiamond 1
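The issue above shows the cosign.sigstore.dev/message annotation being base64 text around a gzip stream that itself contains a second gzip stream wrapping a tar archive. The following is an added example, not code from the plugin or from the issue author: it re-creates that encoding for a constructed ConfigMap and then decodes it with a loop that peels gzip layers for as long as the gzip magic bytes are present, so the same decoder reads both the single- and the double-gzipped form. The sample manifest, the member file name and the mtime=0 choice are all assumptions of this example.

```python
import base64
import gzip
import io
import tarfile

GZIP_MAGIC = b"\x1f\x8b"

# Constructed sample manifest; it stands in for the configmap.yaml in the issue above.
SAMPLE_MANIFEST = """apiVersion: v1
kind: ConfigMap
metadata:
  name: game-demo
  annotations: {}
data:
  player_initial_lives: "3"
"""


def build_message_annotation(manifest_yaml, filename="configmap.yaml", gzip_layers=2):
    """Re-create the observed encoding: tar -> gzip (repeated) -> base64.

    mtime=0 on every gzip layer and the default zero mtime in TarInfo keep the
    output byte-identical across runs, which is what a consistent message needs.
    """
    data = manifest_yaml.encode()
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tar:
        info = tarfile.TarInfo(name=filename)
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
    payload = tar_buf.getvalue()
    for _ in range(gzip_layers):
        payload = gzip.compress(payload, mtime=0)
    return base64.b64encode(payload).decode()


def decode_message_annotation(message):
    """Peel every gzip layer present, then unpack the tar archive.

    Returns (number_of_gzip_layers, {member name: file content}). Stopping on the
    gzip magic rather than assuming one layer is what makes this decoder work on
    both the single- and the double-gzipped form seen in the issue.
    """
    payload = base64.b64decode(message)
    layers = 0
    while payload[:2] == GZIP_MAGIC:
        payload = gzip.decompress(payload)
        layers += 1
    members = {}
    with tarfile.open(fileobj=io.BytesIO(payload), mode="r:") as tar:
        for member in tar.getmembers():
            if member.isfile():
                members[member.name] = tar.extractfile(member).read().decode()
    return layers, members


if __name__ == "__main__":
    annotation = build_message_annotation(SAMPLE_MANIFEST)
    layers, files = decode_message_annotation(annotation)
    print(f"gzip layers: {layers}")
    for name, content in files.items():
        print(f"--- {name} ---\n{content}")
```

The layer count is returned rather than hidden so a reviewer can spot the double compression directly; the fixed gzip mtime also illustrates why the earlier "consistent message for identical input" fix matters, since a timestamp inside the gzip header would otherwise change the annotation on every signing run.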
  • Enable manifest build provenance

    Enable manifest build provenance

    Description

    In kubectl sigstore verify-resource subcommand (see #13), a user specifies the signed manifest and verifies if the resources deployed from the manifest are not changed from the signed state.

    # build manifest
    kustomize build ~/myapp > manifest.yaml
    
    # sign manifest
    kubectl sigstore sign manifest.yaml -i manifest-bundle:dev
    
    # deploy application
    kubectl apply -n myapp -f manifest.yaml
    
    # verify application with signed manifest
    kubectl sigstore verify-resource -n myapp -i manifest-bundle:dev
    

    However, all the details below for building manifest are not in the generated manifest itself.

    • which source files are used for building manifests.
    • who ran the build command
    • what command is executed (for reproducibility)

    The goal of this issue is to allow a user to track how the manifest is built.

    This issue is the proposal to extend kubectl sigstore subcommands to allow the following features.

    1. manifest-build sub command

    • build manifest with template engine (e.g. kustomize)
    • generate provenance data in intoto attestation format, which includes source materials (file hash or git url, commit, etc.) and built manifest
    • push provenance data to Rekor

    2. verify-resource sub command (extension to #13)

    • verify-resource command allows us to verify if the current state of resources are not tampered (unchanged from the state defined in the signed k8s manifest file).
    • New support of option --provenance option allows us to get provenance records of signed manifest for the k8s resources on cluster. The provenance explains how the manifest was built from the source files.

    Implementation

    • In manifest-build subcommand, all the source files used for building manifest are included in provenance.yaml file in in-toto format. kustomize template files could refer to the multiple git repositories during manifest build. For identifying all the source files, git repositories specified in kustomization.yaml files are traversed recursively.

    • provenance record is available in Rekor with hash value for the manifest image. So, the verify-resource subcommand with --provenance option gets a provenance record for the manifest image used for verifying a resource on a cluster.

    Usage scenario

    Let's walk through the usage scenario below to explain how the proposed sub-commands (manifest-build, verify-resource) work. Sample app is borrowed from here.

    .
    ├── README.md
    ├── configMap.yaml
    ├── deployment.yaml
    ├── kustomization.yaml
    └── service.yaml
    
    # Build manifest with provenance
    $ kubectl sigstore manifest-build --kustomize -dir . --provenance provenace.json -i gcr.io/fifth-moment-319802/sample-manifest:dev > manifest.yaml
    $ cat manifest.yaml | grep -E "^kind:"
    kind: ConfigMap
    kind: Service
    kind: Deployment
    
    # Sign manifest.yaml
    $ cosign sign -key cosign.key gcr.io//sample-manifest:dev
    
    # Upload provenance record to Rekor
    $ rekor-cli upload --artifact ./provenance.json --public-key cosign.pub --type intoto --pki-format x509
    
    # deploy app
    $ kubectl apply -f manifest.yaml -n default
    
    # verify resources on cluster
    $ kubectl sigstore verify-resource -n default -i gcr.io/fifth-moment-319802/sample-manifest:dev -k cosign.pub --provenance
    
    [SUMMARY]
    TOTAL   VALID   INVALID
    3       3       0
    
    [MANIFESTS]
    NAME                                            SIGNED   SIGNER   ATTESTATION   SBOM
    gcr.io/fifth-moment-319802/sample-manifest:dev   true     N/A      found         -
    
    [RESOURCES]
    KIND         NAME             VALID
    ConfigMap    the-map          true
    Service      the-service      true
    Deployment   the-deployment   true
    
    [RESOURCES - PODS/CONTAINERS]
    POD                               CONTAINER       IMAGE ID                                                                                           ATTESTATION   SBOM
    the-deployment-75b9678fbb-5ztp7   the-container   docker.io/monopole/[email protected]:c8273383d314bfb945f5a879559599990f055da92ee078bf0f960e006c8ebe8b   -             -
    the-deployment-75b9678fbb-7zlzv   the-container   docker.io/monopole/[email protected]:c8273383d314bfb945f5a879559599990f055da92ee078bf0f960e006c8ebe8b   -             -
    the-deployment-75b9678fbb-jqd55   the-container   docker.io/monopole/[email protected]:c8273383d314bfb945f5a879559599990f055da92ee078bf0f960e006c8ebe8b   -             -
    
    [PROVENANCES - ATTESTATIONS]
    ARTIFACT           gcr.io/fifth-moment-319802/sample-manifest:dev
    MATERIALS   URI    kustomization.yaml
                HASH   7f9567086eb86f1778a2dee77d9c70d0399de59a9df5d5828547e20532279ec6
                URI    deployment.yaml
                HASH   d9501d2adfaa48d9f9f94fbac0ed24074fbf311cd7d16d1920bdac259e01ae20
                URI    service.yaml
                HASH   8793d287579a9ed1590c41c600c60fa634d205523b56860425f38102a00e12fb
                URI    configMap.yaml
                HASH   78d9149b6e67fdcdf395069f8497cab474c95033a5733beddda7858e6b9dbd24
    
    enhancement 
    opened by yuji-watanabe-jp 1
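The proposal above records each source material as a URI plus a hash and ties the record to the built manifest. As an added example (not the plugin's manifest-build implementation and not the issue author's code), the block below produces such a record as an in-toto Statement carrying a SLSA v0.1 provenance predicate, and then re-checks a local source tree against it. The source tree, the rendered manifest, the builder id, the recipe type URI and the image reference are constructed placeholders for this example.

```python
import hashlib
import json

# Constructed kustomize source tree, standing in for the sample app directory in the issue.
SOURCE_FILES = {
    "kustomization.yaml": "resources:\n- configMap.yaml\n- deployment.yaml\n- service.yaml\n",
    "configMap.yaml": "apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: the-map\n",
    "deployment.yaml": "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: the-deployment\n",
    "service.yaml": "apiVersion: v1\nkind: Service\nmetadata:\n  name: the-service\n",
}
# Normally the output of `kustomize build`; here a constructed stand-in.
BUILT_MANIFEST = "".join(
    SOURCE_FILES[n] + "---\n" for n in ("configMap.yaml", "service.yaml", "deployment.yaml")
)

STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V01 = "https://slsa.dev/provenance/v0.1"


def sha256_hex(data):
    return hashlib.sha256(data.encode() if isinstance(data, str) else data).hexdigest()


def build_provenance(subject_name, manifest, sources, builder_id, entry_point):
    """Return an in-toto Statement whose predicate lists every source material."""
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": subject_name, "digest": {"sha256": sha256_hex(manifest)}}],
        "predicateType": SLSA_PROVENANCE_V01,
        "predicate": {
            "builder": {"id": builder_id},
            "recipe": {
                # recipe.type is a constructed URI for this example
                "type": "https://example.invalid/kustomize-build",
                "entryPoint": entry_point,
            },
            "materials": [
                {"uri": name, "digest": {"sha256": sha256_hex(content)}}
                for name, content in sorted(sources.items())
            ],
        },
    }


def check_materials(statement, sources):
    """Re-hash local sources against the statement; return the URIs that disagree.

    A material missing locally, or whose hash differs, is reported; the list is
    empty only when every recorded material is reproduced exactly.
    """
    mismatched = []
    for material in statement["predicate"]["materials"]:
        uri = material["uri"]
        local = sources.get(uri)
        if local is None or sha256_hex(local) != material["digest"]["sha256"]:
            mismatched.append(uri)
    return mismatched


def check_subject(statement, manifest):
    """True when the rendered manifest is the artifact the statement describes."""
    digest = sha256_hex(manifest)
    return any(s["digest"]["sha256"] == digest for s in statement["subject"])


if __name__ == "__main__":
    stmt = build_provenance(
        "registry.example.invalid/sample-manifest:dev",  # placeholder image reference
        BUILT_MANIFEST,
        SOURCE_FILES,
        builder_id="https://example.invalid/builder/manifest-build",  # placeholder
        entry_point="kustomize build .",
    )
    print(json.dumps(stmt, indent=2))
    print("materials mismatched:", check_materials(stmt, SOURCE_FILES))
```

The statement is the unsigned payload; in the flow described in the issue it would be wrapped in a DSSE envelope, signed, and uploaded to Rekor, which is where the verifier later fetches it from. Keeping the hash check separate from the signature check makes it clear that a valid signature only proves who produced the record, while check_materials proves that the sources in front of you are the ones that record describes.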
Releases(v0.3.0)
  • v0.3.0(Jun 10, 2022)

    Features

    • Verification features are all "read-only" in this version!
      • k8s-manifest-sigstore does not create/update/delete any files, including temporary files, during verification.
      • This allows some external projects to implement verify-resource in a read-only container or in some least privileged environment.
    • Support multiple ways to input public key
      • Public key in a Kubernetes secret can be input with k8s://SECRET_NAMESPACE/SECRET_NAME.
      • PEM string of a public key in an environment variable can be input with env://ENV_VAR_NAME.
    • Prepare an example code to use verify-resource with a custom configuration in your project
      • Add an example code for developers to know how to implement verify-resource with a custom configuration in their go project.
    • Support multiple signatures for verification
      • multiple signatures can be specified in AnnotationConfig for verification functions both from CLI and from codes.
      • when multiple ones are specified, verification passes if at least one signature is successfully verified.
    • Enhance manifest matching in "verify-resource"
      • Add a new CheckMutatingResource option to verify a resource which is possibly mutated by multiple webhooks.
      • Add a new DisableDryRun option to disable dry run during verify-resource.
    • Update cosign version to v1.8.0

    A detailed description of this release is here.

    Contributors

    • Hiro Kitahara
    • Naman Lakhwani

    Thank you for all contributors!

    Changelog

    • 7f1b707 support multiple signatures for verification (#77)
    • 23559de update release note for v0.3.0 (#76)
    • 3d9f86c support public key from environment variable as cosign does (#75)
    • 61bc186 add DisableDryRun option for VerifyResource (#74)
    • f86f7f0 fix typo (#71)
    • f31cea5 add example usage of k8smanifest.VerifyResource() with a custom configuration (#73)
    • 5fdcfc7 bump cosign version to v1.8.0 (#72)
    • 1c9e624 support image canonicalization for admission verification (#69)
    • a4fd8cf support verification for multiple mutating webhooks (#68)
    • adfc287 enable direct manifest match by namespace pattern check (#67)
    • ed26e30 fix armored gpg public key issue (#66)
    • ad885d6 support public key in a kubernetes secret for all signature types (#65)
    • fb9f640 support all cosign keyRef types (#64)
    • 02581ee enable verification on read-only filesystem (#63)
    • bee9ea0 bump up cosign version to v1.5.2 (#62)
    • 7d66327 bump up cosign version to v1.5.1 (#59)
    • a39c4d3 fix keyed verification issue when experimental enabled (#58)
    • 78aa677 bump up cosign version to v1.4.1 (#57)
    • 5661e6f fix blob signing issue on wsl2 (#55)
    • 04091c4 fix issue in signing for concatenated YAML manifests (#54)
    • f46d6c8 bump up cosign to v1.3.1 (#52)
    Source code(tar.gz)
    Source code(zip)
    k8s-manifest-sigstore_checksums.txt(388 bytes)
    kubectl-sigstore-darwin-amd64(83.40 MB)
    kubectl-sigstore-darwin-arm64(86.06 MB)
    kubectl-sigstore-linux-amd64(84.09 MB)
    kubectl-sigstore-windows-amd64.exe(83.78 MB)
  • v0.1.0(Oct 7, 2021)

    This is the first release of the project!

    A description of this release is here.

    Features

    • Easy use as a kubectl subcommand plugin
      • Users can install it easily by go install command. (installation)
      • Once installed, users can use it by a simple command like kubectl sigstore sign -f xxxxxx.yaml .
    • Signing Kubernetes YAML manifest specification
      • Sign "specification" of Kubernetes YAML manifests. A generated signature is composed of an encoded YAML manifest, signature payload and some other data. This encoded manifest is compared to a target manifest for equivalence checking at the time of verification.
      • There are 2 options how to store a generated signature.
        1. self-contained ... Embed signature into YAML manifests.
        2. external store ... Upload manifest & signature to OCI registry (= upload manifest bundle image). There is no need to change YAMLs in this case.
    • Verifying YAML manifests specification
      • Verify a local YAML manifest file by checking YAML specification as described above. If signature is not provided or if the manifest specification has been changed after signing, the verification fails.
    • Verifying Kubernetes resources that exist on a cluster
      • Kubernetes resources on a cluster can be verified with signature which is generated against YAML manifests.
      • There are 2 ways to specify resources.
        • Use the same arguments as kubectl get. For example, kubectl sigstore verify-resource cm -n default sample-cm.
        • By specifying manifest bundle image in OCI registry, it automatically selects the target resources. For example, kubectl sigstore verify-resource -n default -i sample-registry/sample-cm-manifest:dev.
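The equivalence check described above compares the manifest encoded in the signature with what is actually on the cluster, which only works if the fields the API server adds on its own (and the tool's own annotations) are left out of the comparison; the changelog refers to these as "known k8s ignore fields". The block below is an added example of that comparison, not the plugin's VerifyResource code: the ignore list is an assumption of this example, the annotation keys are the ones visible in the issue output on this page, and the sample resources are constructed. The plugin's real matching is more elaborate (dry run, mutating webhooks) than what is shown here.

```python
import copy

# Server-populated fields that never appear in a signed manifest but always appear
# on a deployed resource. Constructed for this example; the plugin keeps its own list.
SERVER_SIDE_FIELDS = (
    ("metadata", "uid"),
    ("metadata", "resourceVersion"),
    ("metadata", "creationTimestamp"),
    ("metadata", "generation"),
    ("metadata", "managedFields"),
    ("status",),
)

# Annotations written by the signing tool (keys as in the issue output on this page)
# and by kubectl apply itself; neither can be part of the signed content.
IGNORED_ANNOTATIONS = (
    "cosign.sigstore.dev/message",
    "cosign.sigstore.dev/signature",
    "kubectl.kubernetes.io/last-applied-configuration",
)


def _delete_path(obj, path):
    """Remove a nested key if present; missing intermediate keys are ignored."""
    for key in path[:-1]:
        obj = obj.get(key)
        if not isinstance(obj, dict):
            return
    obj.pop(path[-1], None)


def canonicalize(resource):
    """Return a copy with server-side fields and tool annotations stripped."""
    r = copy.deepcopy(resource)
    for path in SERVER_SIDE_FIELDS:
        _delete_path(r, path)
    metadata = r.get("metadata", {})
    annotations = metadata.get("annotations")
    if isinstance(annotations, dict):
        for key in IGNORED_ANNOTATIONS:
            annotations.pop(key, None)
        if not annotations:  # "annotations: {}" and an absent key compare equal
            metadata.pop("annotations")
    return r


def diff_paths(expected, actual, prefix=""):
    """List dotted paths at which two canonical documents differ."""
    if isinstance(expected, dict) and isinstance(actual, dict):
        out = []
        for key in sorted(set(expected) | set(actual)):
            path = f"{prefix}.{key}" if prefix else key
            if key not in expected or key not in actual:
                out.append(path)
            else:
                out.extend(diff_paths(expected[key], actual[key], path))
        return out
    if isinstance(expected, list) and isinstance(actual, list) and len(expected) == len(actual):
        out = []
        for i, (e, a) in enumerate(zip(expected, actual)):
            out.extend(diff_paths(e, a, f"{prefix}[{i}]"))
        return out
    return [] if expected == actual else [prefix]


def matches_signed_manifest(signed_manifest, deployed_resource):
    """Return (is_valid, changed_paths) for one deployed resource."""
    changed = diff_paths(canonicalize(signed_manifest), canonicalize(deployed_resource))
    return (not changed), changed


# Constructed sample: the manifest as signed, with the tool's annotations embedded
# (values elided; they play no role in the spec comparison).
SIGNED_MANIFEST = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {
        "name": "game-demo",
        "namespace": "ns1",
        "annotations": {
            "cosign.sigstore.dev/message": "<base64 message, elided>",
            "cosign.sigstore.dev/signature": "<base64 signature, elided>",
        },
    },
    "data": {"player_initial_lives": "3", "ui_properties_file_name": "user-interface.properties"},
}


def sample_deployed_resource(tampered=False):
    """Constructed stand-in for `kubectl get cm game-demo -o json` after apply."""
    deployed = copy.deepcopy(SIGNED_MANIFEST)
    deployed["metadata"].update({
        "uid": "00000000-0000-4000-8000-000000000001",
        "resourceVersion": "12345",
        "creationTimestamp": "2022-06-10T00:00:00Z",
        "managedFields": [{"manager": "kubectl-client-side-apply", "operation": "Update"}],
    })
    deployed["metadata"]["annotations"]["kubectl.kubernetes.io/last-applied-configuration"] = "{...}"
    if tampered:
        deployed["data"]["player_initial_lives"] = "99"  # edited on the cluster after signing
    return deployed


if __name__ == "__main__":
    for tampered in (False, True):
        ok, changed = matches_signed_manifest(SIGNED_MANIFEST, sample_deployed_resource(tampered))
        print(f"tampered={tampered} valid={ok} changed={changed}")
```

Reporting the changed paths rather than a bare boolean is what makes the result actionable in an admission controller or a report: an operator can tell a legitimate server-side default from a hand edit to data, and any path that keeps showing up is a candidate for the ignore list rather than an incident.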

    Contributors

    • Hiro Kitahara
    • Luke Hinds
    • Batuhan Apaydın
    • Aditya Sirish
    • Yuji Watanabe
    • dlorenc

    Thank you to all our contributors!!

    Changelog

    • 9ac7653 add a latest release doc (#50)
    • c0b9d67 fix issue of signing a directory (#49)
    • d7afc29 Switch DSSE provider to go-securesystemslib (#48)
    • 4421fbf add github action to prepare for release v0.1.0 (#47)
    • f1329bb add github actions for releasing and enable go install (#46)
    • 04236a2 add github action for tests and lint (#45)
    • 6f446ea bump cosign version up to 1.2.0 (#44)
    • a8a0ec1 add e2e test and move related packages (#43)
    • 1d5ef2f improve unit test coverage in core packages (#42)
    • 2120192 bump cosign up to v1.1.0 (#41)
    • eeb8906 enable version command to show version of the executable (#40)
    • 5bc6630 update admission controller example with the latest verify-resource codes (#39)
    • 1922b2a improve verify-resource speed with concurrency in go (#36)
    • 20bbc69 enable local file cache for verify-resource speed up (#37)
    • d360794 improve constraint option and update default profile (#35)
    • c4245c9 add manifest-build command for YAML manifest provenance (#34)
    • 1767e96 enable to get signature and provenance from a resource in a cluster (#33)
    • b0ebd0e add provenance tracking option to verify-resource command (#32)
    • 7bf33d6 add support of verifying pgp and x509 signatures (#30)
    • 3af3485 enable to load config from constraint resource in a cluster (#31)
    • a32b6c6 fix input path issue in sign command (#29)
    • 06f664e fix manifest detection config bug (#28)
    • 3281adc Pick a resource from N resources in manifest file robustly (#27)
    • d6c202d support directly attached signature and related things into k8s annotations (#23)
    • 437f81f add dryrun namespace option to verifyresourceoption (#24)
    • 67f63f7 update go.mod (#22)
    • 989d586 fix sign to set oidc option (#21)
    • a9407f0 bump up cosign version to v1.0.1 (#20)
    • 65741c2 support non-compressed YAML manifest in manifest image (#19)
    • 720a2b8 enable robust search mechanism for finding YAML manifest (#17)
    • 88eb6dc update cosign version to v0.6.0 (#18)
    • eac5e6a extend verify-resource subcommand capability (#16)
    • 3adf7ff image annotations added for signing/verifying process (#15)
    • d1cb533 Fix a few typos in the README. (#14)
    • 86c17f5 fix for using public key, if public key used disable tlog (#12)
    • 3f7db77 enable to output verify-resource result in JSON/YAML format (#10)
    • f9007b1 refactor codes and add known k8s ignore fields (#9)
    • 8db49ca Add initial codes for kubectl signing plugins (#1) (#4)
    • e6625d6 CodeQL action (#2)
    • 7262bc0 Create codeql-analysis.yml
    • 38e9dd7 Merge pull request #1 from lukehinds/proj-bootstrap
    • acb4e79 Project bootstrap
    • fffb294 Initial commit

    Source code(tar.gz)
    Source code(zip)
    k8s-manifest-sigstore_checksums.txt(388 bytes)
    kubectl-sigstore-darwin-amd64(73.41 MB)
    kubectl-sigstore-darwin-arm64(75.50 MB)
    kubectl-sigstore-linux-amd64(74.05 MB)
    kubectl-sigstore-windows-amd64.exe(73.80 MB)