policy-controller

module
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 11, 2022 License: Apache-2.0

README

Policy Controller

The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign.

policy-controller also resolves the image tags to ensure the image being ran is not different from when it was admitted.

See the installation instructions for more information.

Today, policy-controller can automatically validate signatures and attestations on container images. Enforcement is configured on a per-namespace basis, and multiple keys are supported.

We're actively working on more features here.

Enable policy-controller Admission Controller for Namespaces

The policy-controller admission controller will only validate resources in namespaces that have chosen to opt-in. This can be done by adding the label policy.sigstore.dev/include: "true" to the namespace resource.

kubectl label namespace my-secure-namespace policy.sigstore.dev/include=true
Admission of Images

An image is admitted after it has been validated against all ClusterImagePolicy that matched the digest of the image and that there was at least one valid signature or attestation obtained from the authorities provided in each of the matched ClusterImagePolicy. So each ClusterImagePolicy that matches is AND for admission, and within each ClusterImagePolicy authorities are OR.

See the Configuring Image Pattern for more information.

An example of an allowed admission would be:

  1. If the image matched against policy1 and policy3
  2. A valid signature or attestation was obtained for policy1 with at least one of the policy1 authorities
  3. A valid signature or attestation was obtained for policy3 with at least one of the policy3 authorities
  4. The image is admitted

An example of a denied admission would be:

  1. If the image matched against policy1 and policy2
  2. A valid signature or attestation was obtained for policy1 with at least one of the policy1 authorities
  3. No valid signature or attestation was obtained for policy2 with at least one of the policy2 authorities
  4. The image is not admitted

If an image does not match a policy, it will be admitted

Configuring policy-controller ClusterImagePolicy

policy-controller supports validation against multiple ClusterImagePolicy kubernetes resources.

A policy is enforced when an image pattern for the policy is matched against the image being deployed.

Configuring Image Patterns

The ClusterImagePolicy specifies spec.images which specifies a list of glob matching patterns. These matching patterns will be matched against the image digest of PodSpec resources attempting to be deployed.

Glob uses golang filepath semantics for matching the images against. Additionally you can specify a more traditional ** to match any number of characters. Furthermore to make it easier to specify images, there are few defaults when an image is matched, namely:

  • If there is no host in the glob pattern index.docker.io is used for the host. This allows users to specify commonly found images from Docker simply as myproject/nginx instead of inded.docker.io/myproject/nginx
  • If the image is specified without multiple path elements (so not separated by /), then library is defaulted. For example specifying busybox will result in library/busybox. And combined with above, will result in match being made against index.docker.io/library/busybox.

A sample of a ClusterImagePolicy which matches against all images using glob:

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy
spec:
  images:
  - glob: "**"
Configuring key Authorities

When a policy is selected to be evaluated against the matched image, the authorities will be used to validate signatures and attestations. If at least one authority is satisfied and a signature is validated, the policy is validated.

Authorities can be key specifications, for example:

spec:
  authorities:
    - key:
        data: |
          -----BEGIN PUBLIC KEY-----
          ...
          -----END PUBLIC KEY-----
    - key:
        secretRef:
          name: secretName
    - key:
        kms: KMSPATH

Each key authority can contain these properties:

  • key.data: specifies the plain text string of the public key
  • key.secretRef.name: specifies the secret location name in the same namespace where policy-controller is installed.
    The first key value will be used in the secret.
  • key.kms: specifies the location for the public key. Supported formats include:
    • azurekms://[VAULT_NAME][VAULT_URI]/[KEY]
    • awskms://[ENDPOINT]/{ARN} where ARN can be either key ARN or alias ARN.
    • gcpkms://projects/[PROJECT]/locations/global/keyRings/[KEYRING]/cryptoKeys/[KEY]
    • hashivault://[KEY]
Configuring keyless Authorities

When a policy is selected to be evaluated against the matched image, the authorities will be used to validate signatures. If at least one authority is satisfied and a signature is validated, the policy is validated.

Authorities can be keyless specifications. For example:

spec:
  authorities:
    - keyless:
        url: https://fulcio.example.com
        ca-cert:
          data: Certificate Data
    - keyless:
        url: https://fulcio.example.com
        ca-cert:
          secretRef:
            name: secretName
    - keyless:
        identities:
          - issuer: https://accounts.google.com
            subjectRegExp: .*@example.com
          - issuer: https://token.actions.githubusercontent.com
            subject: https://github.com/sigstore/policy-controller/.github/workflows/build.yaml@refs/heads/main

Each keyless authority can contain these properties:

  • keyless.url: specifies the Fulcio url
  • keyless.ca-cert: specifies ca-cert information for the keyless authority
    • secretRef.name: specifies the secret location name in the same namespace where policy-controller is installed.
      The first key value will be used in the secret for the ca-cert.
    • data: specifies the inline certificate data
  • keyless.identities: Identity may contain an array of issuer and/or the subject found in the transparency log. Either field supports a regex.
    • issuer: specifies the issuer found in the transparency log. Exact match is required.
    • subject: specifies the subject found in the transparency log. Exact match is required.
    • issuerRegExp: specifies the issuer found in the transparency log. Regex patterns are supported. Regex patterns are supported.
    • subjectRegExp: specifies the subject found in the transparency log. Regex patterns are supported. Regex patterns are supported.
Configuring Remote Signature Location

If signatures are located in a different repository, it can be specified along with the key or keyless definition. When no source is specified for the key, the expectation is that the signature is colocated with the image.

Note: By default, credentials used for the remote source repository are the ones provided in the PodSpec providing resource under imagePullSecrets.

To define a source, under the corresponding authorities node, source can be specified.

A sample of source specification for key and keyless:

spec:
  authorities:
    - key:
        data: |
          -----BEGIN PUBLIC KEY-----
          ...
          -----END PUBLIC KEY-----
      source:
        - oci: registry.example.com/project/signature-location
    - keyless:
        url: https://fulcio.example.com
      source:
        - oci: registry.example.com/project/signature-location
Configure SignaturePullSecrets

If the signatures / attestations are in a different repo or they use different PullSecrets, you can configure source to point to a secret which must live in the same namespace as policy-controller webhook (by default cosign-system).

spec:
  authorities:
    - key:
        data: |
          -----BEGIN PUBLIC KEY-----
          ...
          -----END PUBLIC KEY-----
      source:
        - oci: registry.example.com/project/signature-location
    - keyless:
        url: https://fulcio.example.com
      source:
        - oci: registry.example.com/project/signature-location
          signaturePullSecrets:
          - name: mysecret

Note: The secret has to be in the format type: dockerconfigjson.

Configuring Transparency Log

TLog specifies the URL to a transparency log that holds signature and public key information.

When tlog key is not specified, the public rekor instance will be used.

spec:
  authorities:
    - keyless:
        url: https://fulcio.example.com
      tlog:
        url: https://rekor.example.com
Configuring policy that validates attestations

Just like with cosign CLI you can verify attestations (using verify-attestation), you can configure policies to validate that a particular attestation was signed by a trusted authority. You do this by using attestations array within an authorities section. For example, to configure that a custom predicate has to exist and is attested by the specified issuer and subject, and the actual Data section of the predicate matches the string foobar e2e test:

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy-keyless-with-attestations
spec:
  images:
  - glob: registry.local:5000/policy-controller/demo*
  authorities:
  - name: verify custom attestation
    keyless:
      url: http://fulcio.fulcio-system.svc
      identities:
      - issuerRegExp: .*kubernetes.default.*
        subjectRegExp: .*kubernetes.io/namespaces/default/serviceaccounts/default
    ctlog:
      url: http://rekor.rekor-system.svc
    attestations:
    - name: custom-match-predicate
      predicateType: custom
      policy:
        type: cue
        data: |
          predicateType: "cosign.sigstore.dev/attestation/v1"
          predicate: Data: "foobar e2e test"

policy is optional and if left out, only the existence of the attestation is verified.

Configuring policy at the ClusterImagePolicy level.

As discussed earlier, by specifying multiple ClusterImagePolicy creates an AND clause so that each ClusterImagePolicy must be satisfied for an admission, and having multiple authorities creates an OR clause so that any matching authority is considered a success, sometimes you may want more flexibility, for example, if you wanted to specify that at least 2 out of N signatures match, and for those you can create a single ClusterImagePolicy but craft a policy that then gets applied after a ClusterImagePolicy has been validated. Here's a bit more complex example that ties all the bits from above together. It requires there to be two attestations custom and vuln and also two signatures, one signed with a key and one keyless signature

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy-requires-two-signatures-two-attestations
spec:
  images:
  - glob: registry.local:5000/policy-controller/demo*
  authorities:
  - name: keylessatt
    keyless:
      url: http://fulcio.fulcio-system.svc
    ctlog:
      url: http://rekor.rekor-system.svc
    attestations:
    - predicateType: custom
      name: customkeyless
      policy:
        type: cue
        data: |
          import "time"
          before: time.Parse(time.RFC3339, "2049-10-09T17:10:27Z")
          predicateType: "cosign.sigstore.dev/attestation/v1"
          predicate: {
            Data: "foobar e2e test"
            Timestamp: <before
          }
    - predicateType: vuln
      name: vulnkeyless
      policy:
        type: cue
        data: |
          import "time"
          before: time.Parse(time.RFC3339, "2022-04-15T17:10:27Z")
          after: time.Parse(time.RFC3339, "2022-03-09T17:10:27Z")
          predicateType: "cosign.sigstore.dev/attestation/vuln/v1"
          predicate: {
            invocation: {
              uri: "invocation.example.com/cosign-testing"
            }
            scanner: {
              uri: "fakescanner.example.com/cosign-testing"
            }
            metadata: {
              scanStartedOn: <before
              scanStartedOn: >after
              scanFinishedOn: <before
              scanFinishedOn: >after
            }
          }
  - name: keyatt
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOz9FcbJM/oOkC26Wfo9paG2tYGBL
        usDLHze93DzgLaAPDsyJrygpVnL9M6SOyfyXEsjpBTUu6uFZqHua8hwAlA==
        -----END PUBLIC KEY-----
    ctlog:
      url: http://rekor.rekor-system.svc
    attestations:
    - name: custom-match-predicate
      predicateType: custom
      policy:
        type: cue
        data: |
          predicateType: "cosign.sigstore.dev/attestation/v1"
          predicate: Data: "foobar key e2e test"
  - name: keylesssignature
    keyless:
      url: http://fulcio.fulcio-system.svc
    ctlog:
      url: http://rekor.rekor-system.svc
  - name: keysignature
    key:
      data: |
        -----BEGIN PUBLIC KEY-----
        MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEOz9FcbJM/oOkC26Wfo9paG2tYGBL
        usDLHze93DzgLaAPDsyJrygpVnL9M6SOyfyXEsjpBTUu6uFZqHua8hwAlA==
        -----END PUBLIC KEY-----
    ctlog:
      url: http://rekor.rekor-system.svc
  policy:
    type: cue
    data: |
      package sigstore
      import "struct"
      import "list"
      authorityMatches: {
        keyatt: {
          attestations: struct.MaxFields(1) & struct.MinFields(1)
        },
        keysignature: {
          signatures: list.MaxItems(1) & list.MinItems(1)
        },
        if (len(authorityMatches.keylessatt.attestations) < 2) {
          keylessattMinAttestations: 2
          keylessattMinAttestations: "Error"
        },
        keylesssignature: {
          signatures: list.MaxItems(1) & list.MinItems(1)
        }
      }

Examples

Please see the examples/ directory for example policies etc.

Policy Testing

This repo includes a policy-tester tool which enables checking a policy against various images.

In the root of this repo, run the following to build:

make policy-tester

Then run it pointing to a YAML file containing a ClusterImagePolicy, and an image to evaluate the policy against:

(set -o pipefail && \
    ./policy-tester \
        --policy=test/testdata/policy-controller/tester/cip-public-keyless.yaml \
        --image=ghcr.io/sigstore/cosign/cosign:v1.9.0 | jq)

Support Policy

This policy-controller's versions are able to run in the following versions of Kubernetes:

policy-controller > 0.2.x
Kubernetes 1.22
Kubernetes 1.23
Kubernetes 1.24
Kubernetes 1.25 (✓) *

note: not fully tested yet, but can be installed

Release Cadence

We are intending to move to a monthly cadence for minor releases. Minor releases will be published around the beginning of the month. We may cut a patch release instead, if the changes are small enough not to warrant a minor release. We will also cut patch releases periodically as needed to address bugs.

Security

Should you discover any security issues, please refer to sigstores security process

Directories

Path Synopsis
cmd
Package config is a placeholder that allows us to pull in config files via go mod vendor.
Package config is a placeholder that allows us to pull in config files via go mod vendor.
pkg
apis/config
Package config holds the typed objects that define the schemas for ConfigMap objects that pertain to our API objects.
Package config holds the typed objects that define the schemas for ConfigMap objects that pertain to our API objects.
apis/policy/v1alpha1
+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev
+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev
apis/policy/v1beta1
+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev
+k8s:deepcopy-gen=package +groupName=policy.sigstore.dev
client/clientset/versioned
This package has the automatically generated clientset.
This package has the automatically generated clientset.
client/clientset/versioned/fake
This package has the automatically generated fake clientset.
This package has the automatically generated fake clientset.
client/clientset/versioned/scheme
This package contains the scheme of the automatically generated clientset.
This package contains the scheme of the automatically generated clientset.
client/clientset/versioned/typed/duck/v1beta1
This package has the automatically generated typed clients.
This package has the automatically generated typed clients.
client/clientset/versioned/typed/duck/v1beta1/fake
Package fake has the automatically generated clients.
Package fake has the automatically generated clients.
client/clientset/versioned/typed/policy/v1alpha1
This package has the automatically generated typed clients.
This package has the automatically generated typed clients.
client/clientset/versioned/typed/policy/v1alpha1/fake
Package fake has the automatically generated clients.
Package fake has the automatically generated clients.
client/clientset/versioned/typed/policy/v1beta1
This package has the automatically generated typed clients.
This package has the automatically generated typed clients.
client/clientset/versioned/typed/policy/v1beta1/fake
Package fake has the automatically generated clients.
Package fake has the automatically generated clients.
third_party
VENDOR-LICENSE/github.com/hashicorp/errwrap
Package errwrap implements methods to formalize error wrapping in Go.
Package errwrap implements methods to formalize error wrapping in Go.
VENDOR-LICENSE/github.com/hashicorp/go-cleanhttp
Package cleanhttp offers convenience utilities for acquiring "clean" http.Transport and http.Client structs.
Package cleanhttp offers convenience utilities for acquiring "clean" http.Transport and http.Client structs.
VENDOR-LICENSE/github.com/hashicorp/go-plugin
The plugin package exposes functions and helpers for communicating to plugins which are implemented as standalone binary applications.
The plugin package exposes functions and helpers for communicating to plugins which are implemented as standalone binary applications.
VENDOR-LICENSE/github.com/hashicorp/go-retryablehttp
Package retryablehttp provides a familiar HTTP client interface with automatic retries and exponential backoff.
Package retryablehttp provides a familiar HTTP client interface with automatic retries and exponential backoff.
VENDOR-LICENSE/github.com/hashicorp/go-rootcerts
Package rootcerts contains functions to aid in loading CA certificates for TLS connections.
Package rootcerts contains functions to aid in loading CA certificates for TLS connections.
VENDOR-LICENSE/github.com/hashicorp/go-sockaddr
Package sockaddr is a Go implementation of the UNIX socket family data types and related helper functions.
Package sockaddr is a Go implementation of the UNIX socket family data types and related helper functions.
VENDOR-LICENSE/github.com/hashicorp/golang-lru
Package lru provides three different LRU caches of varying sophistication.
Package lru provides three different LRU caches of varying sophistication.
VENDOR-LICENSE/github.com/hashicorp/hcl
Package hcl decodes HCL into usable Go structures.
Package hcl decodes HCL into usable Go structures.
VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/ast
Package ast declares the types used to represent syntax trees for HCL (HashiCorp Configuration Language)
Package ast declares the types used to represent syntax trees for HCL (HashiCorp Configuration Language)
VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/parser
Package parser implements a parser for HCL (HashiCorp Configuration Language)
Package parser implements a parser for HCL (HashiCorp Configuration Language)
VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/printer
Package printer implements printing of AST nodes to HCL format.
Package printer implements printing of AST nodes to HCL format.
VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/scanner
Package scanner implements a scanner for HCL (HashiCorp Configuration Language) source text.
Package scanner implements a scanner for HCL (HashiCorp Configuration Language) source text.
VENDOR-LICENSE/github.com/hashicorp/hcl/hcl/token
Package token defines constants representing the lexical tokens for HCL (HashiCorp Configuration Language)
Package token defines constants representing the lexical tokens for HCL (HashiCorp Configuration Language)
VENDOR-LICENSE/github.com/hashicorp/vault/sdk/helper/certutil
Package certutil contains helper functions that are mostly used with the PKI backend but can be generally useful.
Package certutil contains helper functions that are mostly used with the PKI backend but can be generally useful.
VENDOR-LICENSE/github.com/hashicorp/vault/sdk/helper/strutil
DEPRECATED: this has been moved to go-secure-stdlib and will be removed
DEPRECATED: this has been moved to go-secure-stdlib and will be removed
VENDOR-LICENSE/github.com/letsencrypt/boulder/errors
Package errors provides internal-facing error types for use in Boulder.
Package errors provides internal-facing error types for use in Boulder.
VENDOR-LICENSE/github.com/letsencrypt/boulder/identifier
The identifier package defines types for RFC 8555 ACME identifiers.
The identifier package defines types for RFC 8555 ACME identifiers.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL