README
¶
cosign-provider
cosign-provider is used for validating whether images are signed with cosign.
This repo is meant for testing Gatekeeper external data feature. Do not use for production.
Installation
-
Deploy Gatekeeper with external data enabled (
--enable-external-data) -
kubectl apply -f manifest- Update
SECRET_NAMEenvironment variable
- Update
-
kubectl apply -f policy/provider.yaml- Update
proxyURLif it's nothttp://cosign-provider.default:8090
- Update
-
kubectl apply -f policy/template.yaml -
kubectl apply -f policy/constraint.yaml
Verification
-
kubectl apply -f policy/examples/signed.yaml- Request should be rejected
Error from server ([signed-image] Image gcr.io/google_containers/pause-amd64:3.0 does not contain a valid cosign signature): error when creating "policy/examples/unsigned.yaml": admission webhook "validation.gatekeeper.sh" denied the request: [signed-image] Image gcr.io/google_containers/pause-amd64:3.0 does not contain a valid cosign signature -
kubectl apply -f policy/examples/unsigned.yaml- Request should be allowed
deployment.apps/signed-deployment created
Credits
Cosign image verification is based on https://github.com/dlorenc/cosigned
Documentation
¶
There is no documentation for this package.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.