One-pager for Package Signing Validation Proposal#3297
jessesanford wants to merge 1 commit into crossplane:master from
Conversation
stevehipwell left a comment
@jessesanford I've added a couple of high level comments.
It's also worth pointing out the similarities between Crossplane & Helm in the context of consuming packages. This work looks to be closely aligned to helm/helm#11496 & helm/helm#10644.
Review comment on:

> ## Goals
>
> - Enable provenance validation of crossplane packages
> - Allow the specification of a trusted public key to use for validation
Is it reasonable to assume that all components could be validated from a single public key? I'd argue that this should be a per-component configuration, potentially via a selector based policy.
Also is a public key the best MVP solution over a cosign keyless signature identity?
Sorry for the delay. Lots of things happening since early November. I would agree that we should consider allowing for keyless. The keyless isn't much harder to do now. There is some prior art in this PR from @developer-guy on flux here: https://github.com/fluxcd/source-controller/pull/876/files
@stevehipwell I believe that we can now do a per-package set of secrets for validation with #3552; let me know what you think.
Review comment on:

> [Link]: https://github.com/crossplane/crossplane/blob/master/internal/controller/pkg/manager/revisioner_test.go#L113-L131
>
> ## Alternatives Considered
Could the stated goals be achieved with an external system such as OPA Gatekeeper or Kyverno? These external systems, where used, would be validating the OCI images in the deployments for providers.
It might also be possible to utilise Flux's source-controller / OCIRepository in a similar way to what Pulumi are doing in their Kubernetes Operator.
See:
"Could the stated goals be achieved with an external system such as OPA Gatekeeper or Kyverno? These external systems, where used, would be validating the OCI images in the deployments for providers."
Unfortunately, the image pull operations are done within the crossplane controller, and the image signature can't be verified until the image is pulled. So this all has to be evaluated after "admission". The same applies for config packages and provider packages.
Could patterns not be defined for OPA Gatekeeper or Kyverno to validate the image references in the Crossplane resources?
@stevehipwell yes, I imagine that we could have them watch for the package install CRDs and deny them if they don't contain valid signature information, but how would we validate that the signatures are correct? The evaluation of the signature can only be done once the image has been downloaded, and that pull of the image is all internal to the crossplane controllers.
Review comment on:

> [Link]: https://github.com/crossplane/crossplane/blob/b01b17353198a8de28664cf1eec601aaaf2fd95a/internal/xpkg/fetch.go#L119
>
> #### Prior Art For Validation:
The Kyverno image verifications documentation could offer some prior art for the configuration of the validation.
The ClusterImagePolicies of the sigstore policy-controller are also a good reference for how we can surface control of which images to validate (https://docs.sigstore.dev/policy-controller/overview/#configuring-policy-controller-clusterimagepolicy); however, maybe it makes sense for this policy to be more crossplane-centric, i.e. allowing the policy to be directed at all the fields of the crossplane pkg.crossplane.io/v1 group types? https://docs.crossplane.io/v1.9/concepts/packages/#installing-a-package
Signed-off-by: Jesse Sanford <jesse.sanford@autodesk.com>
Crossplane does not currently have enough maintainers to address every issue and pull request. This pull request has been automatically marked as

/fresh

Crossplane does not currently have enough maintainers to address every issue and pull request. This pull request has been automatically marked as
Description of your changes
One Pager for Package Signature Validation
Addresses Issue #3048
Pull Request for implementation: #3552
I have:

- Run `make reviewable` to ensure this PR is ready for review.
- Added `backport release-x.y` labels to auto-backport this PR if necessary.

How has this code been tested
NA