This repository has been archived by the owner on Nov 20, 2021. It is now read-only.

dlorenc/cosigned

Cosigned

** THE CODE IN THIS REPO HAS BEEN MOVED TO THE OFFICIAL COSIGN REPO **

** THIS IS ARCHIVED **

A Kubernetes admission controller to verify images have been signed by cosign!


Installation

Prereqs

Install

Run make deploy!

Don't forget to change the Go module name in go.mod:
module github.com/dlorenc/cosigned --> module github.com/<your_github_name>/cosigned

$ export SECRET_KEY_REF=k8s://default/mysecret
$ envsubst \
    < config/manager/kustomization.template.yaml \
    > config/manager/kustomization.yaml
$ export PROJECT_ID=$(gcloud config get-value project)
$ export KO_DOCKER_REPO=gcr.io/$PROJECT_ID
$ export GITHUB_NAME="dlorenc"
$ IMG=ko://github.com/$GITHUB_NAME/cosigned make deploy

Usage

cosigned only watches namespaces with the label cosigned=true on them, so set that up:

NS=default
kubectl label ns $NS cosigned=true --overwrite

Grab a container and try to run it:

$ IMAGE=$KO_DOCKER_REPO/demo
$ crane cp --platform=linux/amd64 ubuntu $IMAGE
$ kubectl run -it unsigned --image=$IMAGE
Error from server (invalid signatures): admission webhook "cosigned.sigstore.dev" denied the request: invalid signatures

Sign a container:

$ cosign generate-key-pair $SECRET_KEY_REF
$ cosign sign -key $SECRET_KEY_REF $IMAGE
Enter password for private key:
Pushing signature to: gcr.io/dlorenc-vmtest2/cosigned:sha256-fb607a5a85c963d8efe8f07b5935861aea06748f2a740617f672c6f75a35552e.cosign

Now run it:

$ kubectl run -it signed --image=$IMAGE
If you don't see a command prompt, try pressing enter.
/ # 

Configuration

Cosigned currently uses a single Kubernetes Secret for configuration, since cosign can now store the public/private key pair in a Kubernetes Secret. The Secret has one field, cosign.pub, which contains a PKIX-formatted public key to trust. All images must be signed by that key to run in the cluster.

Enforcement is opt-in at the namespace-level. Namespaces with the label cosigned=true will be enforced.
