Merge pull request #624 from ooq/fix-signer-tutorial

Update signer tutorials

docs/signer.md

@@ -218,10 +218,10 @@ First we need to pick a GCP project and enable those services within the project
 
 6. Create vulnerability signing policy.
 
-    An example policy is in the samples.
+    We have two example policies, `policy-strict.yaml` and `policy-loose.yaml`. They differ in that `policy-loose.yaml` has higher severity thresholds.
 
     ```shell
-    cat samples/signer/policy.yaml
+    cat samples/signer/policy-strict.yaml
 
     apiVersion: kritis.grafeas.io/v1beta1
     kind: VulnzSigningPolicy
@@ -233,33 +233,44 @@ First we need to pick a GCP project and enable those services within the project
         maximumUnfixableSeverity: MEDIUM
         allowlistCVEs:
         - projects/goog-vulnz/notes/CVE-2020-10543
-        - projects/goog-vulnz/notes/CVE-2020-10878
-        - projects/goog-vulnz/notes/CVE-2020-14155
+
+    cat samples/signer/policy-loose.yaml
+
+    apiVersion: kritis.grafeas.io/v1beta1
+    kind: VulnzSigningPolicy
+    metadata:
+      name: my-vsp
+    spec:
+      imageVulnerabilityRequirements:
+        maximumFixableSeverity: CRITICAL
+        maximumUnfixableSeverity: CRITICAL
+        allowlistCVEs:
+        - projects/goog-vulnz/notes/CVE-2020-10543
     ```
 
 7. Run signer on a built image (pass example).
 
-    1. Build and push an example good image.
+    1. Build and push an example image.
 
         ```shell
-        docker build -t gcr.io/$PROJECT_ID/signer-test:good -f samples/signer/Dockerfile.good .
-        docker push gcr.io/$PROJECT_ID/signer-test:good
+        docker build -t gcr.io/$PROJECT_ID/signer-test:example -f samples/signer/Dockerfile .
+        docker push gcr.io/$PROJECT_ID/signer-test:example
         ```
 
     2. Note down the image digest url.
 
         ```shell
-        export GOOD_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:good --format '{{index .RepoDigests 0}}')
+        export EXAMPLE_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:example --format '{{index .RepoDigests 0}}')
         ```
 
-    3. Run the signer.
+    3. Run the signer with a loose policy.
 
         ```shell
         ./signer \
           -v=10 \
           -alsologtostderr \
-          -image=$GOOD_IMG_URL \
-          -policy=samples/signer/policy.yaml \
+          -image=$EXAMPLE_IMG_URL \
+          -policy=samples/signer/policy-loose.yaml \
           -kms_key_name=$KMS_KEY_NAME \
           -kms_digest_alg=$KMS_DIGEST_ALG \
           -note_name=$NOTE_NAME
@@ -276,44 +287,44 @@ First we need to pick a GCP project and enable those services within the project
           -mode=check-only \
           -v=10 \
           -alsologtostderr \
-          -image=$GOOD_IMG_URL \
-          -policy=samples/signer/policy.yaml \
+          -image=$EXAMPLE_IMG_URL \
+          -policy=samples/signer/policy-loose.yaml \
         ```
 
         ```shell
         ./signer \
           -mode=bypass-and-sign \
           -v=10 \
           -alsologtostderr \
-          -image=$GOOD_IMG_URL \
+          -image=$EXAMPLE_IMG_URL \
           -kms_key_name=$KMS_KEY_NAME \
           -kms_digest_alg=$KMS_DIGEST_ALG \
           -note_name=$NOTE_NAME
         ```
 
 8. Run signer on a built image (fail example).
 
-    1. Build and push an example good image.
+    1. Build and push an example image (skippable if image from Step.7 is not deleted).
 
         ```shell
-        docker build -t gcr.io/$PROJECT_ID/signer-test:bad -f samples/signer/Dockerfile.bad .
-        docker push gcr.io/$PROJECT_ID/signer-test:bad
+        docker build -t gcr.io/$PROJECT_ID/signer-test:example -f samples/signer/Dockerfile .
+        docker push gcr.io/$PROJECT_ID/signer-test:example
         ```
 
     2. Note down the image digest url.
 
         ```shell
-        export BAD_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:bad --format '{{index .RepoDigests 0}}')
+        export EXAMPLE_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:example --format '{{index .RepoDigests 0}}')
         ```
 
-    3. Run the signer.
+    3. Run the signer with a strict policy.
 
         ```shell
         ./signer \
           -v=10 \
           -alsologtostderr \
-          -image=$BAD_IMG_URL \
-          -policy=samples/signer/policy.yaml \
+          -image=$EXAMPLE_IMG_URL \
+          -policy=samples/signer/policy-strict.yaml \
           -kms_key_name=$KMS_KEY_NAME \
           -kms_digest_alg=$KMS_DIGEST_ALG \
           -note_name=$NOTE_NAME
@@ -330,20 +341,20 @@ First we need to pick a GCP project and enable those services within the project
           -mode=check-only \
           -v=10 \
           -alsologtostderr \
-          -image=$BAD_IMG_URL \
-          -policy=samples/signer/policy.yaml \
+          -image=$EXAMPLE_IMG_URL \
+          -policy=samples/signer/policy-strict.yaml \
         ```
 
         ```shell
         ./signer \
           -mode=bypass-and-sign \
           -v=10 \
           -alsologtostderr \
-          -image=$BAD_IMG_URL \
+          -image=$EXAMPLE_IMG_URL \
           -kms_key_name=$KMS_KEY_NAME \
           -kms_digest_alg=$KMS_DIGEST_ALG \
           -note_name=$NOTE_NAME
         ```
 
-        With `bypass-and-sign` mode, an attestation will also be created for the bad image.
+        With `bypass-and-sign` mode, an attestation will still be created for the image.
 

samples/policy-check/cloudbuild-bad.yaml

@@ -1,13 +1,13 @@
 # Cloudbuild pipeline for a build with an image
-# that passes the vuln policy
+# that does not pass the vuln policy
 steps:
-  # Build a 'bad' image
+  # Build a test image
   - name: gcr.io/cloud-builders/docker
     entrypoint: /bin/bash
     args:
       - -c
       - |
-        docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.bad .
+        docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile .
     id: build
   - name: gcr.io/cloud-builders/docker
     entrypoint: /bin/bash
@@ -27,7 +27,7 @@ steps:
       -v=10 \
       -alsologtostderr \
       -image=$(/bin/cat image-digest.txt) \
-      -policy=policy.yaml \
+      -policy=policy-strict.yaml \
       -mode=check-only
     waitFor: push
     id: vulnsign

samples/policy-check/cloudbuild-good.yaml

@@ -1,13 +1,13 @@
 # Cloudbuild pipeline for a build with an image
 # that passes the vuln policy
 steps:
-  # Build a 'good' image
+  # Build a test image
   - name: gcr.io/cloud-builders/docker
     entrypoint: /bin/bash
     args:
       - -c
       - |
-        docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.good .
+        docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile .
     id: build
   - name: gcr.io/cloud-builders/docker
     entrypoint: /bin/bash
@@ -27,7 +27,7 @@ steps:
       -v=10 \
       -alsologtostderr \
       -image=$(/bin/cat image-digest.txt) \
-      -policy=policy.yaml \
+      -policy=policy-loose.yaml \
       -mode=check-only
     waitFor: push
     id: vulnsign

samples/policy-check/policy-loose.yaml

@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+  name: my-vsp
+spec:
+  imageVulnerabilityRequirements:
+    maximumFixableSeverity: CRITICAL
+    maximumUnfixableSeverity: CRITICAL
+    allowlistCVEs:
+    - projects/goog-vulnz/notes/CVE-2021-20305

samples/policy-check/policy-strict.yaml

@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+  name: my-vsp
+spec:
+  imageVulnerabilityRequirements:
+    maximumFixableSeverity: MEDIUM
+    maximumUnfixableSeverity: MEDIUM
+    allowlistCVEs:
+    - projects/goog-vulnz/notes/CVE-2021-20305

samples/signer/cloudbuild-bad.yaml

@@ -1,13 +1,13 @@
 # Cloudbuild pipeline for a build with an image
-# that passes the vuln policy
+# that does not pass the vuln policy
 steps:
-  # Build a 'bad' image
+  # Build a test image
   - name: gcr.io/cloud-builders/docker
     entrypoint: /bin/bash
     args:
       - -c
       - |
-        docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.bad .
+        docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile .
     id: build
   - name: gcr.io/cloud-builders/docker
     entrypoint: /bin/bash
@@ -27,7 +27,7 @@ steps:
       -v=10 \
       -alsologtostderr \
       -image=$(/bin/cat image-digest.txt) \
-      -policy=policy.yaml \
+      -policy=policy-strict.yaml \
       -kms_key_name=${_KMS_KEY_NAME} \
       -kms_digest_alg=${_KMS_DIGEST_ALG} \
       -note_name=${_NOTE_NAME}

samples/signer/cloudbuild-good.yaml

@@ -1,13 +1,13 @@
 # Cloudbuild pipeline for a build with an image
 # that passes the vuln policy
 steps:
-  # Build a 'good' image
+  # Build a test image
   - name: gcr.io/cloud-builders/docker
     entrypoint: /bin/bash
     args:
       - -c
       - |
-        docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.good .
+        docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile .
     id: build
   - name: gcr.io/cloud-builders/docker
     entrypoint: /bin/bash
@@ -27,7 +27,7 @@ steps:
       -v=10 \
       -alsologtostderr \
       -image=$(/bin/cat image-digest.txt) \
-      -policy=policy.yaml \
+      -policy=policy-loose.yaml \
       -kms_key_name=${_KMS_KEY_NAME} \
       -kms_digest_alg=${_KMS_DIGEST_ALG} \
       -note_name=${_NOTE_NAME}

samples/signer/policy-loose.yaml

@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+  name: my-vsp
+spec:
+  imageVulnerabilityRequirements:
+    maximumFixableSeverity: CRITICAL
+    maximumUnfixableSeverity: CRITICAL
+    allowlistCVEs:
+    - projects/goog-vulnz/notes/CVE-2021-20305

samples/signer/policy-strict.yaml

@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+  name: my-vsp
+spec:
+  imageVulnerabilityRequirements:
+    maximumFixableSeverity: MEDIUM
+    maximumUnfixableSeverity: MEDIUM
+    allowlistCVEs:
+    - projects/goog-vulnz/notes/CVE-2021-20305