
[Feature] allow kubernetes auth method for hashivault:// KMS in imageVerify #4274

Open
2 tasks done
rubroboletus opened this issue Jul 29, 2022 · 10 comments
Assignees
Labels
end user This label is used to track the issue that is raised by the end user. enhancement New feature or request imageVerify Image verification support

Comments

@rubroboletus

Problem Statement

Kyverno allows using hashivault:// keys for image verification, but the Vault token and Vault address must be set. Why not use the Vault Kubernetes authentication method (https://www.vaultproject.io/docs/auth/kubernetes)?

Solution Description

Kyverno runs inside Kubernetes and Vault supports Kubernetes authentication, so why not connect these two features for using Vault from Kyverno in imageVerify hashivault:// checks? Get a short-lived Vault token when needed using the Kubernetes authentication method and then use it for KMS.

Alternatives

No response

Additional Context

No response

Slack discussion

No response

Research

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@rubroboletus rubroboletus added enhancement New feature or request triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Jul 29, 2022
@chipzoller chipzoller added imageVerify Image verification support and removed triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Aug 4, 2022
@chipzoller chipzoller added the end user This label is used to track the issue that is raised by the end user. label Aug 4, 2022
@jessequinn

Agreed, useful. I do not see a viable way of having Vault as a KMS for Kyverno while having to set the token manually and restart the pod. Tokens have a TTL of 30 days, I believe, in Vault.

@developer-guy
Contributor

we (w/@Dentrax) just tested this Vault KMS with Kyverno and I can truly say that everything worked as we expected, yay! As a result, we are going to write a blog post to explain everything in detail, stay tuned 🙈

@chipzoller
Member

Can you give us a hint so we can add something to the documentation?

@developer-guy
Contributor

developer-guy commented Oct 9, 2023

Firstly, we have added two environment variables to the kyverno-admission-controller: VAULT_ADDR and VAULT_TOKEN.

Then we created an image verification policy like the following:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image
spec:
  validationFailureAction: Enforce   # reject, rather than only audit, Pods whose images fail verification
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail                # a webhook error (e.g. Vault unreachable) fails closed
  rules:
    - name: check-image
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "*"
        attestors:
        - count: 1
          entries:
          - keys:
              kms: hashivault://cosign   # transit key named "cosign"; VAULT_ADDR and VAULT_TOKEN come from the pod environment
```

cosign is the name of the key we used during the signing/verifying of the container images. Before that we had already signed our container image with the following command:

```shell
cosign sign --key hashivault://cosign <image>
```

After we applied the policy above, we expected Kyverno to verify the signature, and all worked as we expected.

We even tried key rotation to see how things would go. We simply rotated the key with which we signed container images, then signed the container images once again with the new key. Thanks to the VAULT_KEY_PREFIX environment variable, which we set to vault:v2: in the deployment variables, everything worked as we expected again: the container images we signed with the old key failed, but the ones we signed with the new key passed.

PTAL @Dentrax

@Lerentis
Contributor

Lerentis commented Oct 9, 2023

I guess this is only a valid solution if you are using static tokens in Vault. Utilizing the Vault in-k8s login as stated in the creation of the ticket would be a more desirable solution imo.

@developer-guy
Contributor

Yes, it might be, but it requires development effort on both sides, Kyverno and Sigstore, to support that.

@developer-guy
Contributor

developer-guy commented Oct 16, 2023

do you want me to add these details to the doc @chipzoller?

@chipzoller
Member

Since what you're doing isn't really what this issue describes, maybe just point to the Vault docs if they exist?

@ambis

ambis commented Apr 12, 2024

It would be super helpful if we were able to use Vault's kubernetes auth with kyverno.

@angapov

angapov commented Apr 22, 2024

I would add that using a static Vault token goes against security best practices. Static Vault tokens are long-lived and are susceptible to theft, whereas the Kubernetes auth method uses short-lived service account tokens (1 hour TTL by default). I strongly believe the Kubernetes auth method should be implemented as the default one by Kyverno.
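Added example, not code from Kyverno, sigstore or any commenter in this thread: a Go client against a constructed fake Vault (so it runs offline) that chains the two steps the issue asks for. First a Kubernetes auth login (POST /v1/auth/kubernetes/login with the pod's service-account JWT, which returns a client_token and a lease_duration the caller tracks so it can log in again before the lease ends, instead of holding a static VAULT_TOKEN), then a transit verify call that sends that token in X-Vault-Token and prefixes the signature with the key-version prefix, which is why a signature made with the old key stops verifying once the prefix is set to vault:v2: as described in the rotation test above. The role name kyverno, the mount kubernetes, the key name cosign, the JWT and token strings, and the fake server's signature format are all assumptions made for the example.

```go
package main

// Added example, not Kyverno or sigstore code: obtain a short-lived Vault token
// via the Kubernetes auth method, then use it for a transit verify call with a
// key-version prefix (VAULT_KEY_PREFIX). The Vault server is a constructed fake
// so this runs offline; role, mount, key, JWT and token values are assumptions.

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
	"time"
)

// Constructed fixtures: the projected SA JWT the fake accepts and the token it issues.
const fakeSAJWT, fakeVaultToken = "eyJhbGciOiJSUzI1NiJ9.constructed-kyverno-sa-token", "hvs.constructed-short-lived-token"

type vaultSession struct {
	addr, token string
	expires     time.Time
}

// post sends JSON to Vault with X-Vault-Token (empty before login) and decodes the reply.
func post(url, token string, in map[string]string, out interface{}) error {
	body, _ := json.Marshal(in)
	req, _ := http.NewRequest(http.MethodPost, url, strings.NewReader(string(body)))
	req.Header.Set("X-Vault-Token", token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: HTTP %d", url, resp.StatusCode)
	}
	return json.NewDecoder(resp.Body).Decode(out)
}

// kubernetesLogin posts {role, jwt} to /v1/auth/<mount>/login (Vault's documented
// Kubernetes auth endpoint) and keeps the client_token together with its lease.
func kubernetesLogin(addr, mount, role, jwt string) (*vaultSession, error) {
	var out map[string]map[string]interface{} // {"auth":{"client_token":"...","lease_duration":N}}
	if err := post(addr+"/v1/auth/"+mount+"/login", "", map[string]string{"role": role, "jwt": jwt}, &out); err != nil {
		return nil, err
	}
	token, _ := out["auth"]["client_token"].(string)
	lease, _ := out["auth"]["lease_duration"].(float64)
	return &vaultSession{addr: addr, token: token, expires: time.Now().Add(time.Duration(lease) * time.Second)}, nil
}

// needsRenewal is the pre-call check a controller runs: log in again when the lease is nearly over.
func (s *vaultSession) needsRenewal(margin time.Duration) bool { return time.Until(s.expires) < margin }

// transitVerify sends base64(digest) and prefix+base64(sig) to /v1/transit/verify/<key>;
// the prefix (e.g. "vault:v2:") tells Vault which key version to verify against.
func (s *vaultSession) transitVerify(key, prefix string, digest, sig []byte) (bool, error) {
	var out map[string]map[string]interface{} // {"data":{"valid":bool}}
	err := post(s.addr+"/v1/transit/verify/"+key, s.token, map[string]string{
		"input":     base64.StdEncoding.EncodeToString(digest),
		"signature": prefix + base64.StdEncoding.EncodeToString(sig),
	}, &out)
	valid, _ := out["data"]["valid"].(bool)
	return valid, err
}

// fakeSign stands in for a transit signature under one key version (a constructed hash, not a real signature).
func fakeSign(version string, digest []byte) []byte {
	sum := sha256.Sum256([]byte(version + ":" + string(digest)))
	return sum[:]
}

// newFakeVault: login succeeds only for the expected role and JWT and issues a 1h token;
// verify requires that token and is valid only for the key version named in the prefix.
func newFakeVault() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v1/auth/kubernetes/login", func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		json.NewDecoder(r.Body).Decode(&in)
		if in["role"] != "kyverno" || in["jwt"] != fakeSAJWT {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		fmt.Fprintf(w, `{"auth":{"client_token":%q,"lease_duration":3600}}`, fakeVaultToken)
	})
	mux.HandleFunc("/v1/transit/verify/cosign", func(w http.ResponseWriter, r *http.Request) {
		var in map[string]string
		json.NewDecoder(r.Body).Decode(&in)
		parts := strings.SplitN(in["signature"], ":", 3) // "vault", "vN", base64 signature
		if r.Header.Get("X-Vault-Token") != fakeVaultToken || len(parts) != 3 {
			http.Error(w, `{"errors":["permission denied"]}`, http.StatusForbidden)
			return
		}
		digest, _ := base64.StdEncoding.DecodeString(in["input"])
		sig, _ := base64.StdEncoding.DecodeString(parts[2])
		fmt.Fprintf(w, `{"data":{"valid":%v}}`, string(sig) == string(fakeSign(parts[1], digest)))
	})
	return httptest.NewServer(mux)
}

func main() {
	vault := newFakeVault()
	defer vault.Close()
	s, err := kubernetesLogin(vault.URL, "kubernetes", "kyverno", fakeSAJWT)
	if err != nil {
		panic(err)
	}
	digest := []byte("sha256:constructed-image-digest")
	cur, _ := s.transitVerify("cosign", "vault:v2:", digest, fakeSign("v2", digest))
	old, _ := s.transitVerify("cosign", "vault:v2:", digest, fakeSign("v1", digest))
	fmt.Println("current key:", cur, "rotated-out key:", old, "renew soon:", s.needsRenewal(5*time.Minute))
}
```

Against a real Vault the fake server is replaced by VAULT_ADDR, the JWT is read from the pod's projected token file (/var/run/secrets/kubernetes.io/serviceaccount/token), and the Vault-side Kubernetes auth role has to be bound to the admission controller's service account name and namespace; the login call is then repeated whenever needsRenewal reports the lease is close to ending, so no long-lived token ever has to be placed in the deployment.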
