[Feature] allow kubernetes auth method for hashivault:// KMS in imageVerify #4274
Comments
agreed. useful. I do not see a viable way of having Vault as a KMS for Kyverno with having to set the token manually and restarting the pod. Tokens have a TTL of 30 days, I believe, in Vault. |
we (w/@Dentrax) just tested this Vault KMS with Kyverno and I can truly say that everything worked as we expected, yay! As a result, we are going to write a blog post to explain everything in detail, stay tuned 🙈 |
Can you give us a hint so we can add something to the documentation? |
Firstly, we have added two environment variables to the Then we created an image verification policy like the following:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image
spec:
  validationFailureAction: Enforce
  background: false
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  rules:
    - name: check-image
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "*"
          attestors:
            - count: 1
              entries:
                - keys:
                    kms: hashivault://cosign
```

The `cosign sign --key hashivault://cosign <image>` After we applied the policy above, we expected to verify the signature by Kyverno, and all worked as we expected. We even tried key rotation to see how things would go. We simply rotated the key with which we signed container images, then once again we signed container images with the new key, thanks to the PTAL @Dentrax |
I guess this is only a valid solution if you are using static tokens in vault. Utilizing the vault in k8s login as stated in the creation of the ticket would be a more desirable solution imo |
yes it might be, but it requires development effort on both sides, Kyverno and Sigstore, to support that. |
do you want me to add these details to the doc @chipzoller? |
Since what you're doing isn't really what this issue describes, maybe just point to the Vault docs if they exist? |
It would be super helpful if we were able to use Vault's kubernetes auth with kyverno. |
I would add that using static Vault token goes against security best practices. Static Vault tokens are long-lived and are susceptible to theft, whereas Kubernetes auth method uses short-lived service account tokens (1 hour TTL by default). I strongly believe Kubernetes auth method should be implemented as a default one by Kyverno. |
Problem Statement
Kyverno allows the use of hashivault:// keys for image verification, but the Vault token and Vault address must be set. Why not use the Vault Kubernetes authentication method (https://www.vaultproject.io/docs/auth/kubernetes)?
Solution Description
Kyverno runs inside Kubernetes, and Vault supports Kubernetes authentication, so why not connect these two features for using Vault from Kyverno in imageVerify hashivault:// checks: get a short-lived Vault token when needed using the Kubernetes authentication method and then use it for KMS.
Alternatives
No response
Additional Context
No response
Slack discussion
No response
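The flow this issue proposes, and that the static-token setup in the comments above works around, written out as an added example in Go (Kyverno's own language). This is not code from Kyverno, sigstore or the commenters: it reads the pod's service account JWT, exchanges it for a short-lived Vault client token through the kubernetes auth method, tracks the token's TTL so a caller can log in again before the next KMS call would fail, and hands the result to the hashivault:// client through the environment. Assumptions, none of which come from the thread: the auth method is mounted at `kubernetes`, the role name arrives in a hypothetical `VAULT_ROLE` variable, the service account token sits at the default in-cluster path, and the two environment variables the comment above refers to are `VAULT_ADDR` and `VAULT_TOKEN`.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"os"
	"strings"
	"time"
)

// Assumed default (not from the issue): the in-cluster service account token path.
const DefaultSATokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// Body of POST {VAULT_ADDR}/v1/auth/{mount}/login for the kubernetes auth method
// (https://www.vaultproject.io/docs/auth/kubernetes).
type loginRequest struct {
	Role string `json:"role"`
	JWT  string `json:"jwt"`
}

// Only the fields of Vault's login response this flow needs.
type loginResponse struct {
	Auth struct {
		ClientToken   string `json:"client_token"`
		LeaseDuration int    `json:"lease_duration"` // seconds
		Renewable     bool   `json:"renewable"`
	} `json:"auth"`
	Errors []string `json:"errors"`
}

// VaultToken is a short-lived client token plus the instant it stops being usable.
type VaultToken struct {
	Token     string
	ExpiresAt time.Time
	Renewable bool
}

// NeedsRefresh reports whether the token is within `margin` of expiry, so the
// caller can log in again (or renew) instead of letting a KMS call fail.
func (t VaultToken) NeedsRefresh(now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(t.ExpiresAt)
}

// LoadSAToken reads the service account JWT that Vault validates via TokenReview.
func LoadSAToken(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read service account token: %w", err)
	}
	jwt := strings.TrimSpace(string(b))
	if jwt == "" {
		return "", fmt.Errorf("service account token at %s is empty", path)
	}
	return jwt, nil
}

// KubernetesLogin exchanges the service account JWT for a Vault client token.
// `now` is passed in so the expiry is deterministic and testable.
func KubernetesLogin(client *http.Client, vaultAddr, mount, role, jwt string, now time.Time) (VaultToken, error) {
	body, err := json.Marshal(loginRequest{Role: role, JWT: jwt})
	if err != nil {
		return VaultToken{}, err
	}
	url := strings.TrimRight(vaultAddr, "/") + "/v1/auth/" + strings.Trim(mount, "/") + "/login"
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return VaultToken{}, err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return VaultToken{}, fmt.Errorf("vault login request: %w", err)
	}
	defer resp.Body.Close()

	var lr loginResponse
	if err := json.NewDecoder(resp.Body).Decode(&lr); err != nil {
		return VaultToken{}, fmt.Errorf("decode vault login response (HTTP %d): %w", resp.StatusCode, err)
	}
	// Vault reports auth failures as a non-200 status with an "errors" array.
	if resp.StatusCode != http.StatusOK || len(lr.Errors) > 0 {
		return VaultToken{}, fmt.Errorf("vault login failed (HTTP %d): %s", resp.StatusCode, strings.Join(lr.Errors, "; "))
	}
	if lr.Auth.ClientToken == "" || lr.Auth.LeaseDuration <= 0 {
		return VaultToken{}, fmt.Errorf("vault login returned no usable token")
	}
	return VaultToken{
		Token:     lr.Auth.ClientToken,
		ExpiresAt: now.Add(time.Duration(lr.Auth.LeaseDuration) * time.Second),
		Renewable: lr.Auth.Renewable,
	}, nil
}

func main() {
	addr, role := os.Getenv("VAULT_ADDR"), os.Getenv("VAULT_ROLE") // VAULT_ROLE is hypothetical
	if addr == "" || role == "" {
		fmt.Fprintln(os.Stderr, "set VAULT_ADDR and VAULT_ROLE to run against a real Vault")
		os.Exit(2)
	}
	jwt, err := LoadSAToken(DefaultSATokenPath)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	tok, err := KubernetesLogin(&http.Client{Timeout: 10 * time.Second}, addr, "kubernetes", role, jwt, time.Now())
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Assumption: the hashivault:// KMS client reads VAULT_ADDR and VAULT_TOKEN from
	// the environment, so the short-lived token replaces a static one in place.
	os.Setenv("VAULT_TOKEN", tok.Token)
	fmt.Printf("vault token obtained, expires in %s (renewable=%v)\n",
		time.Until(tok.ExpiresAt).Round(time.Second), tok.Renewable)
}
```

The token value itself is never logged; only its TTL is. A long-running verifier would call `NeedsRefresh` before each signature check and repeat the login (or renew, when `Renewable` is true) while the pod keeps running, which is the restart-free behaviour the issue asks for.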