
[Feature] Verify Image Policies in air gapped environment with TUF cache #8691

Open
2 tasks done
j1nka opened this issue Oct 19, 2023 · 6 comments
Labels
enhancement New feature or request imageVerify Image verification support

Comments

@j1nka

j1nka commented Oct 19, 2023

Problem Statement

Hi!

If I'm right, Kyverno will always try to get up-to-date keys from TUF, and so it needs an Internet connection. It calls tuf.Initialize(), which will always try to update TUF because of the true in initializeTUF().

This may not be the best option in an air-gapped environment, where clusters don't have direct access to the Internet.

Solution Description

TUF itself has another function, newFromEnv(), which will try to use the local cache if present and does not force a TUF update (false in initializeTUF()).

It's possible to add this cache data to Kyverno pods. For example:

  1. We have a workstation with Internet access. We will download all necessary information, like remote.json, tuf.db, targets
  2. We will add an additional init-container for Kyverno pods which will populate the data above into an emptyDir through ConfigMaps (for example)
  3. It works, and we don't need any direct Internet access from the cluster
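One way to provision the cache described in steps 1-3, as an added example rather than Kyverno's own manifests: it assumes the sigstore TUF client reads its cache directory from the TUF_ROOT environment variable and that the controller container is named kyverno.

```yaml
# Constructed ConfigMap holding files from a workstation's TUF cache (placeholder values).
# tuf.db is binary, so it goes in binaryData; targets/ files use flat "targets__" keys.
apiVersion: v1
kind: ConfigMap
metadata:
  name: sigstore-tuf-cache
  namespace: kyverno
data:
  remote.json: "<remote.json from the workstation cache>"
  targets__rekor.pub: "<targets/rekor.pub from the workstation cache>"
binaryData:
  tuf.db: "<base64 of tuf.db from the workstation cache>"
---
# Fragment of the Kyverno admission-controller Deployment (merge into the real manifest).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kyverno-admission-controller
  namespace: kyverno
spec:
  template:
    spec:
      volumes:
        - name: tuf-cache-src
          configMap:
            name: sigstore-tuf-cache
        - name: tuf-cache
          emptyDir: {}
      initContainers:
        - name: restore-tuf-cache
          image: busybox:1.36   # placeholder image
          command: ["sh", "-c"]
          args:
            - |
              set -e
              mkdir -p /tuf-root/targets
              cp /src/remote.json /src/tuf.db /tuf-root/
              for f in /src/targets__*; do
                cp "$f" "/tuf-root/targets/${f##*/targets__}"
              done
          volumeMounts:
            - { name: tuf-cache-src, mountPath: /src }
            - { name: tuf-cache, mountPath: /tuf-root }
      containers:
        - name: kyverno   # assumed container name
          env:
            - name: TUF_ROOT   # cache directory read by the sigstore TUF client
              value: /tuf-root
          volumeMounts:
            - { name: tuf-cache, mountPath: /tuf-root }
```

ConfigMaps are capped at 1 MiB, so a larger cache needs a Secret or a volume baked into an image instead. Refreshing the cache means re-creating the ConfigMap and restarting the pods, since the emptyDir is rebuilt only at pod start.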

Yes, there is another issue: we need to keep this data up-to-date, but it's still possible and doesn't look like a tough task.

And there should not be so many code changes in Kyverno. Maybe we can add a flag like useTufOffline (bool) and make something like this (in cmd\internal\tuf.go):

	if isTufOffline {
		// Offline: reuse the local TUF cache, never force an update.
		if _, err := tuf.NewFromEnv(ctx); err != nil {
			checkError(logger, err, fmt.Sprintf("Failed to initialize TUF client from %s : %v", tufRoot, err))
		}
	} else {
		// Online: fetch and update TUF metadata from the mirror.
		if err := tuf.Initialize(ctx, tufMirror, tufRootBytes); err != nil {
			checkError(logger, err, fmt.Sprintf("Failed to initialize TUF client from %s : %v", tufRoot, err))
		}
	}

What do you think about it? Or is this idea not good at all? Thanks!

Alternatives

No response

Additional Context

No response

Slack discussion

No response

Research

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
@j1nka j1nka added enhancement New feature or request triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Oct 19, 2023
@welcome

welcome bot commented Oct 19, 2023

Thanks for opening your first issue here! Be sure to follow the issue template!

@vishal-chdhry
Member

Hi @j1nka

it needs an Internet connection. It calls tuf.Initialize(), which will always try to update TUF because of the true in initializeTUF().

We are only initialising TUF when the flag enableTUF is set to true; otherwise we will just return.

	func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
		if !enableTUF {
			return
		}

@vishal-chdhry vishal-chdhry added imageVerify Image verification support and removed triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Oct 20, 2023
@j1nka
Author

j1nka commented Oct 20, 2023

Hi @j1nka

it needs an Internet connection. It calls tuf.Initialize(), which will always try to update TUF because of the true in initializeTUF().

We are only initialising TUF when the flag enableTUF is set to true; otherwise we will just return.

	func setupSigstoreTUF(ctx context.Context, logger logr.Logger) {
		if !enableTUF {
			return
		}

@vishal-chdhry Hi! Thanks for your reply!

Yes, it does. But it looks like there are two options:

Option 1 - Without TUF initialization:

  • When Kyverno is trying to verify a signature, it is also trying to download keys from the Internet. It looks like it's not possible to run image verification in air-gapped environments in this scenario

Option 2 - With TUF initialization:

  • Kyverno will use keys which are already present. In that case it's possible to run image verification in air-gapped environments (current FR)

Maybe I'm wrong, but I have some tests which approved the above statements. Trying to find more information in the code :)

@vishal-chdhry
Member

vishal-chdhry commented Oct 20, 2023

When Kyverno is trying to verify a signature, it is also trying to download keys from the Internet. It looks like it's not possible to run image verification in air-gapped environments in this scenario

@j1nka You can use the rekor.pubKey and ctlog.pubkey to verify images without downloading keys from the Internet.

@j1nka
Author

j1nka commented Oct 20, 2023

When Kyverno is trying to verify a signature, it is also trying to download keys from the Internet. It looks like it's not possible to run image verification in air-gapped environments in this scenario

@j1nka You can use the rekor.pubKey and ctlog.pubkey to verify images without downloading keys from the Internet.

@vishal-chdhry thanks! You mean something like this:

        attestations:
          - predicateType: https://example.com/CodeReview/v1
            attestors:
            - entries:
              - keys:
                  ctlog:
                    pubkey: |-
                        -----BEGIN PUBLIC KEY-----
                        XXX
                        -----END PUBLIC KEY-----
                  publicKeys: |-
                    -----BEGIN PUBLIC KEY-----
                    XXX
                    -----END PUBLIC KEY-----
                  rekor:
                    pubkey: |-
                        -----BEGIN PUBLIC KEY-----
                        XXX
                        -----END PUBLIC KEY-----

?

@vishal-chdhry
Member

@j1nka Yes
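The pinned-key form the thread settles on, placed in a complete ClusterPolicy as an added example (not taken from this issue or the Kyverno docs); the registry pattern and all key material are placeholders.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-offline
spec:
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
    - name: check-signature-offline
      match:
        any:
          - resources:
              kinds: [Pod]
      verifyImages:
        - imageReferences:
            - "registry.example.internal/apps/*"   # placeholder registry
          attestors:
            - entries:
                - keys:
                    # Key the images are expected to be signed with.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <signer public key>
                      -----END PUBLIC KEY-----
                    # Rekor's public key, pinned so the transparency-log entry
                    # in the signature bundle is checked with a local key
                    # instead of one fetched through TUF.
                    rekor:
                      pubkey: |-
                        -----BEGIN PUBLIC KEY-----
                        <rekor public key>
                        -----END PUBLIC KEY-----
                    # Certificate transparency log key, pinned the same way.
                    ctlog:
                      pubkey: |-
                        -----BEGIN PUBLIC KEY-----
                        <ctlog public key>
                        -----END PUBLIC KEY-----
```

Because the log keys are now static configuration, rotating them on the Sigstore side means updating this policy by hand, which is the same upkeep the issue notes for a cached TUF root.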
