feat: Add manifests for attestation verification using notary (#990)

* feat: add manifests Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * feat: add image info Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> * fix: add review changes from Chip Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com> --------- Signed-off-by: Vishal Choudhary <sendtovishalchoudhary@gmail.com>
kyverno · Oct 26, 2023 · d05766b · d05766b
1 parent 5dad325
commit d05766b
Showing 1 changed file with 88 additions and 1 deletion.
diff --git a/content/en/docs/Writing policies/verify-images/notary/_index.md b/content/en/docs/Writing policies/verify-images/notary/_index.md
@@ -140,4 +140,91 @@ You can manage public keys and certificates as external data in a ConfigMap. See
 
 ## Verifying Image Attestations
 
-Kyverno does not support verifying attestations signed by Notary. This feature is being implemented and scheduled for the [next minor release](https://github.com/kyverno/kyverno/milestones?direction=asc&sort=due_date&state=open).
+Consider the following image: `ghcr.io/kyverno/test-verify-image:signed`
+
+```
+ghcr.io/kyverno/test-verify-image:signed
+├── application/vnd.cncf.notary.signature
+│  └── sha256:7f870420d92765b42cec0f71ee8e25bf39b692f64d95d6f6607e9e6e54300265
+├── vulnerability-scan
+│  └── sha256:f89cb7a0748c63a674d157ca84d725ff3ac09cc2d4aee9d0ec4315e0fe92a5fd
+│  └── application/vnd.cncf.notary.signature
+│  └── sha256:ec45844601244aa08ac750f44def3fd48ddacb736d26b83dde9f5d8ac646c2f3
+└── sbom/cyclone-dx
+  └── sha256:8cad9bd6de426683424a204697dd48b55abcd6bb6b4930ad9d8ade99ae165414
+  └── application/vnd.cncf.notary.signature
+  └── sha256:61f3e42f017b72f4277c78a7a42ff2ad8f872811324cd984830dfaeb4030c322
+```
+
+This image has:
+
+1. A notary signature.
+2. A vulnerability scan report, signed using notary.
+3. A CycloneDX SBOM, signed using notary.
+This policy checks the signature in the repo `ghcr.io/kyverno/test-verify-image` and ensures that it has been signed by verifying its signature against the provided certificates:
+
+```yaml
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: check-image-attestation
+spec:
+  validationFailureAction: Enforce
+  webhookTimeoutSeconds: 30
+  failurePolicy: Fail  
+  rules:
+    - name: verify-attestation-notary
+      match:
+        any:
+        - resources:
+            kinds:
+              - Pod
+      context:
+      - name: keys
+        configMap:
+          name: keys
+          namespace: kyverno
+      verifyImages:
+      - type: Notary
+        imageReferences:
+          - "ghcr.io/kyverno/test-verify-image*"
+        attestations:
+          - type: sbom/cyclone-dx
+            attestors:
+            - entries:
+              - certificates: 
+                  cert: |-
+                    -----BEGIN CERTIFICATE-----
+                    MIIDTTCCAjWgAwIBAgIJAPI+zAzn4s0xMA0GCSqGSIb3DQEBCwUAMEwxCzAJBgNV
+                    BAYTAlVTMQswCQYDVQQIDAJXQTEQMA4GA1UEBwwHU2VhdHRsZTEPMA0GA1UECgwG
+                    Tm90YXJ5MQ0wCwYDVQQDDAR0ZXN0MB4XDTIzMDUyMjIxMTUxOFoXDTMzMDUxOTIx
+                    MTUxOFowTDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAldBMRAwDgYDVQQHDAdTZWF0
+                    dGxlMQ8wDQYDVQQKDAZOb3RhcnkxDTALBgNVBAMMBHRlc3QwggEiMA0GCSqGSIb3
+                    DQEBAQUAA4IBDwAwggEKAoIBAQDNhTwv+QMk7jEHufFfIFlBjn2NiJaYPgL4eBS+
+                    b+o37ve5Zn9nzRppV6kGsa161r9s2KkLXmJrojNy6vo9a6g6RtZ3F6xKiWLUmbAL
+                    hVTCfYw/2n7xNlVMjyyUpE+7e193PF8HfQrfDFxe2JnX5LHtGe+X9vdvo2l41R6m
+                    Iia04DvpMdG4+da2tKPzXIuLUz/FDb6IODO3+qsqQLwEKmmUee+KX+3yw8I6G1y0
+                    Vp0mnHfsfutlHeG8gazCDlzEsuD4QJ9BKeRf2Vrb0ywqNLkGCbcCWF2H5Q80Iq/f
+                    ETVO9z88R7WheVdEjUB8UrY7ZMLdADM14IPhY2Y+tLaSzEVZAgMBAAGjMjAwMAkG
+                    A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgeAMBMGA1UdJQQMMAoGCCsGAQUFBwMDMA0G
+                    CSqGSIb3DQEBCwUAA4IBAQBX7x4Ucre8AIUmXZ5PUK/zUBVOrZZzR1YE8w86J4X9
+                    kYeTtlijf9i2LTZMfGuG0dEVFN4ae3CCpBst+ilhIndnoxTyzP+sNy4RCRQ2Y/k8
+                    Zq235KIh7uucq96PL0qsF9s2RpTKXxyOGdtp9+HO0Ty5txJE2txtLDUIVPK5WNDF
+                    ByCEQNhtHgN6V20b8KU2oLBZ9vyB8V010dQz0NRTDLhkcvJig00535/LUylECYAJ
+                    5/jn6XKt6UYCQJbVNzBg/YPGc1RF4xdsGVDBben/JXpeGEmkdmXPILTKd9tZ5TC0
+                    uOKpF5rWAruB5PCIrquamOejpXV9aQA/K2JQDuc0mcKz
+                    -----END CERTIFICATE-----
+            conditions:
+            - all:
+              - key: "{{ components[].licenses[].expression }}"
+                operator: AllIn
+                value: ["GPL-3.0"]
+
+```
+
+After this policy is applied, Kyverno will verify the signature on the sbom/cyclone-dx attestation and check if the license version of all the components in the SBOM is `GPL-3.0`.
+
+```sh
+kubectl run test --image=ghcr.io/kyverno/test-verify-image:signed --dry-run=server
+pod/test created (server dry run)
+```