Skip to content

Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It provides signature-based assurance of integrity for resources on Kubernetes cluster.

License

Notifications You must be signed in to change notification settings

stolostron/integrity-shield

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Integrity Shield

Kubernetes resources are represented as YAML files, which are applied to clusters when you create and update the resource. The YAML content is designed carefully to achieve the application desired state and should not be tampered with. If the YAML content is modified maliciously or accidentally, and applied to a cluster without notice, the cluster moves to an unexpected state.

Integrity Shield provides preventive control for enforcing signature verification for any requests to create or update resources. Integrity Shield also provides continuous monitoring based on signature verification.

Scenario

Features

Phased approach

Two modes are selectively enabled on your cluster.

  • Enforce (Admission Control): Block to deploy unauthorized Kubernetes resources. Integrity Shield works with OPA/Gatekeeper to enable admission control based on signature verification for Kubernetes resources.
  • Inform (Continuous Monitoring): monitor Kubernetes resource integrity and report if unauthorized Kubernetes resources are deployed on cluster

Manifest signing

X509, PGP and Sigstore signing are supported for singing Kubernetes manifest YAML. K8s Integrity Shield supports Sigstore signing by using k8s-manifest-sigstore.

Easy installation

You can use Integrity Shield Operator to easily install the Integrity Shield on your cluster.

Architecture

Scenario

Integrity Shield consists of two main components, API and Observer. Integrity Shield Operator supports the installation and management of Integrity Shield components on cluster.

Integrity Shield API receives a k8s resource from OPA/Gatekeeper, validates the resource which is included in the admission request and sends the verification result to OPA/Gatekeeper. Integrity Shield API uses verify-resource feature of k8s-manifest-sigstore internally to verify k8s manifest.

Integrity Shield API validates resources according to ManifestIntegrityConstraint which is a custom resource based on constraint framework of OPA/Gatekeeper.

Integrity Shield Observer continuously verifies Kubernetes resource on cluster according ManifestIntegrityConstraint resources and exports the results to resources called ManifestIntegrityState. Integrity Shield Observer also uses k8s-manifest-sigstore to verify signature.

Installation

Prerequisite: Before installing Integrity Shield, OPA/Gatekeeper should be installed on the cluster.

  1. Install operator

This Operator will be installed in the "integrity-shield-operator-system" namespace. If you want to install another namespace, please check this document.

kubectl create -f https://raw.githubusercontent.com/stolostron/integrity-shield/master/integrity-shield-operator/deploy/integrity-shield-operator-latest.yaml
  1. Install Integrity Shield CR
kubectl create -f https://raw.githubusercontent.com/stolostron/integrity-shield/master/integrity-shield-operator/config/samples/apis_v1_integrityshield.yaml -n integrity-shield-operator-system

Tutorials

To get started with Integrity Shield, try out our getting started tutorial.

To start signing Kubernetes manifest, see this document.

Supported Versions

Platforms

Integrity Shield can be deployed with operator. We have verified the feasibility on the following platforms:

OPA/Gatekeeper

About

Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It provides signature-based assurance of integrity for resources on Kubernetes cluster.

Resources

License

Security policy

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Go 67.8%
  • Shell 23.0%
  • Makefile 7.5%
  • Dockerfile 1.7%