support for redhat simple signature verification #84
I think this represents a reasonable initial release of support for RedHat simple signatures with follow-on issues to make incremental improvements, e.g. we should have a README to describe the policy options for simple.
README.md
| ## How it works | ||
| Portieris uses a Kubernetes Mutating Admission Webhook to modify your Kubernetes resources at the point of creation, to ensure that Kubernetes pulls the signed version. When configured to do so, it enforces trust pinning, and blocks the creation of resources that use untrusted images. | ||
| Portieris uses a Kubernetes Mutating Admission Webhook to modify your Kubernetes resources at the point of creation, to ensure that Kubernetes runs only policy compliant images. When configured to do so, it can enforce Docker Content Trust with optional trust pinning, or can verify signatures created using RedHat's simple signing model and will prevent the creation of resources using untrused or unverified images. |
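Review bot: typo in the added line: "untrused" should be "untrusted", and "policy compliant images" reads better hyphenated as "policy-compliant images". The rest of the rewording (DCT with optional trust pinning, or simple-signing verification) is clear.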
README.md
| When you create or edit a workload, the Kubernetes API server sends a request to Portieris. The AdmissionRequest contains the content of your workload. For each image in your workload, Portieris finds a matching security policy. | ||
| If trust enforcement is enabled in the policy, Portieris pulls signature information for your image from the corresponding Notary server and, if a signed version of the image exists, creates a JSON patch to edit the image name in the workload to the signed image by digest. If a signer is defined in the policy, Portieris additionally checks that the image is signed by the specified role, and verifies that the specified key was used to sign the image. | ||
| If simple signing is specified by the policy, Portieris will verify the signature using using the public key and identity rules supplied in the policy and if verified similarly mutates the image name to a digest referencee to ensure that concurrent tag changes cannot influence the image being puuled. | ||
| While it is possible to require both DCT and Simple signing, alternatives are *not* allowed, if both are required conflicting digests will cause the image to be denied. |
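Review bot: the added simple-signing paragraph has three typos: "using using" (drop one), "referencee" (should be "reference") and "puuled" (should be "pulled"). The last sentence is a comma splice and "alternatives are *not* allowed" is ambiguous about what an alternative is; suggest stating the rule directly, e.g. "If both methods are required, both must verify and must resolve to the same digest; if the digests differ, the image is denied."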
Did you want to put each of these sentences on their own line? If so, you need to put another newline between them - at the moment this renders to one block of text as before.
README.md
| When you create or edit a workload, the Kubernetes API server sends a request to Portieris. The AdmissionRequest contains the content of your workload. For each image in your workload, Portieris finds a matching security policy. If trust enforcement is enabled in your policy, Portieris pulls signature information for your image from the corresponding Notary server and, if a signed version of the image exists, creates a JSON patch to edit the image name in the workload to the signed image by digest. If a signer is defined in the policy, Portieris additionally checks that the image is signed by the specified role, and verifies that the specified key was used to sign the image. | ||
| When you create or edit a workload, the Kubernetes API server sends a request to Portieris. The AdmissionRequest contains the content of your workload. For each image in your workload, Portieris finds a matching security policy. | ||
| If trust enforcement is enabled in the policy, Portieris pulls signature information for your image from the corresponding Notary server and, if a signed version of the image exists, creates a JSON patch to edit the image name in the workload to the signed image by digest. If a signer is defined in the policy, Portieris additionally checks that the image is signed by the specified role, and verifies that the specified key was used to sign the image. | ||
| If simple signing is specified by the policy, Portieris will verify the signature using using the public key and identity rules supplied in the policy and if verified similarly mutates the image name to a digest referencee to ensure that concurrent tag changes cannot influence the image being puuled. |
README.md
| When you create or edit a workload, the Kubernetes API server sends a request to Portieris. The AdmissionRequest contains the content of your workload. For each image in your workload, Portieris finds a matching security policy. | ||
| If trust enforcement is enabled in the policy, Portieris pulls signature information for your image from the corresponding Notary server and, if a signed version of the image exists, creates a JSON patch to edit the image name in the workload to the signed image by digest. If a signer is defined in the policy, Portieris additionally checks that the image is signed by the specified role, and verifies that the specified key was used to sign the image. | ||
| If simple signing is specified by the policy, Portieris will verify the signature using using the public key and identity rules supplied in the policy and if verified similarly mutates the image name to a digest referencee to ensure that concurrent tag changes cannot influence the image being puuled. | ||
| While it is possible to require both DCT and Simple signing, alternatives are *not* allowed, if both are required conflicting digests will cause the image to be denied. |
Perhaps:
While it is possible to require both Notary and simple signing, the two methods must agree on the signed digest for the image. If the two methods return different signed digests, the image is denied.
pkg/controller/multi/controller.go
| // convert digest to patch | ||
| glog.Infof("Mutation #: %s %d Image name: %s", containerType, containerIndex, img.String()) | ||
| if strings.Contains(container.Image, img.String()) { | ||
| // TODO: seems odd to have both tag and digest |
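Review bot: `strings.Contains(container.Image, img.String())` is a substring test, so a shorter reference can match inside a longer, different one; since this decides which container gets the digest patch, an exact comparison (or comparing parsed references) would be safer than a substring match. The `glog.Infof` format string `"Mutation #: %s %d Image name: %s"` also reads oddly; something like `"Mutation %s[%d]: image %s"` would make the container type and index clearer in logs.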
It is a TODO and should be investigated; it is not a change from master. Would an issue be better?
pkg/kubernetes/secret.go
| if key, ok := secret.Data["key"]; ok { | ||
| return key, nil | ||
| } | ||
| return nil, fmt.Errorf("Secret %q in %q does not contain a \"key\" attribte", secretName, namespace) |
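Review bot: typo in the error message: "attribte" should be "attribute". Go convention (enforced by the usual linters) is that error strings start lowercase and carry no trailing punctuation, since they are often wrapped; suggest `fmt.Errorf("secret %q in %q does not contain a \"key\" attribute", secretName, namespace)`.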
| assert.Contains(t, err.Error(), tt.errMsg, "unexpected error") | ||
| } else { | ||
| assert.NoError(t, err) | ||
| //assert.Equal(t, tt.wantList, got) |
Is this commented out intentionally?
* save
* wip-save
* unused
* wip-2
* wip
* wip
* pr check
* makefile fmt
* no dep on gpgme
* vet
* fix test invoke
* trust and simple concurrently
* review issues
* ease local testing
* improve ut tests
* e2e.simple
* README less DCT specific
* multiple simple policies and tests
* keys from secrets
* doc typos, code cleanliness
#70