** THE CODE IN THIS REPO HAS BEEN MOVED TO THE OFFICIAL COSIGN REPO **
** THIS IS ARCHIVED **
A Kubernetes admission controller to verify images have been signed by cosign
!
- install ko
- install cert-manager
- install kustomize
- install cosign
Run make deploy
!
Don't forget to change Go module name
module github.com/dlorenc/cosigned --> module github.com/<your_github_name>/cosigned
$ export SECRET_KEY_REF=k8s://default/mysecret
$ envsubst \
< config/manager/kustomization.template.yaml \
> config/manager/kustomization.yaml
$ export PROJECT_ID=$(gcloud config get-value project)
$ export KO_DOCKER_REPO=gcr.io/$PROJECT_ID
$ export GITHUB_NAME="dlorenc"
$ IMG=ko://github.com/$GITHUB_NAME/cosigned make deploy
cosigned
only watches namespaces with the label cosigned=true
on them, so set that up:
NS=default
kubectl label ns $NS cosigned=true --overwrite
Grab a container and try to run it:
$ IMAGE=$KO_DOCKER_REPO/demo
$ crane cp --platform=linux/amd64 ubuntu $IMAGE
$ kubectl run -it unsigned --image=$IMAGE
Error from server (invalid signatures): admission webhook "cosigned.sigstore.dev" denied the request: invalid signatures
Sign a container:
$ cosign generate-key-pair $SECRET_KEY_REF
$ cosign sign -key $SECRET_KEY_REF $IMAGE
Enter password for private key:
Pushing signature to: gcr.io/dlorenc-vmtest2/cosigned:sha256-fb607a5a85c963d8efe8f07b5935861aea06748f2a740617f672c6f75a35552e.cosign
Now run it:
$ kubectl run -it signed --image=$IMAGE
If you don't see a command prompt, try pressing enter.
/ #
Cosigned uses a single Secret for configuration right now. Because cosign
now supports to store pub/private key pair in Kubernetes secrets.
There is one field called cosign.pub
, which contains a PKIX-formatted public key to trust.
All images must be signed by the key to run in the cluster.
Enforcement is opt-in at the namespace-level.
Namespaces with the label cosigned=true
will be enforced.