Use cases n4k with venafi for image verification #46
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| ## Steps for image verification | ||
|
|
||
| Below are the steps to verify images before deployment to Kubernetes runtime environments - | ||
|
|
||
| 1. Download the certified N4K Kyverno and adapter images to the customer's private repo. | ||
| 2. Customize Kyverno and adapter deployment as required for the customer's environment via Helm values file (docker-registry credentials, custom CA, Proxy etc.). | ||
| 3. Deploy Kyverno using the Helm Chart. | ||
| 4. Deploy the adapters using the Helm Chart. | ||
| 5. Leverage cosign or Venafi workflow to sign the images. | ||
| 6. Deploy the image verification Kyverno policy. | ||
| 7. Confirm image verification based on policy pass/fail. | ||
|
|
||
|
|
||
|
|
||
| ## Location and Credentials to access N4K images | ||
|
|
||
| Please download the Kyverno and adapter images below - | ||
|
|
||
| ghcr.io/nirmata/kyverno:v1.8.1-n4kbuild.1 | ||
| ghcr.io/nirmata/kyvernopre:v1.8.1-n4kbuild.1 | ||
| ghcr.io/nirmata/kube-rbac-proxy:v0.13.1 | ||
| ghcr.io/nirmata/nirmata-imagekey-controller:v0.1 | ||
|
|
||
|
|
||
| Please use the below credentials provided to you to access N4K images - | ||
|
|
||
| Username: nirmata-enterprise-for-kyverno | ||
| Password: xx | ||
|
There was a problem hiding this comment. Maybe something else other than "xx" here. Do they know where/how they'll obtain the password? Maybe put that as a sentence. |
||
|
|
||
| ## Kyverno Installation | ||
|
|
||
|
|
||
| Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/nirmata#installing-the-chart). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below | ||
|
There was a problem hiding this comment. "...during installation of the Helm chart..." |
||
| ``` | ||
| --set image.repository=<registry_name>> | ||
| --set image.pullSecrets.registry=<<registry_name>> | ||
|
|
||
| --set image.pullSecrets.username=<user> | ||
| --set image.pullSecrets.password=<password> | ||
| ``` | ||
|
|
||
|
|
||
| For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. | ||
|
There was a problem hiding this comment. "Certificates" |
||
| ``` | ||
| --set systemCertPath=/etc/pki/tls/certs | ||
| --set customCAConfigMap=<<configmap_name>> | ||
|
|
||
| ``` | ||
|
|
||
| ## Nirmata Venafi Adapter installation | ||
|
|
||
|
|
||
| Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below | ||
|
There was a problem hiding this comment. Credentials are for the image registry. "Helm chart" |
||
|
|
||
|
|
||
|
|
||
|
|
||
| ``` | ||
| --set venafiAdapterImage=<<nirmata-imagekey-controller_image_full_path>> | ||
| --set imagePullSecret.registry=<<registry_name>> | ||
| --set imagePullSecret.username=<<user>> | ||
| --set imagePullSecret.password=<<password>> | ||
|
Comment on lines
+57
to
+60
|
||
| ``` | ||
|
|
||
|
|
||
| For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. | ||
|
|
||
|
|
||
|
|
||
| ``` | ||
| --set systemCertPath=/etc/pki/tls/certs | ||
| --set customCAConfigMap=<<configmap_name>> | ||
|
|
||
| ``` | ||
|
|
||
|
|
||
|
|
||
| ## Validate signed images with Venafi adapter | ||
|
|
||
|
|
||
| Refer the steps [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#test-a-sample-policy) to create a password secret and CR yaml imagekey.yaml | ||
| Ensure the first job runs and downloads the specified key to configmap specified | ||
| Refer the sample [policy](https://github.com/dolisss/kyverno_policies/blob/main/supply-chain/verify_image_venafi.yaml) to create a Kyverno imageverify policy referring to the configmap field | ||
| Validate whether pods are blocked or allowed based on whether they are signed with Venafi keys. | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we really want to specify which exact tags to use in these instructions? When we upgrade, we'll have to come back and maintain this list.