diff --git a/charts/cosigned/Chart.yaml b/charts/cosigned/Chart.yaml index e885982d..2243eb6c 100644 --- a/charts/cosigned/Chart.yaml +++ b/charts/cosigned/Chart.yaml @@ -6,8 +6,9 @@ sources: - https://github.com/sigstore/cosign type: application + name: cosigned -version: v0.0.5 +version: v0.0.6 appVersion: v1.2.1 maintainers: diff --git a/charts/cosigned/README.md b/charts/cosigned/README.md index a1be849c..df393877 100644 --- a/charts/cosigned/README.md +++ b/charts/cosigned/README.md @@ -4,9 +4,8 @@ * Kubernetes cluster with rights to install admission webhooks * Helm -## Deploy `cosigned` Helm Chart +### Deploy `cosigned` Helm Chart -Generate a keypair to validate the signatures of the deployed Kubernetes resources and their images: ```shell export COSIGN_PASSWORD= @@ -18,7 +17,10 @@ The previous command generates two key files `cosign.key` and `cosign.pub`. Next ```shell kubectl create namespace cosign-system -kubectl create secret generic mysecret -n cosign-system --from-file=cosign.pub=./cosign.pub --from-file=cosign.key=./cosign.key --from-literal=cosign.password=$COSING_PASSWORD +kubectl create secret generic mysecret -n \ +cosign-system --from-file=cosign.pub=./cosign.pub \ +--from-file=cosign.key=./cosign.key \ +--from-literal=cosign.password=$COSIGN_PASSWORD ``` Install `cosigned` using Helm and setting the value of the secret key reference to `mysecret` that you created above: @@ -31,7 +33,9 @@ helm repo update helm install cosigned -n cosign-system sigstore/cosigned --devel --set webhook.secretKeyRef.name=mysecret ``` -To enable the Admission Controller to check the signed images you will need to add the following annotation in the namespaces that you are interested to watch: +### Enabling Admission control + +To enable the `cosigned admission webhook` to check for signed images, you will need to add the following annotation in each namespace that you would want the webhook triggered: Annotation: `cosigned.sigstore.dev/include: "true"` 
@@ -48,9 +52,21 @@ spec: - kubernetes ``` -Then when creating, for example, a Deployment that does not have the images signed you will get the following error: +### Testing the webhook + +1. Using Unsigned Images: +Creating a deployment referencing images that are not signed will yield the following error and no resources will be created: + + ```shell + kubectl apply -f my-deployment.yaml + Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image + ``` +2. Using Signed Images: Assuming a signed `nginx` image with a tag `signed` exists on a registry, the resource will be successfully created. + + ```shell + kubectl run pod1-signed --image=< REGISTRY_USER >/nginx:signed -n testns + pod/pod1-signed created + ``` + + -```shell -kubectl apply -f my-deployment.yaml -Error from server (BadRequest): error when creating "my-deployment.yaml": admission webhook "cosigned.sigstore.dev" denied the request: validation failed: invalid image signature: spec.template.spec.containers[0].image -```
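Review bot: the `+` blank line inserted between `type: application` and `name: cosigned` in the Chart.yaml hunk is an unrelated whitespace change riding along with the version bump; drop it so the hunk is only `-version: v0.0.5` / `+version: v0.0.6`.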
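Review bot: deleting the sentence "Generate a keypair to validate the signatures of the deployed Kubernetes resources and their images:" in the first README hunk leaves the shell block that follows (`export COSIGN_PASSWORD=` ...) with no introduction, and the next hunk's context still says "The previous command generates two key files `cosign.key` and `cosign.pub`", so that reference now dangles; keep the sentence or an equivalent lead-in. The `## Deploy` to `### Deploy` demotion matches the other new `###` sections, but please confirm the heading above the prerequisites list (`* Kubernetes cluster ...`) is a `##`, otherwise the page skips a heading level.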
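Review bot: in the `kubectl create secret` hunk the first line break sits between `-n \` and its argument `cosign-system`; that is valid shell, but separating a flag from its value is hard to read and easy to mis-edit. Break after the namespace instead, e.g. `kubectl create secret generic mysecret -n cosign-system \`, and indent the continuation lines. The `$COSING_PASSWORD` to `$COSIGN_PASSWORD` fix is correct and deserves a mention in the commit message: with the typo the variable was unset, so `cosign.password` in the secret was created empty while the earlier `export COSIGN_PASSWORD=` step suggested otherwise.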
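Review bot: in the "Enabling Admission control" hunk, `cosigned admission webhook` is set in backticks although it is a descriptive phrase rather than an identifier; write it as plain text, or backtick only `cosigned`. The heading's capitalization is inconsistent with `### Testing the webhook` ("Admission" capitalized, "control" not); suggest `### Enabling admission control`. Also "in each namespace that you would want the webhook triggered" reads awkwardly; suggest "in each namespace where you want the webhook to be triggered".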
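Review bot: in the "Testing the webhook" hunk, the line "Creating a deployment referencing images that are not signed ..." under `1. Using Unsigned Images:` is not indented, so Markdown renders it as a separate paragraph and ends the list before the indented code fence; indent it three spaces like the fence. The two trailing `+` blank lines added just before the removed block are stray whitespace and should go. In item 2, neither `-n testns` nor `< REGISTRY_USER >` is introduced anywhere in the visible text: state that `testns` must be a namespace carrying the `cosigned.sigstore.dev/include: "true"` annotation from the previous section (without it the webhook is not triggered and the "signed image admitted" test proves nothing), and write the placeholder as `<REGISTRY_USER>` without inner spaces so a copied command does not break on them.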