►
From YouTube: Securing Kubernetes Manifests with Sigstore and Kyverno - Jim Bugwadia, Nirmata & Yuji Watanabe
Description
Don’t miss out! Join us at our upcoming event: KubeCon + CloudNativeCon Europe 2023 in Amsterdam, The Netherlands from April 17-21. Learn more at https://kubecon.io. The conference features presentations from developers and end users of Kubernetes, Prometheus, Envoy, and all of the other CNCF-hosted projects.
Securing Kubernetes Manifests with Sigstore and Kyverno - Jim Bugwadia, Nirmata & Yuji Watanabe, IBM Research
Kubernetes offers a powerful declarative configuration management system which allows users to specify the desired state using a set of resources. In this talk, Yuji and Jim will show how you can establish trust and protect the integrity of Kubernetes resources. They will use Sigstore to sign YAML definitions and Kyverno to verify resources during admission controls. They will highlight real-world use cases for resource signing such as tamper-prevention and approval workflows which can be driven using OSS tools like Cosign and Kyverno.
A
Thanks
folks,
it's
about
six
months
ago,
Eugene
presented
at
a
caverno
community
meeting
and
he
talked
about
you
know,
yaml
signing
and
the
first
question.
You
know
when
we
were
kind
of
discussing
this
is
we
were
asking
well?
Why
would
you
want
to
do
that?
Why
sign
the
animals?
What's
the
benefit,
and
what
can
we
derive
from
this
and,
of
course,
once
we
got
past
that
discussion,
the
next
thing
that
came
up
as
well.
How
does
this
actually
work?
What
does
it
mean
to
sign
a
yaml
manifest?
A
So,
let's
start
with
the
Y
right.
So
why
would
you
want
to
sign
yamls
and
just
to
kind
of
recap,
signing
anything
gives
you
three
things.
The
first
thing
is:
it
makes
sure
that
what
you,
the
data,
you're
receiving
the
message
or
payload
is
authentic.
It
comes
from
who
you
think
it
comes
from.
The
second
is:
it
makes
sure
that
the
it
hasn't
been
tampered
with,
so
there's
Integrity
protection,
and
finally,
it
also
makes
sure
that
you
know
once
something
is
signed.
You
cannot
kind
of
go
back
and
reneg
on
that
or
change
that.
A
A
You
know
in
a
git
repo
somewhere
and
you're,
going
to
use
a
git
Ops
controller
to
push
these
yaml
manifests
into
your
cluster,
and
then
controllers
within
your
cluster
are
going
to
look
at
that
declared
State
and
the
current
state
of
the
system
and
reconcile
the
two
so
in
kubernetes
driving
its
declarative
configuration
through
yamls
becomes
pretty
much
the
standard
practice.
So
putting
you
know
that,
together
with
now
signatures,
the
benefits
you're
going
to
get
is
you're
going
to
make
sure
that
the
data
in
those
yamls
the
contents
of
your
resource
manifest
is
authentic.
A
It
hasn't
been
tampered
with
once
it's
deployed
into
the
cluster,
and
you
can
also
make
sure
that
you
know
you're
you're,
preventing
any
inadvertent
or
unauthorized
changes,
but
which
may
occur
in
your
cluster
itself.
So
signing
can
also
be
used
to
build
some
pretty
interesting
workflows
like
approvals.
If
you
want,
you
know
multiple
signatures
before
a
resource
is
deployed,
you
can
do
that
or
if
you
just
want
to
prevent
you
know
some
resource
from
being
going
into
production
until
your
QA
or
your
production
team
signs
off
on
it
all
right.
A
So
this
is
in
a
repo
under
the
six-door
repository,
it's
creators
manifest
six
store
and
what
this
does
is
it
contains
pretty
much
a
command
line,
as
well
as
a
library
everything
you
would
need
to
sign
and
verify
yaml
resources,
so
it
builds
on
top
of
cosine.
It
has
you
know,
logic
you
know
to
to
be
able
to
inspect
the
yaml
to
be
able
to.
You
know,
convert
that
into
a
couple
of
hashes
which
are
ingested
in
the
yaml
file
itself.
A
A
Its
role
is
to
be
able
to
inspect
any
admission
request,
apply
your
configured
policies
in
this
case.
That
would
be
a
policy
which
you
know
for
signing
your
yaml
files
itself,
and
you
can
also
you
know,
generate
resources,
but
that's
obviously
a
different
use
case
from
what
we'll
look
at
today,
so
putting
that
all
together
in
the
end-to-end
flow.
A
But
given
every
all
of
the
data
and
these
annotations,
which
are
inserted
into
the
yaml,
what
we'll
be
able
to
do
is
then
verify
the
contents
and
either
allow
or
deny
that
request.
Now.
This
request
may
also
originate
inside
the
cluster,
so
in
case
somebody
edits
that
GMO
it
would
be.
You
know
you
would
be
able
to
deny
that
if
it
wasn't
signed
and
didn't
flow
through
the
right
phases
of
your
deployment
pipeline.
A
B
B
So
let
me
introduce
a
little
bit
detail
of
the
how
the
side
this
mechanism
works.
The
first
signing
Miami
manifests.
So
this
is
a
tool
of
the
cly.
Actually,
the
cube
CTL
program,
the
it's
a
original
some
annotation
is
in
injected
to
the
original-
must
be
via
my
best.
Basically,
it
gets
this
manifest
body
and
encode
the
it's
signed
by
the
cosine
sine
below
command.
Then
it
encoded
message
and
encoded
signature
is
embedded
into
The
annotation,
so
the
to
verify
this
sign
the
yellow
manifest.
So
there
are
three
steps.
B
B
So
yeah
this
mechanism
is
actually
embedded
in
in
the
key
value
control,
so
the
to
configure
the
this
signature
identification.
We
can
use
Cabernet
policy,
so
actually
the
new
declaration
validate
manifest
is
defined
by
this,
so
the
normal,
and
so
the
mass
of
so
resource
to
me
to
be
signed
is
specified
and
also
the
as
public
key
is
specified
in
this
position.
B
B
So
the
challenge
to
verify
this
signature,
the
in
admission
controller,
is
a
mutation.
So
the
when
you
create
apply
a
send
the
request
from
the
QVC
TL
comma
capacity
command,
so
the
originally
Amino
manifest
is
not
coming
to
the
admission
control
point.
So
some
mutation
happens
before
the
before
that
checked.
B
Like
the
native
admission
control,
May
introduce
some
mutation
to
the
original
Emerald,
so
the
thing
to
verifying
the
con
yeah
my
best,
we
need
to
think
to
consider
how
which
part
is
generated
from
the
those
trusted
admission
controller
or
this.
This
change
is
not
allowed
or
not
so
that
that
consolation
is
required.
B
So
the
solution
is
first
solution.
Is
you
can
specify
the
which,
which
part
of
the
manifest
can
be
a
should
be
ignored?
So
maybe
that's
some.
You
can
specify
the
this.
This
mutation
is
introduced
by
the
some
native
communities,
admission
control,
or
maybe
you,
if
you
know
you,
you
have
some
your
own
custom
admission
controller.
You
can
specify
that
ignore
configuration.
B
Okay.
That
is
one
approach.
Another
approach
is
a
driver
and
a
computer,
so
this
is
a
approach
to
compute
the
diff
by
using
the
duratum
output.
So
I
will
explain
later,
but
this
this
approach
is
pretty
good
because
you
don't
need
to
specify
the
which
part
should
be
ignored
because
it
is
a
expected.
Mutation
is
automatically
computed
by
the
driver
in
admission
control
phase,
so
that
part
is
good.
But
but
another
requirement
is
the
you
need
to
add
some
addition.
B
So
approach
is
like
this,
so
the
admission
requests
come,
but
the
admission
people
coming
to
admit
admission
request
is
coming
to
the
keyboard.
No,
the
the
some
attribute,
some
library
or
annotation.
Some
part
of
the
Manifest
is
mutated,
maybe
added
to
something
so,
but
this
change
is
also
computed
in
the
in
the
driver
in
the
admission
cultural.
So
then
you
can
check
you
can
compare
those
two.
So
do
I
run
this
out
and
coming
the
admission
code
rules.
Okay,
the
you
can
you
can
automatically
filter
the
expected
expected
mutation.
B
B
B
B
B
B
B
A
A
It's
probably
not
the
best
idea
to
use
this
for
every
resource
in
your
cluster,
but
certainly
things
like
cluster
roles,
policies
Etc
you
might
want
to
protect
and
make
sure
that
those
are
signed-
and
you
know,
can
be
not
tampered
or
not
changed
later
in
your
pipeline
itself.
The
signing
and
verification
is
pretty
simple:
six
door.
Of
course.
A
Cosine
can
sign
everything,
so
you
know
might
as
well
use
it,
and
it's
using
the
you
know
the
blob
signature
format
underneath
so
you
can
utilize
that
to
sign,
and
then
you
can
use
admission
controllers
like
kiverno
to
do
the
verification
in
the
cluster
itself.
So
certainly,
you
know
feel
free
to
you
know
either
reach
out
on
the
kuberno
channel
or
on
the
cosign
Channel.
If
you
have
any
questions
or
would
like
to
see
any
other
examples
of
using.
This
also
want
to
give
a
quick
welcome
shout
out
to
Rico.
A
A
A
A
A
A
A
A
B
A
Yeah,
one
of
the
other
schemes
we
had
explored
is,
if
there's
some
other
way
to
get
a
canonical
form
of
the
resource,
but
it
becomes
a
pretty
hard
problem
right
because
you
need
to
know
what
the
actual
initial
form
was
and
strip
out
all
of
the
other
things
that
could
have
changed
in
your
pipeline
or
through
other
mutating
controllers
or
in
cluster
controllers
like
when
a
pod
gets
deployed.
It's
amazing
how
much
stuff
gets
added
by
just
the
standard
controllers,
and
all
of
that
needs
to
be
ignored.