Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Protect Stage / 30 Aug 2023
GitLab / Protect Stage / 30 Aug 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Keyless container image signing with GitLab

Description

Demo of the new keyless signing integration with GitLab, available now on GitLab.com.

- Release post: https://about.gitlab.com/releases/2023/07/22/gitlab-16-2-released/#support-for-keyless-signing-with-cosign
- Code used in this video: https://gitlab.com/bwill/container-signing/-/tree/aeb9ba494f2b5fb761c91ca53a221295eaf79ef3
- Cosign project: https://github.com/sigstore/cosign
- Sigstore policy controller: https://github.com/sigstore/policy-controller

A

Hi, my name is Brian Williams and I'm. A senior veteran engineer at Gate lab today, I'd like to show you a quick demonstration of the new uh keyless signing with cosine integration, that's available on github.com.

A

uh What this is is a tool that allows you to sign your container images with a cryptographically, verifiable signature, and you can use that to control what images are able to be run in your production environment. So I have an example, project setup here, where I have added signing to the end of the docker build process.

A

So this is a fairly typical Docker build where we have a Docker file and we would just build the dark file and push the image to the registry and, if we're on the default Branch, then we'll tag that image as latest. uh What the cosine integration here is doing is with just a few commands.

A

We can also sign this image and store the signature in a container registry there's a few things that need to happen. In order to do this, um we have the cosine, yes, true variable. This is just to accept, uh like an end user agreement with with sixture, uh to use uh their infrastructure that they host for public public usage.

A

um Then there is ID tokens keyword and what this does is.

A

It exposes uh an authentication token and see our job variables, which allows cosine to authenticate to uh fossio, which is a service that issues temporary cryptographic keys, and so this lets us do both signing and verification without having to manage our own cryptographic. Keys, uh it's done using temporary ephemeral keys and it and the signatures can be verified uh using a similar process.

A

The checks to ensure that the key used to sign the image was valid at the time that the image was signed. uh It does that using time, stamping and transparency log and a few other things.

A

So with this job, we can sign our images and there's very minimal setup on our part. In order to do this, it's just a few changes to GitHub crop and you can see the result of this job here we have the build step ER.

A

You know we put a base image.

A

And.

A

Push the image- and that was successful. Then we have cosine and it generated ephemeral, keys.

A

And use the signing certificate.

A

uh This is the agreement that I was talking about earlier. We've automatically accepted that and it publishes an entry to a transparency log and then the signature is also hosted in the registry. Alongside the image uh it's stored, there.

A

Then, for the sake of example, we have a verification job which verifies the image. um This requires no credentials at all. It does not require any keys. It just does this using uh the public key infrastructure hosted by sixword, and this image is valid, but you typically would not want to do your verification in the pipeline. What you would want to do is have your kubernetes cluster uh verify that the image is signed and you can do that using the Sig store admission controller.

A

Oh I'm, sorry, it's called positive control um and that this project here I, should have had this open already, but you can use the policy controller in order to have admission rules under kubernetes cluster that they uh you're not allowed to run images that aren't signed, and you can do this to make sure that the image has gone through code reviews and approval and so on.

A

If you verify that uh the image was built by a pipeline, that's on a protected Branch such as main or maybe one of your release, branches or your development branch, and you can use protective Branch rules to ensure that people cannot merge any changes to those branches. Without approvals- um and this lets you add an extra layer of control to ensure that people cannot run arbitrary images in the kubernetes cluster. It has to have gone through code view as I've gone through approval. It has to have been built by the CR pipeline.

A

uh So I'll demonstrate this quickly here.

A

Okay, so I have a brand new kubernetes cluster and I'm going to use to demonstrate this.

A

The first thing to do is install six door. Hem charts I've already done this so I'm going to skip that step. Then you will install a policy controller.

A

And I'm going to check to make sure that was successful.

A

It looks like it was.

A

Then I'm going to create my production, namespace.

A

Where my app will run and I'm going to enable positive verification for this namespace, then I have to add the policy to the cluster I'm, going to show you the ammo file for it real, quick, it's a cluster image policy and it's going to apply to all images.

A

And then this is my assertion that says these images have to have been signed on gitlab.com and they have to be for my project on the main branch.

A

So what this means is that any images that were built outside the main branch like on a merger Quest on the development Branch uh in any of those pipelines, they're not going to be able to be alert, they're not going to be allowed to run in production. uh So uh upside is positive.

A

Is using the short form, extension, okay, okay, so now I have the policy set up?

A

uh What happens is this is going to do signature verification on my images now so if I go over here to Pipeline and if I find a pipeline, I have a couple of pipelines for me, but here's here's, a patch branch that I was working on and this Christian image.

A

But the image wasn't ready, um didn't have any code review, it didn't have any approval from other uh people, so this image might not be good um and I have I. Have you know a deployment that uses this image and I'm gonna? Try creating this deployment with the one from the development branch.

A

And so kubernetes did not allow me to create this deployment because of the emission web hook to another Quest, and it's because signature verification failed for The Authority defined in my policy and the subject that I got was rip head's main patch 1209.

A

So this is working exactly the way it should be. There was a signature, but it didn't have the correct subject because it was not built on the main Birch.

A

So now, if I go back to the pipeline and I try this image that was built on Main.

A

And I'm going to create a deployment with the SIM engine set.

A

And now it works I'm allowed to create my deployment, uh so this is a way that you can have cryptographically verified, Patrol, Firefly, remote controls under kubernetes cluster that Ensure, that on the images that went through your code review process and your build processes are allowed to run in your kubernetes cluster. Thank you.