Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Sigstore / Sigstore Community Talks / 10 Oct 2022
Sigstore / Sigstore Community Talks / 10 Oct 2022
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Signing And Verifying Container Images With Sigstore Cosign And Kyverno

Description

If we want to be certain that what we're running is what we built, we might need to sign container (Docker) images, as well as other types of artifacts. That's where Cosign jump in. Sigstore Cosign makes signatures invisible, especially if we combine it with Kyverno or other Kubernetes admission controller solutions.

#cosign #sigstore #kubernetes

Consider joining the channel: https://www.youtube.com/c/devopstoolkit/join

▬▬▬▬▬▬ 🔗 Additional Info 🔗 ▬▬▬▬▬▬
➡ Gist with the commands: https://gist.github.com/d1bd7ab00d2288c663e436cd513efe85
🔗 Sigstore (Cosign): https://sigstore.dev
🎬 Kubernetes-Native Policy Management With Kyverno: https://youtu.be/DREjzfTzNpA
🎬 How To Replace Docker With nerdctl And Rancher Desktop: https://youtu.be/evWPib0iNgY
🎬 Bitnami Sealed Secrets - How To Store Kubernetes Secrets In Git Repositories: https://youtu.be/xd2QoV6GJlc

▬▬▬▬▬▬ 💰 Sponsoships 💰 ▬▬▬▬▬▬
If you are interested in sponsoring this channel, please use https://calendly.com/vfarcic/meet to book a timeslot that suits you, and we'll go over the details. Or feel free to contact me over Twitter or LinkedIn (see below).

▬▬▬▬▬▬ 👋 Contact me 👋 ▬▬▬▬▬▬
➡ Twitter: https://twitter.com/vfarcic
➡ LinkedIn: https://www.linkedin.com/in/viktorfarcic/

▬▬▬▬▬▬ 🚀 Courses, books, and podcasts 🚀 ▬▬▬▬▬▬
📚 Books and courses: https://www.devopstoolkitseries.com
🎤 Podcast: https://www.devopsparadox.com/
💬 Live streams: https://www.youtube.com/c/DevOpsParadox

▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
00:00 Introduction To Sigstore Cosign
03:38 Client-Side Container Image Validation With Cosign
06:22 Enforce Usage Of Signed Container Images With Kyverno
09:47 Sign Container Images With Sigstore Cosign
11:51 It's Not Only About Container Images

A

How do you know that the container image you are running in your clusters is indeed the one you built? How do you know that no one has tampered with that image? Is it because you're deploying the same tag that you built? If that's the case, let me tell you that it's relatively easy to overwrite a tag in a container registry or to trig the system. To think that the tag you use is the tag you want. The solution to that problem is in signatures.

A

Foreign, let's forget about software. For a moment, let's say that you're purchasing a house or getting a job, you will get the contract. That much is clear, but the question is: how do we validate that the contract between you and someone else is indeed valid? For hundreds of years we've been using signatures, you know signature to validate that the contract is valid. If you signed it, it is likely authentic.

A

Now, to be honest, it is fairly easy to forge a signature, so we started using third parties, like not parties or lawyers, to validate whether it is indeed you who is signing and that the signature document is matching your handwriting. Nevertheless, that wasn't good enough either. After all, we live in a digital era, so we moved into electronic or e-signatures. If your employer sends you a contract to sign, you can use DocuSign or any other service to sign it and through that process confirm that's what you want and that's what you committed to now.

A

Let's move back to software, the problem in answering the question: how do you know that the container image you're running is indeed the money you built? Is that we do not have a way to sign a container image? Actually that's completely incorrect. We do have quite a few tools. We can use to sign container images and today we're going to explore cosine one of the tools in the six door project.

A

Now the official description says that six star empowers software developers to securely sign software artifacts such as release files, container images, binaries Bill of material manifests and more cell materials are often stored in a temporary system. Public log now that might be confusing most of the descriptions of projects and tools are confusing I'm, not sure why people do not make it simpler. Anyways. Let's explain it like this. With six store, we can sign software artifacts with cosine. We can sign git commits with Git sign.

A

We can verify entries with record, which is just another project we can use folks here, I think that's how it's pronounced. Anyway. We can use Focus your certificate Authority, and we can use policycontroller to enforce kubernetes policies. Now we are not going to use the six-door policy controller to enforce anything, because there is a better option.

A

I'm going to show you something much better, also we're not going to focus on all the six store tools, but only on cosine later on, we are going to see how we can combine cosine with something better which is going to remain mystery for a couple of more minutes. Unless you've read the title of this video, then you already know: anyways you're gonna see it soon. Now, let's jump into the demo and see how we can validate whether an image is indeed was indeed actually signed.

A

Now, to validate whether an image was signed is relatively easy. All we have to do is execute command, cosine verify and then pass the key. The public key that was used together with the private key to sign that image and then specify the address of the image itself, which in my case, is silly demo 10 and the output says Nope. There is no matching signature. This was not signed at all or it was not signed with that public key anyways there is no signature, so shall not pass, which is normal.

A

I did not sign anything yet. I just want to show you two things. First of all how we can validate and second that this is a silly way to validate images. That is a better way, but we're going to get there in a few minutes.

A

Now, before we proceed, let me explain that the key that I referenced in that command together with another key, the private key, was generated with the command cosine generate key pair I did not show it in this demo, but there is a twist with all the commands and you can find in that case both those that I used to prepare for the demo and those that are executing right now.

A

Now, in this specific case, the keys are stored locally on my laptop on my local file system, but they can be stored as kubernetes Secrets as well. Those Secrets can be, for example, encrypted with sealed secrets and stored as a manifest in a git triple and if you're not familiar with seal secrets. Well watch this video that one shows you how how awesome steel secrets are I'm not going to do that now.

A

Similarly, we can instruct cosine to generate and use keys from one of the Key Management Services, like AWS KMS, Azure, key Vault, Google, KMS, hashicot, Vault, probably a few others. We can also use open ID connect to sign images, so there are many many different ways how we can generate keys, where we can store keys from where we can retrieve those keys and so on and so forth. Now, going back to the commander executed, you know cosine validate.

A

That was a bad command unless part of the process of signing, but that's definitely not a command. You should use to validate images because client-side validation today in this day and age is silly. It is hard to guarantee the commands like that were executed and it might be a maintenance nightmare going through all the pipeline scripts and any other place where such validation need to be performed.

A

Fortunately, there is a better way and that's what we are going to explore next kubernetes and Mission controllers are a great way to ensure that only the manifests that meet certain criteria are accepted by the cluster. Now, given that container image reference is a part of manifest, we can use admission controllers to ensure that those images are signed before the Manifest that use them are applied to the cluster.

A

With that in mind, today we are going to use one of my favorite tools to generate admission, controller policies, that tool is kyberno and if you're not familiar with caberno. There are two steps: two things you need to do. First, you need to be ashamed for not knowing about kyberna.

A

Second watch this video or even better continue watching the one you're watching right now and then go back and watch the video I'm suggesting and find out more about caverno, because it's absolutely awesome, even though it's not the main subject that we we are exploring right now.

A

So let me output file called Werner yaml and that that's the policy, that's the policy that I'm going to use to enforce, to make sure that all the manifests are assigned by cosine before they're applied uh to the cluster, actually not that money fits are signed, but the images that are used in manifest are signed before manifests that contain references to those images are applied so again, I'm not going to go into details. Watch caverno video for that. What matters right now is, first of all, I'm going to enforce this rule.

A

So it's not going to be informative only, but simply it will not allow us to apply a manifest of certain kind and then I'm, saying hey. You should verify certain images and in this case only one image silly demo, but it could be any image. Potentially, you should not allow any unsigned image in your cluster, and then we have a testers, I'm saying: hey, there should be funnel tester and data tester should validate that the public key that is specified below is the one used by the image that was signed.

A

First of all, the image needs to be signed. Second, the public key needs to match so I'm, going to execute Cube cattle namespace's production I'm going to apply that file so that the policy is active and then we're going to take a look at the deployment that I'm about to run. The only thing that matters really in this deployment is that the image is silly demo 10..

A

That image has not been signed. Yet you know that it hasn't been signed because I showed you when I executed, cosine validate that that image was not signed. What they want to do right now is to validate that caverno will prevent me from applying manifested references that image. So, let's see whether that's really the case I'm going to execute your capital name, species production I want to apply whatever is defined in the directory and there we go. It says. No, though, shall not pass the admission web hook.

A

Whatever the web cook is says, no, you cannot do it because I failed to validate to verify the signature. For that specific tag, I need to sign the image before I can apply the image to my cluster so signing an image, and through that signature confirming that's the image I really really want to use is simply with the command cosine sine.

A

Then I need to provide the private key uh so that that's the key it will be signed with the address of the image that is already pushed that is already available in the registry and the the image is silly demo and the tag is 10. and it went to the password for my private key and there we go it. The image was signed and then sixth or pushed additional information to my container registry. In this case, that's Docker Hub. Now, let's verify again through the silly command line command.

A

Whether the image is now signed with cosine verify. There is the path to the public key we always validate with the public key and the address of the image itself. Silly demo, OneNote, 10 and I'm going to pipe it to Jake you so that you can see the nice output and there we go right this time. It is not complaining this time it is confirming hey. This image was indeed signed by this key. It is safe to use I mean it is not safe.

A

There are many many many many other things that can go wrong, but at least now I can confirm that the image I built is the image I signed and the image assigned is the one that will be applied that will be running in the cluster. Now, if I try to apply that manifest, that uses that image with cube catleness with production apply. Whatever is in the directory case, we can see that deployment was created. There is no error: cavano is not freaking out. Everything works smoothly. No news, good news.

A

My image is safe, actually again not safe, but can be run in a cluster, because I just confirmed that that's the one that I want to run. Nevertheless, it's not only about container images now cross sign is not really focused on container images.

A

Cosine is focused on enabling us to sign and verify uh signatures of anything stored in a container registry, so that can be an image or images, as we saw so far, but we could also upload the blobs or binaries and other types of artifacts into container registry, and if you do, then we can verify those sign and verify those as well. We can also use cosine with the s-bombs or software bills of materials. We can use it for tecton bundles. We can use it for webassembly modules or bosoms, and so on and so forth.

A

Almost anything that can be pushed to a container registry, not only container images. Anything can be signed and verified by cosine. So should you use cosine well to begin with? Cosine is think of it as unofficial standard for signing container images or anything that can be pushed to a container registry. On top of that, we have other six store projects that can come in handy as well, even though we're not exploring them in this video. Given that signing is simple, it's so simple.

A

It can be easily added to your CI pipelines or, whichever other process you use to build and push images. There is no good reason not to sign them on top of that Cavern or any other type of admission controllers can be used to enforce that images are signed and validated in a verified without any additional effort. So there is almost no effort involved to use cosine, especially if you combine it with admission controllers. So should you use it heck? Yeah cosine is a must use it adopt it now.

A

You do not have a single excuse not to use it.