Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Sigstore / Sigstore Community Talks / 1 Jun 2023
Sigstore / Sigstore Community Talks / 1 Jun 2023
Previous Meeting
Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Securing Kubernetes Manifests with Sigstore Cosign, What Are Your Options? - Mathieu Benoit, Google

Description

Securing Kubernetes Manifests with Sigstore Cosign, What Are Your Options? - Mathieu Benoit, Google

In this talk, we will explore the options to verify with Sigstore Cosign the provenance of Kubernetes manifests before actually being applied in your cluster. Attendees will learn how Sigstore Cosign integrates with Kubernetes to provide secure solutions for signing and verifying container images and resource manifests, configuration files, and other critical components, bundled as generic OCI images. We will also touch upon the use of GitOps tools like FluxCD and policy engines like Kyverno and Gatekeeper in combination with Sigstore Cosign to enforce security policies and prevent unwanted changes in your cluster. Whether you are a seasoned Kubernetes user or just starting out, this talk will provide valuable insights and tips about your options for verifying in Kubernetes your Kubernetes manifests signed by Sigstore Cosign.

A

Foreign.

A

And I'm glad to be speaking at Sublime. Shame security con as part of the open source, Summit North America by 2023, and today I will be speaking about securing your communities manifest with six-door concerning and we will go through the different options you have out there.

A

We will go through um a very quick introduction about what is six star and cosine, and we will review the workflow of a typical um workflow for container images in nature with cosine, and then we will see three main scenarios to verify the signature of your communities manifest within your communities. Cluster.

A

The first one will be with Sky Vernon, an admission controller at policy engine and the two last one will be verifying your M chart or your oci images with flux, guitar store out there, but first, let's make sure we uh we are talking and defining what is software supply chain and so of course, reply. Chinese from a developers perspective, I have my code.

A

My source I will trigger a good um I, will grab some dependencies and I will package what I want to uh to um to expose to my consumer, and but here we could see that this consumer is actually consuming these package. This artifact, in our case, maybe a container image, but we know that it's coming from the white place right, but do we know if it's what the owner intended to provide an expose to me as a consumer right?

A

So, let's imagine you have a compromise account within this workflow a compromise, build process, a compromise package repository. So here you could see from later a to G and the different places where you could have compromised stage and steps within your workload and and that's what the Searcher um the dev as a website. I'm sharing here is defining and that's a notion of zero trust with software supply chain, and actually they are helping us out there and to meet some requirements to be Seeker within our software circulation.

A

And one of the criteria is the provenance, the provenance of dependencies, the provenance of code provenance of packages um and you could meet the different levels, such as one two, three four four, depending on which criteria and weakra module, meeting right and provenance is part. uh Part of that so very important as a reference as well and sixture is here to directly answer. This need of I need to guarantee that the artifact is yes coming from a repository or registering, but actually is coming from the owner. Who is signature right?

A

So I will double check that this artifact is signed with a a very defined signature, so you could, with six store ecosystem and tools. You could sign your code, verify a signature and monitor activities as well. I won't go too much in detail with the different tools of 6-0.

A

The main one we will see today is cosine and actually, when signing code, you could see this very evolving ecosystem, where you could sign goaling package item package, Ruby package, Java package, rest package, as well as your git, commit as well as your container images as well as your M chart or more generically oci images that we will go and see in this presentation.

A

So let's see the typical and very basic and simple workflow about signing container images, and with that later we will see how we could have a parallel for signing and verifying our opportunities. Manifest.

A

First I need to build my container image locally local build. If you are using Rodman or Builder or other tool, you could build your container images locally. Then I need to push this image in an oci registry.

A

I have mentioned oci multiple times, so let me maybe Define it a little bit or CI stands for open container initiative, it's under the Linux Foundation umbrella and the goal is to Define standard specification around what is a container image. What is a container runtime? What is a container registry right on a very generic way and not just talking about Docker right and actually an oci image and he is able to package any file. A communities manifests in our case we will see later with me.md and then click4 MP3 file.

A

So you could archive or vendor and package any file within your oci image and an oci registry in our case we'll be able to host your artifact to your oci image. So a Docker container and a container image is actually an ocm image right. So here I need to push my container image and then I will use cosine locally I'm.

A

Taking the support to generate my key pair, the public key and the private key locally I will use a private key to sign, actually sign this container image with the immutable digest of this image and I will verify with the public key locally. So that's a typical workflow for container image right now, with this walkthrough when I want to guarantee that any container image is actually signed with this workflow from within my kubernetes cluster, and this cluster is actually just taking and accepting these container images signed from this workflow and this signature.

A

Sorry about that I will I will use an admission controller and in our case, kailano is one of the tool you could use right. So I'm using cosine I will sign with my container within my container registry, and um um uh my container image is actually signed in my Continental registry and actually Calvin as an admission controller and policy engine installed in my cluster via a policy which is this one here.

A

I could Define this manifest okay journal or policy cluster policy, where you could see this verified images specification for any container images, I need to please Kevin. Could you check that this container image is all actually signed with this public right store in this case in a secret? It could be in a KMS from your cloud provider Etc, but here we are making sure any container images is signed with this public very important for container images.

A

There is another approach if you know a policy controller from sixth row, that's the same approach, that's an Mission controller! Doing just that. Okay, everyone know is going a lot of different policies and governance and security. Promo is in your cluster as a police engine.

A

A policy controller is doing this very Niche and specific signature check on your container images same approach with the secret in this case, KMS is also working and here I'm defining my my policy cluster image policy by using sixth or policy controller.

A

If you are using peniser, there is the same approach if you are using Cube Garden same approach, so that's a typical for tool that you have for um container images, signature, verification right now, let's talk about how to do that with kubernetes manifest and why you would like to do that, and actually you could make sure that any kubernetes manifest a deployment, the secret config map name. It is actually coming from and trusted from where it's coming from from your corporate Corporation Enterprise and within your workflow in your software supply chain.

A

Actually, there is a first approach. The first approach is using the cube, CTL Plugin or signing kubernetes manifest I I put the the link of the tool um out there and the typical workflow is using Cube cctl6 store sign, choosing my yaml file in my manifest and targeting my oci registry. So this EML file will be stored as an oci image and will be signed with this public key private key actually, and the typical walkthrough is verifying right.

A

I will use qctl system verify verify this yaml file, targeting this oci image within the oci registry, with this public key right. So the other typical scenario and workflow for using signing your communities manifest as a side note. This workflow actually is a six door sign. Qctr, 6. increment will actually generate and two annotations so message and the signature that you could see where the signature will be stored and will be leveraged then by the verify command.

A

So just that you know that ctml file is immutable right as soon as you have updates uh with this resource within your cluster. Let's take an example about the replicas of a deployment or, if you are doing some limitation, adding annotation, adding label adding all the metadata and data within your resource actually running in kubernetes. That could be a bit of a challenge here.

A

So you need to to be aware of that is almost maybe the only one verifying this workflow here by using the plugin Cube CTS external will be able to actually do the verify uh at admission controller when actually deployed within kubernetes and before being deployed in your kubernetes cluster. Actually, so that's a typical workflow, and here is a cluster policy, and earlier I mentioned the equal cluster policy for container images. Here, that's to verify the signature of your kubernetes manifest previously signed by electricity.

A

Six store we just Illustrated right before and there is a validate section where you could actually Target a specific secret or KMS or other approach from your publicity, and you could see this very important section subsection in your field, which is actually highlighting for you when you are using this approach.

A

This way to be immutable versus multiple Fields right here, I mean it's waiting for replicas.

A

Maybe you have Auto scaling in place, so these values are mutable, they could change, and you don't want that when you want a signature, because you don't want the resource to be a change now, let's talk about M chart and chart is one of the way to package or manifest kubernetes manifest out there right, and so that's the second approach. I would like to illustrate, and let's talk about the typical workflow to sign your end chart you do a package um like we did with Docker build here.

A

It's end package um like we did with Docker push. There is n push um to push this actual oci image and chart in your OCR register. I will generate locally. My keeper public and private key here and I will still use cosine to sign this oci image and chart actually and I have the verify Command right with the public key in this case, pretty simple, similar to the dockera workflow we had with cosine and looker, and your container images same for your M chart.

A

I just want to highlight that there is, when you do n package this. This dash dash sign parameter, which is not yet supporting cosine uh I share at the bottom of this uh slide. uh The link of the issue, mentioning that it's coming in the future, where you will be able to actually not using all the cosine command um at the bottom of this prompt command, but you will be able to use n package sign directly, pretty convenient, and so just for your information that in the future, this workflow will be simplified.

A

Now, how true so it was locally cosine sign and verify again add admission control time within my kubernetes cluster. How I could guarantee that any M chart is actually signed right out there?

A

There is actually one tool proposing that it's Flex, a github's tool Flex, is able to pull versus pushing your manifest is pulling your manifest from a git repository from um no CI registry um and in this OCR registry you could have your manifest bundle as M trade and I will illustrate the other method just right after, but flux is able to pull your mshot from your oci registry as an OCA image right and that's a typical workflow.

A

You have flux your GitHub tool installed and it will be able to pull your manifest, not from a git repository but from a note here registry and deploy the rendered kubernetes manifest at an oci image right and the typical manifest to tell Flex to do that is defining the NM repository resource CM, chart ing to your CR registry, as well as your verify section for the for the M chart, where you will Define as a secret fundamental your co-signed public key, so pretty pretty convenient, pretty simple and yet powerful.

A

More generically than an M chart, you could bundle in kubernetes manifest and any file like I mentioned earlier, oci images again, oci stands for open container initiative and I will use oras or, as is a part of the cncf cloud native Computing, Foundation ecosystem and tools and projects out there and like with like, we did Docker push or n push. We could do RS push, so I could render any files locally from the current folder and pushing those file in my oci registry and doing an archive or no CI image within this OCR register.

A

Again, I will use cosine to generate my private and PVP, and I will sign this actual container image or CR image to be more generic and precise, and then I could still verify so pretty much the same workflow with Docker container image or Android, and here with more generic approach with oci image, so pretty simple and again yet powerful walkthrough.

A

What is a tool again to validate and verify the signature of this oci image within my cluster before being admitted and deployed in the crystal corrects? Is the tool allowing you to do that again? Flux is able to pull manifest from a git repository, a name registry or more generically, and no CI images and again my communities manifest will be done there as an oci image within my oci registry right and githubs will have the school mechanism here is a manifest where you could Define your oci repository like we did earlier with the end chart.

A

That's the same. Just one response in this case was here repository and qrl of the registry name of the image and the verify section provider, cosine and again storing the public key as the secret right and that's a wrap. Thank you for uh for listening and I hope you enjoy.

A

This talk where we demonstrated how you could verify cosine signatures for your communities, manifest not just for your container images as well for your kubernetes, manifest rendered as oci images more generically, um more specifically as an M chart and the three options Illustrated where, where we scriveno and the cube CTL plugin for kubernetes manifest.

A

Second one was with flex for M shot and the third one was still with drugs for oci images. So you have your option out there and you could add more security from within your security software supply chain and I hope you, you will uh be able to leverage some resources, I'm sharing as well.

A

So three first Links of some of my own experience, but I have been sharing about kind Runner about using Cloud, KMS and Coastline and policy controller and other talk about oci and githubs, and the last one from kerano and ecosystem, which is a more specific talk about the cube CTI plugin I mentioned during this talk again. I hope you are you enjoy this talk and I have a good rest of your conference.

A

Thank you. Everyone.

A

Foreign.