Light

appvia / cosign-keyless-admission-webhook Goto Github PK

View Code? Open in Web Editor NEW

22.0 1.0 1.0 157 KB

Kubernetes admission webhook that uses cosign verify to check the subject and issuer of the image matches what you expect

License: MIT License

Dockerfile 13.81% JavaScript 86.19%

hacktoberfest cosign sigstore oidc container-security kubernetes kubernetes-admission-webhook

cosign-keyless-admission-webhook's Introduction

Cosign keyless Kubernetes admission webhook

Kubernetes admission webhook that uses cosign verify to check the subject and issuer of the image matches what you expect

Installation

# if you don't already have cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml

kubectl apply -k https://github.com/appvia/cosign-keyless-admission-webhook

Usage

In the pod spec you set an annotation(s) of subject.cosign.sigstore.dev/CONTAINER_NAME^* to the subject of the certificate and also set the issuer.cosign.sigstore.dev/CONTAINER_NAME^* to the Issuer.

*CONTAINER_NAME is the name of the container from your pod specification.

Full example

apiVersion: v1
kind: Pod
metadata:
  annotations:
    subject.cosign.sigstore.dev/demo: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demo: https://token.actions.githubusercontent.com
    subject.cosign.sigstore.dev/demoagain: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demoagain: https://token.actions.githubusercontent.com
  name: cosign-keyless-demo
spec:
  containers:
    - image: ghcr.io/chrisns/cosign-keyless-demo:latest
      name: demo
    - image: ghcr.io/chrisns/cosign-keyless-demo:latest
      name: demoagain

🚨🚨🚨 WHY THIS MAY NOT WORK FOR YOU 🚨🚨🚨

Won't work, at least out the box with private registries or ones that just require authentication, you'll have to wire the credentials up to deployment's secrets

cosign-keyless-admission-webhook's People

Contributors

Stargazers

Watchers

Forkers

gobars

cosign-keyless-admission-webhook's Issues

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

dockerfile

Dockerfile

ghcr.io/sigstore/cosign/cosign latest@sha256:33a6a55d2f1354bc989b791974cf4ee00a900ab9e4e54b393962321758eee3c6

node 18.6.0-alpine@sha256:cd8f5b451e927f3c5c92016cfaf9d6805999faeded64486d8f76c9d4ef6f1b5c

github-actions

.github/workflows/ci.yml

actions/checkout v3.0.2@2541b1294d2704b0964813337f33b291d3f8596b

docker/login-action v2.0.0@49ed152c8eca782a232dede0303416e8f356c37b

docker/metadata-action v4.0.1@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a

docker/setup-buildx-action v2@dc7b9719a96d48369863986a06765841d7ea23f6

docker/build-push-action v3.0.0@e551b19e49efd4e98792db7592c17c09b89db8d8

helm/kind-action d08cf6ff1575077dee99962540d77ce91c62387d

docker/build-push-action v3.0.0@e551b19e49efd4e98792db7592c17c09b89db8d8

docker/login-action v2.0.0@49ed152c8eca782a232dede0303416e8f356c37b

sigstore/cosign-installer v2.4.1@48866aa521d8bf870604709cd43ec2f602d03ff2

.github/workflows/security.yml

actions/checkout v3.0.2@2541b1294d2704b0964813337f33b291d3f8596b

github/codeql-action v2@3e7e3b32d0fb8283594bb0a76cc60a00918b0969

github/codeql-action v2@3e7e3b32d0fb8283594bb0a76cc60a00918b0969

github/codeql-action v2@3e7e3b32d0fb8283594bb0a76cc60a00918b0969

actions/checkout v3.0.2@2541b1294d2704b0964813337f33b291d3f8596b

ShiftLeftSecurity/scan-action master

github/codeql-action v2@3e7e3b32d0fb8283594bb0a76cc60a00918b0969

npm

package.json

express ^4.17.2

localtunnel 2.0.2

Check this box to trigger a request for Renovate to run again on this repository

Recommend Projects

React

A declarative, efficient, and flexible JavaScript library for building user interfaces.
Vue.js

🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript

TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
TensorFlow

An Open Source Machine Learning Framework for Everyone
Django

The Web framework for perfectionists with deadlines.
Laravel

A PHP framework for web artisans
D3

Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

javascript

JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
web

Some thing interesting about web. New door for the world.
server

A server is a program made to process requests and deliver data to clients.
Machine learning

Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Visualization

Some thing interesting about visualization, use data art
Game

Some thing interesting about game, make everyone happy.

Recommend Org

Facebook

We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft

Open source projects and samples from Microsoft.
Google

Google ❤️ Open Source for everyone.
Alibaba

Alibaba Open Source for everyone
D3

Data-Driven Documents codes.
Tencent

China tencent open source team.