Verify container image signatures before deployment (Notary/cosign/Connaisseur) #13
Comments
Adding some breadcrumbs: this looks like another area that is under development. When we pick up this story, we can re-evaluate options. Reading between the lines, I think registry providers (Amazon, Azure, Google, GitHub, etc.) are not into Notary (v1) because the trust store is external from the registry. Notary v2 seems to be an effort to support signatures directly within the OCI artifact. Linux Foundation launched sigstore and has a tool, cosign, that supports GitHub Container Registry. Both Notary v2 and cosign seem to be on Connaisseur's radar.
@adborden @mogul using the latest Connaisseur v2.0 release, it is possible to use either Notary (V1) or Cosign or both at the same time. Feel free to reach out if we can help! Always great to learn about use-cases in the wild.
Thanks for reaching out!
Noting for later: Kyverno also implements this as part of a more general policy framework. It's pretty alpha and only supports cosign, though.
sigstore is now natively supported in GitHub Actions. |
Seems like maybe the existing Alpine image on which so much is based hasn't been signed for a while...? |
Cosign maintainer here, let me know if we can help at all! |
User Story
In order to ensure that images have not been tampered with before they are deployed, we want our EKS instances to verify the image signature in an admission controller hook using the Notary or cosign protocols.
Background
Here's the actual Connaisseur repository; it can be deployed using a Helm chart.
Demo
Sketch
We can/should also verify the signature of helm_release resources used in brokerpaks.
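An added example of the admission-side check the user story describes, using the Kyverno policy framework mentioned in the comments (this is not code from the issue or from either project; the registry path and the public-key PEM are placeholders): a ClusterPolicy that rejects Pods whose images under the given path do not carry a valid cosign signature from the listed key, and pins the Pod spec to the verified digest.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-image-signatures
spec:
  # Reject the admission request outright (not just audit) when verification fails.
  validationFailureAction: Enforce
  # Image verification is an admission-time check; no background scans.
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Only images under this path are checked by this rule; images that
        # match no entry here are left alone, so widen the pattern deliberately.
        - imageReferences:
            - "ghcr.io/example-org/*"   # placeholder registry path
          # Rewrite the image reference to the verified sha256 digest, so the
          # container that runs is exactly the artifact whose signature passed.
          mutateDigest: true
          verifyDigest: true
          attestors:
            - entries:
                - keys:
                    # Cosign public key(s) that must have produced the signature.
                    # Placeholder: paste the PEM written by `cosign generate-key-pair`.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <cosign-public-key-pem-placeholder>
                      -----END PUBLIC KEY-----
```

Images under that path signed with `cosign sign --key cosign.key <image>` are admitted; an unsigned image, or one signed by a different key, is rejected at admission with the policy's failure message.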