Let images of kamada signed with cosign

[liangyuanpeng]

What would you like to be added:

More and more cloud native projects started adopting Sigstore for signing and verifying artefacts, also include kubernetes. Let images of kamada signed with cosign would be great.

Would be include two point:

• sign images of karmada components. Sign images #3434
• sign helm oci chart. feat:sign image for helm chart #3841
• doc to introduce add cosign verify images doc website#449
• doc for image of helm chart Update verify-artifact for helm chart website#473

Why is this needed:

It would be help with the implementation of supply chain security practices on the user side.

/assign

[RainbowMango]

Thanks @liangyuanpeng, I'm not familiar with the Sigstore, I need some time to investigate. By the way, can you share the example link from Kubernetes? And It would be great to have a chat at the community meeting.

[liangyuanpeng]

Thanks for your quick reply. :)

can you share the example link from Kubernetes?

Absolutely, kubernetes signed release images since v1.24.0.

https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/#signing-release-artifacts

And It would be great to have a chat at the community meeting.

I don't mind share it at meeting.

[RainbowMango]

I don't mind share it at meeting.

That'd be great! Please add an agenda to the meeting notes.

[liangyuanpeng]

Doc for metting

• https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/#signing-release-artifacts kubernetes sign release artifacts since 1.24
• https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts/ 验证已签名容器镜像
• https://kyverno.io/docs/writing-policies/verify-images/#keyless-signing-and-verification
• 举例几个使用了cosign的CNCF项目: kubernetes argocd flux carvel

[zishen]

Doc for metting

• https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/#signing-release-artifacts kubernetes sign release artifacts since 1.24
• https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts/ 验证已签名容器镜像
• https://kyverno.io/docs/writing-policies/verify-images/#keyless-signing-and-verification
• 举例几个使用了cosign的CNCF项目: kubernetes argocd flux carvel

I have test cosign by follow k8s doc:https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts/ ,
But it doesnot work.
But it works by https://kyverno.io/docs/writing-policies/verify-images/#keyless-signing-and-verification, except "Verifying binary signatures".
The error is:
main.go:74: error during command execution: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

more error detail see: here

And I found there had blob: issue-2632].
So, can you help me to verify artifacts keyless?

[zishen]

Doc for metting

• https://kubernetes.io/blog/2022/05/03/kubernetes-1-24-release-announcement/#signing-release-artifacts kubernetes sign release artifacts since 1.24
• https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts/ 验证已签名容器镜像
• https://kyverno.io/docs/writing-policies/verify-images/#keyless-signing-and-verification
• 举例几个使用了cosign的CNCF项目: kubernetes argocd flux carvel

I have test cosign by follow k8s doc:https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts/ , But it doesnot work. But it works by https://kyverno.io/docs/writing-policies/verify-images/#keyless-signing-and-verification, except "Verifying binary signatures". The error is: main.go:74: error during command execution: --certificate-identity or --certificate-identity-regexp is required for verification in keyless mode

more error detail see: here

And I found there had blob: issue-2632]. So, can you help me to verify artifacts keyless?

It is works when I follow https://kubernetes.io/zh-cn/docs/tasks/administer-cluster/verify-signed-artifacts/ again.
k8s had repair these at May 15, 2023.