attest-provider/README.md
mrjoelkamp f91a423ef6 merge poc
2024-05-23 10:52:35 -05:00


# Attest External Data Provider

An OPA Gatekeeper external data provider that uses the Docker attest library to verify image attestations at admission time.

## Prerequisites

## Quick Start

1. Create a kind cluster.

2. Install the latest version of Gatekeeper and enable the external data feature.

   ```bash
   # Add the Gatekeeper Helm repository
   helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts

   # Install the latest version of Gatekeeper with the external data feature enabled
   helm install gatekeeper/gatekeeper \
       --set enableExternalData=true \
       --name-template=gatekeeper \
       --namespace security \
       --create-namespace
   ```
3. Build and deploy the external data provider.

   ```bash
   git clone https://github.com/docker/attest-external-data-provider.git
   cd attest-external-data-provider

   # If you are not planning to establish mTLS between the provider and Gatekeeper,
   # deploy the provider to a separate namespace. Otherwise, do not run the following
   # command and deploy the provider to the same namespace as Gatekeeper.
   export NAMESPACE=security

   # Generate a self-signed certificate for the external data provider
   ./scripts/generate-tls-cert.sh

   # Build the image via docker buildx
   make docker-buildx

   # Load the image into kind
   make kind-load-image

   # Choose one of the following ways to deploy the external data provider:

   # 1. Client and server auth enabled (recommended)
   helm install attest-provider charts/external-data-provider \
       --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
       --namespace "${NAMESPACE:-gatekeeper-system}"

   # 2. Client auth disabled and server auth enabled
   helm install attest-provider charts/external-data-provider \
       --set clientCAFile="" \
       --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
       --namespace "${NAMESPACE:-gatekeeper-system}" \
       --create-namespace
   ```

4. Install the constraint template and constraint.

   ```bash
   kubectl apply -f validation/attest-constraint-template.yaml
   kubectl apply -f validation/attest-constraint.yaml
   ```

5. Test the external data provider by dry-running the following commands:

   ```bash
   kubectl create ns test
   kubectl run nginx -n test --dry-run=server -ojson
   ```

   Gatekeeper should deny admission of the pod above: the `nginx` image has an image policy in `tuf-staging` but lacks the signed annotations that policy requires.
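To make the denial in step 5 concrete, here is an added example (not the project's code, and not the Docker attest library) of the request/response exchange a Gatekeeper external data provider handles. Gatekeeper POSTs a `ProviderRequest` carrying the image references it collected from the pod; the provider answers with a `ProviderResponse` that holds one item per key, and a per-key `error` is what the constraint turns into a denial. The attestation check itself is a constructed lookup table with a hypothetical image reference and a made-up digest; the `tlsConfig` helper mirrors the two Helm deployment modes above (client auth enabled when a client CA file is given, disabled when it is empty).

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/json"
	"fmt"
	"os"
	"strings"
)

// Wire types of the Gatekeeper external data protocol (externaldata.gatekeeper.sh/v1beta1).
type ProviderRequest struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Request    struct {
		Keys []string `json:"keys"`
	} `json:"request"`
}
type Item struct {
	Key   string      `json:"key"`
	Value interface{} `json:"value,omitempty"`
	Error string      `json:"error,omitempty"`
}
type ProviderResponse struct {
	APIVersion string `json:"apiVersion"`
	Kind       string `json:"kind"`
	Response   struct {
		Idempotent  bool   `json:"idempotent"`
		Items       []Item `json:"items"`
		SystemError string `json:"systemError,omitempty"`
	} `json:"response"`
}

// Constructed stand-in for the attest library call: only this hypothetical
// image reference "verifies", and its digest is made up.
var verifiedImages = map[string]string{"registry.example/app:1.0": "sha256:" + strings.Repeat("ab", 32)}

// Evaluate answers one ProviderRequest: a verified key carries its digest as
// value, a failed key carries a per-key error for the constraint's Rego to deny on.
func Evaluate(req ProviderRequest) ProviderResponse {
	var resp ProviderResponse
	resp.APIVersion, resp.Kind = "externaldata.gatekeeper.sh/v1beta1", "ProviderResponse"
	resp.Response.Idempotent = true // same keys always give the same answer
	resp.Response.Items = make([]Item, 0, len(req.Request.Keys))
	for _, key := range req.Request.Keys {
		item := Item{Key: key}
		if digest, ok := verifiedImages[key]; ok {
			item.Value = digest
		} else {
			item.Error = fmt.Sprintf("image %q has no verified attestation", key)
		}
		resp.Response.Items = append(resp.Response.Items, item)
	}
	return resp
}

// EvaluateJSON is the HTTP-body form; a malformed body is reported via
// systemError so Gatekeeper still receives a well-formed ProviderResponse.
func EvaluateJSON(body []byte) ([]byte, error) {
	var req ProviderRequest
	if err := json.Unmarshal(body, &req); err != nil {
		resp := Evaluate(ProviderRequest{})
		resp.Response.SystemError = "cannot decode ProviderRequest: " + err.Error()
		return json.Marshal(resp)
	}
	return json.Marshal(Evaluate(req))
}

// tlsConfig mirrors the two Helm deployment modes: a client CA file turns on
// mTLS (Gatekeeper must present a certificate signed by that CA); an empty
// path leaves only server auth, as in "client auth disabled" above.
func tlsConfig(clientCAFile string) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12, ClientAuth: tls.NoClientCert}
	if clientCAFile == "" {
		return cfg, nil
	}
	pemBytes, err := os.ReadFile(clientCAFile)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemBytes) {
		return nil, fmt.Errorf("no certificates found in %s", clientCAFile)
	}
	cfg.ClientCAs, cfg.ClientAuth = pool, tls.RequireAndVerifyClientCert
	return cfg, nil
}

func main() {
	// Constructed request of the shape Gatekeeper POSTs to the provider.
	in := `{"apiVersion":"externaldata.gatekeeper.sh/v1beta1","kind":"ProviderRequest","request":{"keys":["registry.example/app:1.0","nginx"]}}`
	out, err := EvaluateJSON([]byte(in))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(out))
}
```

Run with `go run .`: the verified key comes back with its digest as `value`, while `nginx` comes back with an `error`. On the Gatekeeper side, a constraint template consumes this by calling the `external_data` builtin with the provider name and the image keys and denying when the response reports an error for a key; that per-key error, not an HTTP failure, is what rejects the `nginx` pod above. Reserve `systemError` for the provider itself being unable to answer, so a transport or decoding problem is distinguishable from a failed attestation check.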

TODO: implement mutating policy (tag -> digest)

6. Uninstall the external data provider and Gatekeeper.

   ```bash
   kubectl delete -f validation/
   # kubectl delete -f mutation/ TODO: implement mutation
   helm uninstall attest-provider --namespace "${NAMESPACE:-gatekeeper-system}"
   helm uninstall gatekeeper --namespace security
   ```