
[Feature] Support TUF configuration for private and public Sigstore instances simultaneously #11618

Open
2 tasks done
EtienneDufresne opened this issue Nov 18, 2024 · 1 comment
Labels: enhancement (New feature or request), imageVerify (Image verification support), triage (Default label assigned to all new issues indicating label curation is needed to fully organize.)

Comments

@EtienneDufresne

Problem Statement

When kyverno is configured to verify attestations produced from private GitHub repositories (see this issue), it's not possible to have a ClusterPolicy that verifies images signed using keyless signing from a GitHub Action at the same time.

Solution Description

It would be good to have a way to configure kyverno that allows overriding the TUF configuration to the GitHub private Sigstore instance for verification of attestations of artifacts from private repos, but that falls back to the public Sigstore instance when it's verifying image signatures. Alternatively, a list of TUF overrides would work.

Alternatives

No response

Additional Context

Kyverno has a values.yaml override like the following:

features:
  tuf:
    enabled: true
    mirror: https://tuf-repo.github.com/
    rootRaw: ...

so I can have a ClusterPolicy that verifies attestations produced by GitHub's private Sigstore instance (see this issue).

Say I also want the ClusterPolicy to verify image signatures that were signed using keyless signing from a GitHub Action by adding this to verifyImages:

    - imageReferences:
      - "*"
      type: Cosign
      attestors:
        - entries:
            - keyless:
                issuer: https://token.actions.githubusercontent.com/
                subject: https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-and-sign-image.yaml@refs/heads/main
                rekor:
                  url: https://rekor.sigstore.dev/

When I helm install a chart that uses an image signed the GitHub keyless way, I see this in logs:

**Warning** Missing fallback target fulcio.crt.pem, skipping
**Warning** Missing fallback target fulcio_v1.crt.pem, skipping
**Warning** Missing fallback target fulcio_intermediate_v1.crt.pem, skipping
{"level":"info","v":0,"logger":"cosign","error":"failed to get roots from fulcio: error getting targets: no matching targets by custom metadata, fallbacks not found: fulcio.crt.pem, fulcio_v1.crt.pem, fulcio_intermediate_v1.crt.pem","time":"2024-11-15T15:53:24Z","message":"image verification failed"}
{"level":"info","policy.name":"verify-signature-and-attestations","policy.namespace":"","policy.apply":"All","new.kind":"Deployment","new.namespace":"default","new.name":"my-component","rule.name":"autogen-verify-signature-and-attestations","v":0,"logger":"engine.verify","image":"ghcr.io/my-org/my-component:v0.0.70","verifiedCount":0,"requiredCount":1,"errors":".attestors[0].entries[0].keyless: failed to get roots from fulcio: error getting targets: no matching targets by custom metadata, fallbacks not found: fulcio.crt.pem, fulcio_v1.crt.pem, fulcio_intermediate_v1.crt.pem","time":"2024-11-15T15:53:24Z","message":"image attestors verification failed"}
{"level":"error","policy.name":"verify-signature-and-attestations","policy.namespace":"","policy.apply":"All","new.kind":"Deployment","new.namespace":"default","new.name":"my-component","rule.name":"autogen-verify-signature-and-attestations","error":".attestors[0].entries[0].keyless: failed to get roots from fulcio: error getting targets: no matching targets by custom metadata, fallbacks not found: fulcio.crt.pem, fulcio_v1.crt.pem, fulcio_intermediate_v1.crt.pem","logger":"engine.verify","image":"ghcr.io/my-org/my-component:v0.0.70","time":"2024-11-15T15:53:24Z","message":"failed to verify image"}

This is because, in the case of keyless image signature verification, the public Sigstore instance is used. How do I configure kyverno so it accepts both the GitHub private Sigstore instance (for attestations) as well as the official public one (for image signatures)?

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1720769654925739

Research

  • I have read and followed the documentation AND the troubleshooting guide.
  • I have searched other issues in this repository and mine is not recorded.
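The log lines in the issue come from the step where a Sigstore TUF client looks for Fulcio root certificates in the mirror's targets metadata: it first selects targets whose `custom.sigstore.usage` is `Fulcio`, and only if none exist does it try the well-known fallback names `fulcio.crt.pem`, `fulcio_v1.crt.pem` and `fulcio_intermediate_v1.crt.pem`. With a single TUF override pointed at the GitHub mirror, every keyless image verification is answered from a repository that has no Fulcio targets, hence "fallbacks not found". The following is an added example, not Kyverno or cosign source, that models that lookup and the ordered list of TUF repositories the issue proposes as a solution. The two `targets.json` documents are constructed (hashes and lengths are dummies); the `custom.sigstore.usage` layout follows the public sigstore root-signing repository, and the public mirror URL `https://tuf-repo-cdn.sigstore.dev` is the real one, but the assumption that the private mirror publishes only a `trusted_root.json` target is taken from the log output above, not from GitHub's documentation.

```python
"""Model of the Sigstore TUF 'targets by custom metadata' lookup and an
ordered multi-repository fallback. Constructed example; not project code."""
import json

class TargetsNotFound(Exception):
    """Raised when neither tagged targets nor fallback names are present."""

# Constructed: a private-style targets.json carrying only a trusted_root.json
# target and no Fulcio certificate targets (matches the failure in the logs).
PRIVATE_TARGETS_JSON = json.dumps({
    "signed": {"_type": "targets", "version": 3, "targets": {
        "trusted_root.json": {"length": 1234, "hashes": {"sha256": "0" * 64}},
    }}
})

# Constructed: a public-style targets.json whose targets are tagged by usage.
def _target(usage, status="Active"):
    return {"length": 740, "hashes": {"sha256": "1" * 64},
            "custom": {"sigstore": {"usage": usage, "status": status}}}

PUBLIC_TARGETS_JSON = json.dumps({
    "signed": {"_type": "targets", "version": 9, "targets": {
        "fulcio_v1.crt.pem": _target("Fulcio"),
        "fulcio_intermediate_v1.crt.pem": _target("Fulcio"),
        "rekor.pub": _target("Rekor"),
        "ctfe.pub": _target("CTFE"),
    }}
})

# Well-known names tried only when no target is tagged with the wanted usage.
FULCIO_FALLBACKS = ["fulcio.crt.pem", "fulcio_v1.crt.pem",
                    "fulcio_intermediate_v1.crt.pem"]

def targets_by_usage(targets_json, usage, fallbacks):
    """Return the target names for `usage` from a TUF targets document.

    Preference order mirrors the Sigstore client: targets whose
    custom.sigstore.usage equals `usage`, then the fallback names that exist.
    """
    targets = json.loads(targets_json)["signed"]["targets"]
    tagged = sorted(name for name, meta in targets.items()
                    if meta.get("custom", {}).get("sigstore", {}).get("usage") == usage)
    if tagged:
        return tagged
    present = [name for name in fallbacks if name in targets]
    if present:
        return present
    raise TargetsNotFound(
        "no matching targets by custom metadata, fallbacks not found: "
        + ", ".join(fallbacks))

def fulcio_lookup_error(targets_json):
    """Return the error text a single-repository lookup would log, or None."""
    try:
        targets_by_usage(targets_json, "Fulcio", FULCIO_FALLBACKS)
        return None
    except TargetsNotFound as exc:
        return str(exc)

def resolve_fulcio_roots(tuf_repos):
    """Try an ordered list of (mirror_url, targets_json) pairs.

    This is the 'list of TUF overrides' behaviour the issue asks for: the
    first repository that can supply Fulcio roots wins, and the failures of
    the earlier ones are carried in the error if none can.
    """
    failures = []
    for mirror, targets_json in tuf_repos:
        try:
            return mirror, targets_by_usage(targets_json, "Fulcio", FULCIO_FALLBACKS)
        except TargetsNotFound as exc:
            failures.append(f"{mirror}: {exc}")
    raise TargetsNotFound("; ".join(failures))

if __name__ == "__main__":
    # Single override to the private mirror: reproduces the logged failure.
    print(fulcio_lookup_error(PRIVATE_TARGETS_JSON))
    # Ordered list: private mirror first, public mirror as fallback.
    print(resolve_fulcio_roots([
        ("https://tuf-repo.github.com/", PRIVATE_TARGETS_JSON),
        ("https://tuf-repo-cdn.sigstore.dev", PUBLIC_TARGETS_JSON),
    ]))
```

The resolver only picks the repository that can supply Fulcio roots; it does not merge trust roots across repositories, so a certificate chain is always checked against exactly one root of trust, which is the property a per-attestor TUF setting would also need to preserve.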
@EtienneDufresne EtienneDufresne added enhancement New feature or request triage Default label assigned to all new issues indicating label curation is needed to fully organize. labels Nov 18, 2024

welcome bot commented Nov 18, 2024

Thanks for opening your first issue here! Be sure to follow the issue template!

@dosubot dosubot bot added the imageVerify Image verification support label Nov 18, 2024
@vishal-chdhry vishal-chdhry added this to the Kyverno Release 1.14.0 milestone Nov 28, 2024