SPIKE: Research IB Image Signing and Verification

Determine the process for verifying signed images from IB. AC:

• issues with weights created within the epic needed to enforce verified images from IB

added to epic &102 (closed)

changed the description

added triage-kind label

added triage-priority label

Seems that there is already a kyverno policy for this that is disabled by default in bigbang.

I imagine it won't work unless we get public cert for validation in right? This might still require, testing and validation but great that there is already a policy!

Good point! I forgot to include the link for where the public cert is baked in. I'll get a test environment running with this policy enabled and report back

set weight to 1

changed iteration to Big Bang Iterations Oct 3, 2023 - Oct 16, 2023

removed triage-kind label

removed triage-priority label

added kindenhancement statusreview labels

removed statusreview label

added priority6 label

Enabling on a test environment shows that the policy does work as intended in audit mode. Noting that the policy has failed in each namespace. Updated to latest version of Kyverno in BB (1.10.3) and am seeing successful scans now:

$ k get policyreport -A | grep cpol-require-image-signature
NAME                                                      PASS   FAIL   WARN   ERROR   SKIP   AGE                                                                                                        
flux-system        cpol-require-image-signature           6      6      0      0       0      12m
istio-operator     cpol-require-image-signature           3      0      0      0       0      12m
istio-system       cpol-require-image-signature           6      0      0      0       0      11m
metrics-server     cpol-require-image-signature           4      0      0      0       0      8m10s
kiali              cpol-require-image-signature           3      0      0      0       0      8m3s
logging            cpol-require-image-signature           2      0      0      0       0      8m1s
monitoring         cpol-require-image-signature           18     0      0      0       0      10m
tempo              cpol-require-image-signature           2      0      0      0       0      7m14s
kyverno-reporter   cpol-require-image-signature           3      0      0      0       0      6m20s
kyverno            cpol-require-image-signature           8      12     0      0       0      12m
neuvector          cpol-require-image-signature           22     0      0      0       0      6m37s
promtail           cpol-require-image-signature           5      0      0      0       0      6m2s
$
$ helm ls -A                                                                                                                                                           
NAME                             	NAMESPACE       	REVISION	UPDATED                                	STATUS  	CHART                       	APP VERSION
bigbang                          	bigbang         	1       	2023-10-06 12:52:16.41504 -0400 EDT    	deployed	bigbang-2.12.0
istio-operator-istio-operator    	istio-operator  	1       	2023-10-06 16:54:02.427741654 +0000 UTC	deployed	istio-operator-1.19.0-bb.1  	1.19.0
istio-system-istio               	istio-system    	1       	2023-10-06 16:54:35.792909282 +0000 UTC	deployed	istio-1.19.0-bb.1           	1.19.0
kiali-kiali                      	kiali           	1       	2023-10-06 16:58:12.814070447 +0000 UTC	deployed	kiali-1.72.0-bb.2           	1.72.0
kyverno-kyverno                  	kyverno         	1       	2023-10-06 16:52:35.094150206 +0000 UTC	deployed	kyverno-3.0.0-bb.4          	v1.10.3
kyverno-kyverno-policies         	kyverno         	1       	2023-10-06 16:53:32.019920336 +0000 UTC	deployed	kyverno-policies-3.0.4-bb.0 	v1.10.3
kyverno-reporter-kyverno-reporter	kyverno-reporter	1       	2023-10-06 16:59:58.039819095 +0000 UTC	deployed	kyverno-reporter-2.16.0-bb.4	2.12.0
logging-loki                     	logging         	1       	2023-10-06 16:58:11.71470101 +0000 UTC 	deployed	loki-5.23.1-bb.0            	2.9.1
metrics-server                   	metrics-server  	1       	2023-10-06 16:58:11.481489219 +0000 UTC	deployed	metrics-server-3.10.0-bb.2  	v0.6.3
monitoring-grafana               	monitoring      	1       	2023-10-06 16:58:12.036558327 +0000 UTC	deployed	grafana-6.58.9-bb.4         	10.0.3
monitoring-monitoring            	monitoring      	1       	2023-10-06 16:55:14.837028227 +0000 UTC	deployed	monitoring-51.1.0-bb.0      	v0.68.0
promtail-promtail                	promtail        	1       	2023-10-06 17:00:21.741503201 +0000 UTC	deployed	promtail-6.15.0-bb.1        	v2.9.1
tempo-tempo                      	tempo           	1       	2023-10-06 16:59:10.659530719 +0000 UTC	deployed	tempo-1.6.1-bb.1            	2.2.2

assigned to @noahbirrer

Setting to Enforce mode does work as expected:

$ kubectl run test -n default --dry-run=server --image=registry1.dso.mil/ironbank/opensource/kubernetes-1.17/kubectl-1.17@sha256:d3ea65a16986ae3d1ce12a2f8d65bf795b26eaca2d8f69b54d595b7ea528b47c -- sleep 9
999
Error from server: admission webhook "mutate.kyverno.svc-fail" denied the request:

resource Pod/default/test was blocked due to the following policies

require-image-signature:
  verify-image: |
    failed to verify image registry1.dso.mil/ironbank/opensource/kubernetes-1.17/kubectl-1.17@sha256:d3ea65a16986ae3d1ce12a2f8d65bf795b26eaca2d8f69b54d595b7ea528b47c: .attestors[0].entries[0].keys: no matching signatures

Setting to Audit mode does work as expected:

$ kubectl run test -n logging --dry-run=server --image=registry1.dso.mil/ironbank/opensource/kubernetes-1.17/kubectl-1.17@sha256:d3ea65a16986ae3d1ce12a2f8d65bf795b26eaca2d8f69b54d595b7ea528b47c -- sleep 9
999
Warning: policy require-image-signature.verify-image: unverified image registry1.dso.mil/ironbank/opensource/kubernetes-1.17/kubectl-1.17@sha256:d3ea65a16986ae3d1ce12a2f8d65bf795b26eaca2d8f69b54d595b7ea528b47c
pod/test created (server dry run)

added statusdoing label

closing in favor of #1777 (closed)

closed