Resolve `require-image-signature` policy doesn't work in egress limited/airgapped envs
General MR
Summary
Sets `ctlog.ignoreSCT: true` in the `require-image-signature` policy, which allows the policy to work as intended in airgapped/egress-limited environments.
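An added example (not the MR's diff and not Big Bang's actual policy file) of where this setting sits in a Kyverno ClusterPolicy that verifies cosign signatures with a static public key; the image pattern, public key placeholder and rule layout are assumptions:

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: require-image-signature
spec:
  validationFailureAction: Enforce
  background: false
  rules:
    - name: verify-image
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Assumed pattern, based on the registry used in the logs below.
        - imageReferences:
            - "registry1.dso.mil/*"
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: substitute the registry's real cosign public key.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <SIGNER_PUBLIC_KEY_PLACEHOLDER>
                      -----END PUBLIC KEY-----
                    ctlog:
                      # The setting this MR adds. With SCT checking enabled,
                      # Kyverno obtains the Sigstore CT log public keys over
                      # the network before verifying; in an egress-limited
                      # cluster that lookup cannot complete, so verification
                      # fails even when the signature itself is valid.
                      # Setting ignoreSCT drops the Signed Certificate
                      # Timestamp proof for keyless (Fulcio) certificates; a
                      # static-key attestor has no such certificate to check,
                      # so the signature check itself is unchanged.
                      ignoreSCT: true
                    rekor:
                      # Not part of this MR: the equivalent knob for the Rekor
                      # transparency log, shown only so both offline-related
                      # settings are visible together. Whether it is needed
                      # depends on the environment's access to Rekor.
                      ignoreTlog: true
```

Treat both `ignore*` flags as a deliberate reduction in what is verified: the policy still requires a valid signature from the configured key, but no longer cross-checks Sigstore's public logs.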
Relevant logs/screenshots
See an example of the current behavior in this issue: big-bang/bigbang#1821 (comment 1741025)
The example below shows running a pod in an environment that does not have access to Sigstore's public Rekor instance:
```
time kubectl run test --image=registry1.dso.mil/ironbank/opensource/grafana/loki:2.9.0 --dry-run=server
pod/test created (server dry run)
kubectl run test --dry-run=server 0.04s user 0.02s system 6% cpu 0.910 total
```
Kyverno admission controller logs:
```
kyverno-admission-controller-5997fbb54d-dsg7z kyverno 2023-12-14T17:21:48.881497405-05:00 I1214 22:21:48.881347 1 imageverifier.go:265] engine.verify "msg"="cache entry not found" "imageRef"="registry1.dso.mil/ironbank/opensource/grafana/loki:2.9.0" "namespace"="" "new.kind"="Pod" "new.name"="test" "new.namespace"="default" "policy"="require-image-signature" "policy.apply"="All" "policy.name"="require-image-signature" "policy.namespace"="" "rule.name"="verify-image" "ruleName"="verify-image"
kyverno-admission-controller-5997fbb54d-dsg7z kyverno 2023-12-14T17:21:48.881557956-05:00 I1214 22:21:48.881426 1 imageverifier.go:321] engine.verify "msg"="verifying image signatures" "attestations"=0 "attestors"=1 "image"="registry1.dso.mil/ironbank/opensource/grafana/loki:2.9.0" "new.kind"="Pod" "new.name"="test" "new.namespace"="default" "policy.apply"="All" "policy.name"="require-image-signature" "policy.namespace"="" "rule.name"="verify-image"
kyverno-admission-controller-5997fbb54d-dsg7z kyverno 2023-12-14T17:21:49.234334729-05:00 I1214 22:21:49.234176 1 imageverifier.go:489] engine.verify "msg"="image attestors verification succeeded" "new.kind"="Pod" "new.name"="test" "new.namespace"="default" "policy.apply"="All" "policy.name"="require-image-signature" "policy.namespace"="" "requiredCount"=1 "rule.name"="verify-image" "verifiedCount"=1
kyverno-admission-controller-5997fbb54d-dsg7z kyverno 2023-12-14T17:21:49.238518422-05:00 I1214 22:21:49.238384 1 event_broadcaster.go:318] "Event occurred" object="require-image-signature" kind="ClusterPolicy" apiVersion="kyverno.io/v1" type="Normal" reason="PolicyApplied" action="Resource Passed" note="Pod default/test: pass"
kyverno-admission-controller-5997fbb54d-dsg7z kyverno 2023-12-14T17:21:49.257034652-05:00 I1214 22:21:49.256889 1 validation.go:108] webhooks/resource/validate "msg"="validation passed" "action"="validate" "clusterroles"=["cluster-admin","system:basic-user","system:discovery","system:public-info-viewer"] "gvk"={"group":"","version":"v1","kind":"Pod"} "gvr"={"group":"","version":"v1","resource":"pods"} "kind"="Pod" "name"="test" "namespace"="default" "operation"="CREATE" "policy"="require-image-signature" "resource"="default/Pod/test" "resource.gvk"={"Group":"","Version":"v1","Kind":"Pod"} "roles"=null "uid"="4e8dc961-4455-4137-9076-22592bb22905" "user"={"username":"system:admin","groups":["system:masters","system:authenticated"]}
```
Closes #61
Edited by Noah Birrer