
How to use this with Gatekeeper

Open marcofranssen opened this issue 3 years ago • 4 comments

I'm wondering if I can use this with Gatekeeper and if any guidance could be provided to load this into gatekeeper.

I'm very new to OPA and Gatekeeper, so that is the origin of this request.

marcofranssen, Aug 16 '21 15:08

Hi there, I am trying to do the same thing as well. I am new to OPA/Gatekeeper/Kubernetes, but what I understand so far is that I need to create a ConstraintTemplate and a Constraint with the Rego policy and apply it on the Kubernetes cluster.

If someone could please provide an example of what the Constraint Template and constraint looks like, I would really appreciate it.

Also I am not sure how the line cosignHTTPWrapperURL := "http://localhost:8080/verify" will change if it's on Kubernetes. What will the url be? For example, I want to deploy 1 pod with the cosign-wrapper golang api, and then the gatekeeper pod. How do these two communicate with each other?

@marcofranssen were you ever able to figure this out?

csongpaxos, Oct 19 '21 20:10

@csongpaxos haven't tried it yet.

Regarding your k8s question: within k8s you have Services, and those get corresponding DNS records.

So e.g.:

http://cosign-service.your-namespace/verify should be possible if you have a Service named cosign-service in a namespace your-namespace. Of course, this Service has to listen on port 80 and forward the traffic to the pod running on port 8080.

marcofranssen, Oct 20 '21 13:10
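As an added illustration of the Service wiring described in the reply above (not from this thread or from the cosign-wrapper project): a Deployment for the wrapper listening on 8080, a Service named cosign-wrapper-api in namespace mgmt exposing it on port 80, and a Constraint that instantiates the SignatureVerify template for Pods. With these, a policy can reach the wrapper as http://cosign-wrapper-api.mgmt.svc.cluster.local/verify. The container image, the Secret holding the cosign public key, and the excluded namespaces are assumptions. One caveat before building on this path: Gatekeeper disables the http.send builtin in ConstraintTemplates, so a policy that calls the wrapper over HTTP loads in plain OPA but not in Gatekeeper; Gatekeeper's later "external data" feature exists for exactly this kind of out-of-process verification.

```yaml
# Deployment for the wrapper. The image name and the Secret are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cosign-wrapper-api
  namespace: mgmt
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cosign-wrapper-api
  template:
    metadata:
      labels:
        app: cosign-wrapper-api
    spec:
      containers:
        - name: api
          image: example.invalid/cosign-wrapper-api:latest   # assumed image
          ports:
            - containerPort: 8080
          volumeMounts:
            - name: cosign-pub
              mountPath: /keys
              readOnly: true
      volumes:
        - name: cosign-pub
          secret:
            secretName: cosign-public-key   # assumed Secret containing cosign.pub
---
# Service: cluster port 80 -> container port 8080.
# DNS name inside the cluster: cosign-wrapper-api.mgmt.svc.cluster.local
apiVersion: v1
kind: Service
metadata:
  name: cosign-wrapper-api
  namespace: mgmt
spec:
  selector:
    app: cosign-wrapper-api
  ports:
    - port: 80
      targetPort: 8080
---
# Constraint: binds the SignatureVerify ConstraintTemplate to Pod admission.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: SignatureVerify
metadata:
  name: require-signed-images
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    # Do not gate the wrapper itself or the admission stack, or you can lock yourself out.
    excludedNamespaces: ["kube-system", "gatekeeper-system", "mgmt"]
```

Keep the wrapper reachable only from the admission controller (a NetworkPolicy allowing ingress from the gatekeeper-system namespace) so that nothing else in the cluster can probe or load the verification endpoint.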

Thanks @marcofranssen, that makes a lot of sense. What I am trying to figure out now is the proper syntax for the ConstraintTemplate. I am not sure whether I can simply paste the rego directly into the rego block. Also I am unsure of what the openAPIV3Schema should look like. Do you have any ideas?

---
apiVersion: templates.gatekeeper.sh/v1beta1
kind: ConstraintTemplate
metadata:
  name: signatureverify
spec:
  crd:
    spec:
      names:
        kind: SignatureVerify
      validation:
        # Schema for the `parameters` field of the Constraint
        openAPIV3Schema:
          properties:
            image:
              type: string
  targets:
    - target: admission.k8s.gatekeeper.sh
      rego: |
        package signatureverify

        # Gatekeeper evaluates the `violation` rule: one entry per unverified container image
        violation[{"msg": msg}] {
            image := input.review.object.spec.containers[_].image
            not verified(image)
            msg := sprintf("image %v is not signed by the configured cosign key", [image])
        }

        # send HTTP POST request to cosign-wrapper, reached through its Service DNS name
        verified(image) {
            body := {"image": image}

            # hardcoded consts
            headers_json := {"Content-Type": "application/json"}
            # cosignHTTPWrapperURL := "http://localhost:8080/verify"
            cosignHTTPWrapperURL := "http://cosign-wrapper-api.mgmt.svc.cluster.local/verify"

            output := http.send({"method": "post", "url": cosignHTTPWrapperURL, "headers": headers_json, "body": body})

            # check if result verified
            output.body.verified == true
        }
---

csongpaxos, Oct 20 '21 13:10
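An added example (not the cosign-wrapper project's code) of the other side of the contract the policy above relies on: a Go /verify handler that accepts the {"image": "..."} body the Rego posts and answers {"verified": true|false}, shelling out to the cosign CLI with a public key. Assumptions: the cosign binary is on PATH inside the wrapper container, the key is mounted at /keys/cosign.pub, and the image-reference shape check and fail-closed error handling are design choices of this example rather than anything the thread specifies.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"log"
	"net/http"
	"os/exec"
	"regexp"
	"time"
)

// verifyRequest is the JSON body the Rego policy posts: {"image": "<ref>"}.
type verifyRequest struct {
	Image string `json:"image"`
}

// verifyResponse is what the policy reads back as output.body.verified.
type verifyResponse struct {
	Verified bool   `json:"verified"`
	Error    string `json:"error,omitempty"`
}

// Verifier reports whether an image reference carries an acceptable signature.
type Verifier func(ctx context.Context, image string) (bool, error)

// imageRef is a conservative shape for a registry reference (assumed here).
// Rejecting a leading "-" matters because the reference is handed to the
// cosign CLI as an argument, and "--some-flag" would otherwise be parsed as
// an option instead of an image.
var imageRef = regexp.MustCompile(`^[a-z0-9][A-Za-z0-9._:/-]*(@sha256:[0-9a-f]{64})?$`)

// cosignCLIVerifier runs `cosign verify --key <pubKeyPath> <image>`. cosign
// exits non-zero when no signature matching the key is found; that is a
// policy decision (deny), while failing to run cosign at all is a server fault.
func cosignCLIVerifier(pubKeyPath string) Verifier {
	return func(ctx context.Context, image string) (bool, error) {
		cmd := exec.CommandContext(ctx, "cosign", "verify", "--key", pubKeyPath, image)
		out, err := cmd.CombinedOutput()
		if err == nil {
			return true, nil
		}
		var exitErr *exec.ExitError
		if errors.As(err, &exitErr) {
			return false, nil
		}
		return false, fmt.Errorf("running cosign: %v: %s", err, out)
	}
}

// decide handles one verification request and returns the HTTP status and
// JSON body to send. It is kept separate from the handler so it can be
// exercised without a listening socket.
func decide(ctx context.Context, v Verifier, method string, body io.Reader) (int, verifyResponse) {
	if method != http.MethodPost {
		return http.StatusMethodNotAllowed, verifyResponse{Error: "use POST"}
	}
	var req verifyRequest
	if err := json.NewDecoder(io.LimitReader(body, 4096)).Decode(&req); err != nil {
		return http.StatusBadRequest, verifyResponse{Error: "expected JSON body {\"image\": \"<ref>\"}"}
	}
	if !imageRef.MatchString(req.Image) {
		return http.StatusBadRequest, verifyResponse{Error: "invalid image reference"}
	}
	ok, err := v(ctx, req.Image)
	if err != nil {
		// Fail closed: verified stays false, so the policy denies the pod.
		return http.StatusInternalServerError, verifyResponse{Error: err.Error()}
	}
	return http.StatusOK, verifyResponse{Verified: ok}
}

func verifyHandler(v Verifier) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		ctx, cancel := context.WithTimeout(r.Context(), 20*time.Second)
		defer cancel()
		status, resp := decide(ctx, v, r.Method, r.Body)
		w.Header().Set("Content-Type", "application/json")
		w.WriteHeader(status)
		_ = json.NewEncoder(w).Encode(resp)
	}
}

func main() {
	mux := http.NewServeMux()
	mux.Handle("/verify", verifyHandler(cosignCLIVerifier("/keys/cosign.pub")))
	log.Fatal(http.ListenAndServe(":8080", mux))
}
```

Every error path answers with verified set to false, so the Rego check output.body.verified == true denies on bad input, on a missing signature and on a wrapper failure alike; the policy never has to distinguish the cases to stay fail-closed.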

@csongpaxos nope, sorry, I didn't go into OPA and those topics yet to figure out how to configure it.

marcofranssen, Oct 25 '21 10:10