  • Stars: 182
  • Rank: 211,154 (Top 5 %)
  • Language: Go
  • License: Apache License 2.0
  • Created about 3 years ago
  • Updated 5 months ago


Repository Details

Artifact Ratification Framework

Ratify

Ratify is a verification engine, available as a standalone binary and as a Kubernetes component, that verifies the security metadata attached to artifacts (for example signatures) and admits for deployment only those artifacts that comply with policies you define.

WARNING: This is not considered production-grade code by its developers, nor is it "supported" software.



Community meetings

  • Agenda: https://hackmd.io/ABueHjizRz2iFQpWnQrnNA
  • We hold a weekly Ratify community meeting with alternating times to accommodate more time zones: Series #1 on Wednesdays 4:30-5:30pm, Series #2 on Wednesdays 1-2pm. Get the Ratify Community Meeting Calendar here.
  • We meet regularly to discuss and prioritize issues. A meeting may be cancelled for holidays; all cancellations are posted to the meeting notes before the meeting.
  • Reach out on Slack at cloud-native.slack.com#ratify. If you're not already a member of the cloud-native Slack workspace, first add yourself here.

Pull Request Review Series

  • We hold a weekly Ratify Pull Request Review Series on Mondays 5-6 pm PST.
  • Use this time to walk through any Pull Request and seek feedback from others in the community. If there are no PRs to review, that week's meeting is cancelled.
  • Reach out on Slack, or during the weekly community meeting, if you want to reserve a session for review.

Quick Start

Try out Ratify in Kubernetes with Gatekeeper as the admission controller.

Prerequisites:

  • Kubernetes v1.20 or higher
  • OPA Gatekeeper v3.10 or higher

Step 1: Setup Gatekeeper with external data

NOTE: If you have already added the Helm repositories for Gatekeeper and Ratify, run helm repo update before installing.

helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts

helm install gatekeeper/gatekeeper  \
    --name-template=gatekeeper \
    --namespace gatekeeper-system --create-namespace \
    --set enableExternalData=true \
    --set validatingWebhookTimeoutSeconds=5 \
    --set mutatingWebhookTimeoutSeconds=2

NOTE: validatingWebhookTimeoutSeconds and mutatingWebhookTimeoutSeconds are raised from their defaults (3 to 5 and 1 to 2 respectively) so that all Ratify operations complete in complex scenarios; a verification that exceeds the webhook timeout is not a policy decision, so the webhook's failurePolicy decides the outcome instead. See the discussion here on removing this requirement. Kubernetes v1.20 or higher is REQUIRED to increase the timeout. The timeout is configurable in the Helm chart under the provider.timeout section.

Step 2: Deploy Ratify alongside Gatekeeper in the gatekeeper-system namespace.

  • Option 1: Install the last released version of Ratify

Note: if crt/key/cabundle are NOT set under provider.tls in values.yaml, Helm generates a CA certificate and a server key/certificate for you.

helm repo add ratify https://deislabs.github.io/ratify
# download the notary verification certificate
curl -sSLO https://raw.githubusercontent.com/deislabs/ratify/main/test/testdata/notary.crt
helm install ratify \
    ratify/ratify --atomic \
    --namespace gatekeeper-system \
    --set-file notaryCert=./notary.crt
  • Option 2: Install ratify with charts from your local branch.
    Note: the latest chart in main may not be compatible with the last released Ratify image; learn more about weekly dev builds here.
git clone https://github.com/deislabs/ratify.git
cd ratify
helm install ratify \
    ./charts/ratify --atomic \
    --namespace gatekeeper-system \
    --set-file notaryCert=./test/testdata/notary.crt

Step 3: See Ratify in action

  • Deploy a demo constraint.
kubectl apply -f https://deislabs.github.io/ratify/library/default/template.yaml
kubectl apply -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml

Once the installation is complete, you can test the deployment of an image signed with Notary V2.

  • This will successfully create the pod demo
kubectl run demo --image=wabbitnetworks.azurecr.io/test/notary-image:signed
kubectl get pods demo

Optionally you can see the output of the pod logs via: kubectl logs demo

  • Now deploy an unsigned image
kubectl run demo1 --image=wabbitnetworks.azurecr.io/test/notary-image:unsigned

Gatekeeper denies the request to create it, because the image carries no signature:

Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: wabbitnetworks.azurecr.io/test/notary-image:unsigned

You just validated the container images in your k8s cluster!
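The two kubectl run commands above show the policy working once, by hand. Because a Gatekeeper webhook that times out or cannot reach Ratify is not the same thing as a denial, a practitioner wants to check that the unsigned image is denied by policy and not merely failing, or worse, being admitted. The script below is an added example for this page, not part of the Ratify project: it replays Step 3 with --dry-run=server (admission webhooks still run, but no pod is persisted) and distinguishes "admitted", "denied by Gatekeeper", and "webhook error". It assumes kubectl is pointed at the cluster from Steps 1 and 2 and that the demo constraint is applied; the image references default to the ones used above and can be overridden via SIGNED_IMAGE and UNSIGNED_IMAGE.

```shell
#!/usr/bin/env sh
# Added smoke test for the Ratify + Gatekeeper quick start (example code, not
# the Ratify project's own). Assumes kubectl targets the cluster where
# Gatekeeper and Ratify were installed and the demo constraint is applied.
set -u

SIGNED_IMAGE=${SIGNED_IMAGE:-wabbitnetworks.azurecr.io/test/notary-image:signed}
UNSIGNED_IMAGE=${UNSIGNED_IMAGE:-wabbitnetworks.azurecr.io/test/notary-image:unsigned}

# Classify one admission attempt from kubectl's exit code ($1) and stderr ($2).
# Prints one of: admitted | denied | webhook_error | other_error.
# Only an explicit Gatekeeper denial counts as a policy decision; a webhook
# timeout or call failure is reported separately so it is never mistaken for one.
classify_admission() {
  _code=$1
  _err=$2
  if [ "$_code" -eq 0 ]; then
    printf 'admitted'
    return 0
  fi
  case $_err in
    *'admission webhook "validation.gatekeeper.sh" denied the request'*)
      printf 'denied' ;;
    *'validation.gatekeeper.sh'*|*'context deadline exceeded'*|*'timeout'*|*'Timeout'*)
      printf 'webhook_error' ;;
    *)
      printf 'other_error' ;;
  esac
}

# Extract the policy message from a Gatekeeper denial, e.g.
# "[ratify-constraint] Subject failed verification: <image>".
deny_reason() {
  printf '%s' "$1" | sed -n 's/.*denied the request: //p' | head -n 1
}

# Submit a pod with --dry-run=server: the API server runs admission, so
# Gatekeeper consults Ratify, but nothing is persisted. Prints the classification.
try_admit() {
  _name=$1
  _image=$2
  _code=0
  _err=$(kubectl run "$_name" --image="$_image" --dry-run=server -o name 2>&1 >/dev/null) || _code=$?
  classify_admission "$_code" "$_err"
}

# Positive and negative check. Returns non-zero on any unexpected outcome.
smoke_test() {
  _fail=0
  _r=$(try_admit ratify-smoke-signed "$SIGNED_IMAGE")
  [ "$_r" = admitted ] || { echo "FAIL: signed image not admitted ($_r)"; _fail=1; }

  _r=$(try_admit ratify-smoke-unsigned "$UNSIGNED_IMAGE")
  case $_r in
    denied) echo "OK: unsigned image denied by policy" ;;
    admitted)
      echo "FAIL: unsigned image admitted; policy is not enforced (check the constraint and the webhook failurePolicy)"
      _fail=1 ;;
    *)
      echo "FAIL: unsigned image hit '$_r', not a policy decision (check webhook timeout and Ratify logs)"
      _fail=1 ;;
  esac
  return $_fail
}

# Run the checks only when invoked as: sh ratify-smoke.sh run
case ${1:-} in
  run) smoke_test ;;
esac
```

Run it with `sh ratify-smoke.sh run` after Step 3. A result of webhook_error on the unsigned image means the decision never reached the policy (typically the webhook timeout from Step 1 or an unreachable Ratify pod); an admitted result for the unsigned image means the cluster is failing open and should not be treated as protected.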

Step 4: Uninstall Ratify

Notes: Helm does not upgrade CRDs, and helm delete leaves them in place, so after uninstalling Ratify you must delete its CRDs manually. Otherwise a later install of a newer Ratify version may fail to install its updated CRDs.

kubectl delete -f https://deislabs.github.io/ratify/library/default/template.yaml
kubectl delete -f https://deislabs.github.io/ratify/library/default/samples/constraint.yaml
helm delete ratify --namespace gatekeeper-system
kubectl delete crd stores.config.ratify.deislabs.io verifiers.config.ratify.deislabs.io certificatestores.config.ratify.deislabs.io

Notes

If the image reference provided resolves to an OCI Index or a Docker Manifest List, validation will occur ONLY at the index or manifest list level. Ratify currently does NOT support image validation based on automatic platform selection. For more information, see this issue.

Documents

The docs folder contains the beginnings of a formal specification for the Reference Artifact Verification framework and its plugin model.

Meeting notes for weekly project syncs can be found here

Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct.

For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

Release Management

The Ratify release process is defined in RELEASES.md.

Licensing

This project is released under the Apache-2.0 License.

Trademark

This project may contain trademarks or logos for projects, products, or services. Authorized use of Microsoft trademarks or logos is subject to and must follow Microsoft's Trademark & Brand Guidelines. Use of Microsoft trademarks or logos in modified versions of this project must not cause confusion or imply Microsoft sponsorship. Any use of third-party trademarks or logos are subject to those third-party's policies.
