kelseyhightower/grafeas-tutorial kelseyhightower/grafeas-tutorial

  • Stars
    star
    191
  • Rank 195,719 (Top 4 %)
  • Language
    Go
  • License
    Apache License 2.0
  • Created over 6 years ago
  • Updated over 5 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
kelseyhightower/grafeas-tutorial
github

kelseyhightower

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A step by step guide for getting started with Grafeas and Kubernetes.

Grafeas Tutorial

This tutorial will guide you through testing Grafeas. In it, you will create a Kubernetes cluster configured to only allow container images signed by a specific key, configurable via a configmap. Container image signatures will be stored in Grafeas. To make sure only signed images are allowed, you will start an admission plugin service which finds signatures in Grafeas and verifies them.

Check out the Introducing Grafeas blog post for additional context.

Tutorial

Prerequisites

Clone this repository:

git clone https://github.com/kelseyhightower/grafeas-tutorial.git

cd grafeas-tutorial

The remainder of this tutorial assumes you are in the grafeas-tutorial directory.

Infrastructure

A Kubernetes 1.9+ cluster is required with support for the ValidatingAdmissionWebhook alpha feature enabled.

If you have access to Google Kubernetes Engine use the gcloud command to create a 1.9.1 Kubernetes cluster:

gcloud alpha container clusters create grafeas \
  --enable-kubernetes-alpha \
  --cluster-version 1.9.1-gke.0

Any Kubernetes 1.9 cluster with support for validating admission webhooks will work.

Deploy the Grafeas Server

Grafeas is an open artifact metadata API to audit and govern your software supply chain. In this tutorial Grafeas will be used to store container image signatures.

Create the Grafeas server deployment:

kubectl apply -f kubernetes/grafeas.yaml

While in early alpha the Grafeas server leverages an in-memory data store. If the Grafeas server is ever restarted all image signature must be repopulated.

Generating GPG Signing Keys

In this section you will generate a gpg keypair suitable for signing container image metadata.

Install gpg for you platform:

OS X

brew install gpg2

Linux

apt-get install gnupg

Once gpg has been installed generate a signing key:

gpg --quick-generate-key --yes [email protected]

Retrive the ID of the signing key:

gpg --list-keys --keyid-format short

------------------------------------
pub   rsa2048/0CD9D96F 2017-10-17 [SC] [expires: 2019-10-17]
      510CE141B559A243439EB18926CE52D30CD9D96F
uid         [ultimate] [email protected]
sub   rsa2048/2C216B83 2017-10-17 [E]

Based on the above output the key ID is 0CD9D96F. Your key ID will be different.

Store the ID of your signing key in the GPG_KEY_ID env var:

GPG_KEY_ID="0CD9D96F"

Signing Container Image Metadata

Container images tend to range in size from a few megabytes to multiple gigabytes. Signing and distributing container images can be quite resource intensive so we are going to opt for signing the image digest which uniquely identifies a container image.

In this tutorial the gcr.io/hightowerlabs/echod container image will be used for testing. Instead of trusting an image tag such 0.0.1, which can be reused and point to a different container image later, we are going to trust the image digest.

cat image-digest.txt

sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887

Sign the image digest text file:

gpg -u [email protected] \
  --armor \
  --clearsign \
  --output=signature.gpg \
  image-digest.txt

Verify the signature:

gpg --output - --verify signature.gpg

sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887
gpg: Signature made Tue Oct 17 09:11:53 2017 PDT
gpg:                using RSA key 510CE141B559A243439EB18926CE52D30CD9D96F
gpg:                issuer "[email protected]"
gpg: Good signature from "[email protected]" [ultimate]

In order for others to verify signed images they must trust and have access to the image signer's public key. Export the image signer's public key:

gpg --armor --export [email protected] > ${GPG_KEY_ID}.pub

Create a pgpSignedAttestation Occurrence

Now that we have a signed container image, and a public key to verify it, we need to create a pgpSignedAttestation occurrence using the Grafeas API.

In a new terminal create a secure tunnel to the grafeas server:

kubectl port-forward \
  $(kubectl get pods -l app=grafeas -o jsonpath='{.items[0].metadata.name}') \
  8080:8080

Create the production attestationAuthority note:

curl -X POST \
  "http://127.0.0.1:8080/v1alpha1/projects/image-signing/notes?noteId=production" \
  -d @note.json

Generate an pgpSignedAttestation occurrence:

GPG_SIGNATURE=$(cat signature.gpg | base64)

RESOURCE_URL="https://gcr.io/hightowerlabs/echod@sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887"

cat > occurrence.json <<EOF
{
  "resourceUrl": "${RESOURCE_URL}",
  "noteName": "projects/image-signing/notes/production",
  "attestation": {
    "pgpSignedAttestation": {
       "signature": "${GPG_SIGNATURE}",
       "contentType": "application/vnd.gcr.image.url.v1",
       "pgpKeyId": "${GPG_KEY_ID}"
    }
  }
}
EOF

Post the pgpSignedAttestation occurrence:

curl -X POST \
  'http://127.0.0.1:8080/v1alpha1/projects/image-signing/occurrences' \
  -d @occurrence.json

At this point the gcr.io/hightowerlabs/echod container image can be verified through the Grafeas API.

Only the gcr.io/hightowerlabs/echod container image identified by the sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887 image digest and be verified by the Grafeas API. Additional images require a new occurrence.

Deploy the Image Signature Webhook

Create the image-signature-webhook configmap and store the image signer's public key:

kubectl create configmap image-signature-webhook \
  --from-file ${GPG_KEY_ID}.pub

kubectl get configmap image-signature-webhook -o yaml

Create the tls-image-signature-webhook secret and store the TLS certs:

kubectl create secret tls tls-image-signature-webhook \
  --key pki/image-signature-webhook-key.pem \
  --cert pki/image-signature-webhook.pem

Create the image-signature-webhook deployment:

kubectl apply -f kubernetes/image-signature-webhook.yaml

Create the image-signature-webook ValidatingWebhookConfiguration:

kubectl apply -f kubernetes/validating-webhook-configuration.yaml

After you create the validating webhook configuration, the system will take a few seconds to honor the new configuration.

Testing the Admission Webhook

Attempt to run the nginx:1.13 container image which does not have an pgpSignedAttestation occurrence in the Grafeas API. Create the nginx pod:

kubectl apply -f pods/nginx.yaml

Notice the nginx pod was not created and the follow error was returned:

The  "" is invalid: : No matched signatures for container image: nginx:1.13

Attempt to run the gcr.io/hightowerlabs/echod@sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887 container image which has an pgpSignedAttestation occurrence in the Grafeas API.

kubectl apply -f pods/echod.yaml 

pod "echod" created

At this point the following pods should be running in your cluster:

kubectl get pods

NAME                                       READY     STATUS    RESTARTS   AGE
echod                                      1/1       Running   0          5m
grafeas-5b5759cbcf-lx8r5                   1/1       Running   0          12m
image-signature-webhook-6cc7d6bd74-55blt   1/1       Running   0          8m

Notice the nginx pod was not created because the nginx:1.13 container image was not verified by the image signature webhook.

Cleanup

Run the following commands to remove the Kubernetes resources created during this tutorial:

kubectl delete deployments grafeas image-signature-webhook
kubectl delete pods echod
kubectl delete svc grafeas image-signature-webhook
kubectl delete secrets tls-image-signature-webhook
kubectl delete configmap image-signature-webhook

More Repositories

1

nocode

The best way to write secure and reliable applications. Write nothing; deploy nowhere.
Dockerfile
59,013
star
2

kubernetes-the-hard-way

Bootstrap Kubernetes the hard way on Google Cloud Platform. No scripts.
38,169
star
3

confd

Manage local application configuration files using templates and data from etcd or consul
Go
8,274
star
4

envconfig

Golang library for managing configuration data from environment variables
Go
4,881
star
5

kube-cert-manager

Manage Lets Encrypt certificates for a Kubernetes cluster.
Go
1,087
star
6

intro-to-kubernetes-workshop

Intro to Kubernetes Workshop
1,016
star
7

pipeline

A step by step guide on creating build and deployment pipelines for Kubernetes.
747
star
8

consul-on-kubernetes

Running HashiCorp's Consul on Kubernetes
Shell
598
star
9

konfd

Manage application configuration using Kubernetes secrets, configmaps, and Go templates.
Go
494
star
10

kubernetes-cluster-federation

Kubernetes cluster federation tutorial
458
star
11

vault-controller

Automate the creation of unique Vault tokens for Kubernetes Pods using init containers.
Go
448
star
12

compose2kube

Convert docker-compose service files to Kubernetes objects.
Go
417
star
13

serverless-vault-with-cloud-run

Guide to running Vault on Cloud Run
Shell
392
star
14

vault-on-google-kubernetes-engine

How to guide on running HashiCorp's Vault on Google Kubernetes Engine
Shell
387
star
15

app

Example 12 Facter App
Go
379
star
16

terminus

Get facts about a Linux system.
Go
361
star
17

nomad-on-kubernetes

Tutorial on running Nomad on Kubernetes.
Shell
342
star
18

istio-ingress-tutorial

How to run the Istio Ingress Controller on Kubernetes
Shell
322
star
19

kubernetes-initializer-tutorial

Hands-on tutorial for building and deploying Kubernetes Initializers.
Go
321
star
20

kubestack

Manage Kubernetes with Packer and Terraform on Google Compute Engine.
297
star
21

grpc-hello-service

grpc examples
Go
272
star
22

coreos-ipxe-server

CoreOS iPXE server
Go
218
star
23

kubernetes-redis-cluster

Kubernetes Redis Cluster configs and tutorial
Shell
215
star
24

standalone-kubelet-tutorial

Standalone Kubelet Tutorial
Go
204
star
25

docker-kubernetes-tls-guide

Step by step guide on how to secure Docker and Kubernetes using TLS with CloudFlare’s CFSSL
191
star
26

google-cloud-functions-go

Google Cloud Function tutorial and hacks to enable the use of Go.
Go
180
star
27

helloworld

Go
180
star
28

scheduler

Toy Kubernetes Scheduler
Go
174
star
29

craft-kubernetes-workshop

Craft Kubernetes Workshop
Shell
172
star
30

ingress-with-static-ip

Tutorial on creating a Kubernetes Ingress Resource with a Static IP Address in GCP or GKE
165
star
31

mesh

Cloud native service mesh for the rest of us.
160
star
32

lobsters-on-kubernetes

Lobsters, the Hacker News clone, on Kubernetes
Shell
156
star
33

denyenv-validating-admission-webhook

An Kubernetes validating admission webhook that rejects pods that use environment variables.
JavaScript
154
star
34

vault-init

Automate the initialization and unsealing of HashiCorp Vault on Google Cloud Platform.
Go
151
star
35

certificate-init-container

Bootstrap TLS certificates for Pods using the Kubernetes certificates API.
Go
146
star
36

kubeadm-single-node-cluster

How to bootstrap a single-node Kubernetes cluster on Google Compute Engine using kubeadm.
Shell
140
star
37

hashiapp

Demo 12 Factor application that utilizes Hashicorp tools.
Go
134
star
38

kubernetes-envoy-sds

Kubernetes Envoy Service Discovery Service.
Go
133
star
39

setup-network-environment

Create an environment file with system networking information.
Go
131
star
40

kargo

Go
125
star
41

contributors

Display GitHub contributors for a specific repo.
Go
123
star
42

self-deploying-hello-universe

What if applications could deploy themselves?
Go
123
star
43

konfig

Go
119
star
44

event-gateway-on-kubernetes

How to guide on running Serverless.com's Event Gateway on Kubernetes
Go
119
star
45

gke-service-accounts-tutorial

A tutorial on using Google Cloud service account with Google Container Engine (GKE).
Go
109
star
46

run

Package run provides helper functions for building Cloud Run applications.
Go
107
star
47

hashiconf-eu-2016

HashiConf EU 2016
Shell
106
star
48

talks

Shell
99
star
49

badger

Generate build status images for Google Cloud Build
Go
98
star
50

riff-tutorial

How-to guide for testing the riff FaaS platform and Istio on Google Kubernetes Engine.
Go
97
star
51

cri-o-tutorial

A guided tutorial for the cri-o (ocid) Kubernetes container runtime.
95
star
52

lambda-on-cloud-run

Tutorial: Running Lambda Functions on Cloud Run
Dockerfile
83
star
53

gophercon-2018

Kelsey's GopherCon 2018 Keynote: Going Serverless
Go
72
star
54

12-fractured-apps

Example code for the 12 Fractured Apps blog posts.
Go
71
star
55

etcd-production-setup

Setting up etcd to run in production.
69
star
56

cmd-tutorial

68
star
57

oscon-2017-kubernetes-tutorial

OSCON 2017 Kubernetes Tutorial
68
star
58

jira-on-kubernetes

Notes: Running Atlassian's Jira on Kubernetes
67
star
59

conf2kube

conf2kube can read and create Kubernetes secrets based on the contents of configuration files.
Go
64
star
60

endpoints

Kubernetes endpoints load balancer.
Go
62
star
61

oscon-metrics-tutorial

OSCON Metrics Tutorial
60
star
62

echo

echo prints the first positional argument to stdout
Assembly
59
star
63

memkv

Simple in-memory key/value store backed by a map
Go
58
star
64

motorboat

Dynamically sync Nginx Plus backends from Kubernetes service endpoints.
Go
57
star
65

app-healthz

Example app with a healthz endpoint
Go
55
star
66

dynamic-ports-tutorial

A prototype of using dynamic ports with Kubernetes.
Go
54
star
67

ipxed

Web interface and api for ipxed
Go
51
star
68

helloworld-infrastructure-production

51
star
69

intro-to-go-workshop

Intro to Go Workshop
Go
50
star
70

pipeline-application

Go
48
star
71

reposync

Sync GitHub and Google Cloud Source Repos
Go
45
star
72

journal-2-logentries

Ship systemd journal entries to logentries.com
Go
45
star
73

pm

Package manager
Go
44
star
74

time

Educational package to teach aspiring programmers about history through the lens of time.
Go
44
star
75

container-instance-metadata-server

Cloud Run Container Instance Metadata Server Emulator
Go
41
star
76

kube

Basic single node Kubernetes using a bash script.
Shell
40
star
77

helloworld-infrastructure-staging

36
star
78

gcscache

GCS Cache implements the autocet.Cache interface using Google Cloud Storage.
Go
35
star
79

helloworld-infrastructure-qa

35
star
80

memq

In memory message queue prototype.
Go
32
star
81

kubestack-solo

Create a single node Kubernetes image for local testing with VMware Fusion.
32
star
82

jsonrpc-server

Complete example on using net/rpc over HTTP with the jsonrpc encoding
Go
32
star
83

opa-on-cloud-run

Tutorial: Open Policy Agent on Cloud Run
Shell
31
star
84

confidence

Example application which demonstrates various configuration options for modern applications.
Go
30
star
85

cloud-functions-min-instances-tutorial

Cloud Functions Min Instances Tutorial
Go
30
star
86

hello-cuelang

Learning CUE in public
Go
29
star
87

kube-rsa

Generate self-signed TLS certificates for Kubernetes
Go
29
star
88

kur

Kubernetes Up and Running
Shell
28
star
89

echod

A small echo server written in x86-32 asm
Assembly
28
star
90

redis-enterprise-on-kubernetes

How to deploy Redis Enterprise on Kubernetes
Shell
27
star
91

kubernetes-letsencrypt-tutorial

WIP: Kubernetes Lets Encrypt Tutorial
Go
27
star
92

krane

Convert Google Compute Engine (GCE) autoscaling instance groups to Kubernetes autoscaling deployments.
Go
27
star
93

twelve

Go
26
star
94

buildinfo

Go
25
star
95

etcd-pod-gen

Generate etcd pod specs for running under the Kubernetes Kubelet
Go
24
star
96

istio-initializer

Kubernetes Initializer that injects the Istio sidecar into pods.
Go
24
star
97

config-connector-policy-demo

Kubernetes Config Connector Policy Demo.
Open Policy Agent
24
star
98

dialogflow

The best way to create Dialogflow webhooks in Go.
Go
23
star
99

functions

Google Cloud Functions Helpers
Go
23
star
100

terraform-kcc-demo

Terraform KCC Demo
Shell
22
star