Signing and Verifying Container Images With Sigstore Cosign and Kyverno

If we want to be certain that what we're running is what we built, we might need to sign container (Docker) images, as well as other types of artifacts. That's where Cosign jumps in. Sigstore Cosign makes signatures invisible, especially if we combine it with Kyverno or other Kubernetes admission controller solutions.

#cosign #sigstore #kubernetes

▬▬▬▬▬▬ ⏱ Timecodes ⏱ ▬▬▬▬▬▬
00:00 Introduction To Sigstore Cosign
03:38 Client-Side Container Image Validation With Cosign
06:22 Enforce Usage Of Signed Container Images With Kyverno
09:47 Sign Container Images With Sigstore Cosign
11:51 It's Not Only About Container Images
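The enforcement step from the timecodes (Kyverno refusing to admit unsigned images) as an added example, not a manifest from the video or from the Kyverno project: a ClusterPolicy using Kyverno's `verifyImages` rule. The registry path `ghcr.io/example-org/*` and the public key contents are assumptions; in practice the key is the `cosign.pub` produced by `cosign generate-key-pair`.

```yaml
# Added example (not from the video): a Kyverno ClusterPolicy that only admits
# Pods whose images under the assumed registry path carry a valid Cosign
# signature made with the private key matching the public key below.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-cosign-signatures
spec:
  # Enforce rejects non-compliant Pods; Audit would only report them.
  validationFailureAction: Enforce
  # Admission-only rule; do not re-evaluate existing resources in the background.
  background: false
  # Signature lookups talk to the registry, so allow time and fail closed.
  webhookTimeoutSeconds: 30
  failurePolicy: Fail
  rules:
    - name: check-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Assumed registry path; only images matching it are checked.
        - imageReferences:
            - "ghcr.io/example-org/*"
          # Rewrite the image tag to the verified digest so that the image
          # that was verified is exactly the one that runs.
          mutateDigest: true
          verifyDigest: true
          # Fail admission if no matching signature exists.
          required: true
          attestors:
            - count: 1
              entries:
                - keys:
                    # Placeholder: paste the contents of cosign.pub here.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <contents of cosign.pub>
                      -----END PUBLIC KEY-----
```

With this policy applied, an image signed in CI with `cosign sign --key cosign.key ghcr.io/example-org/app:1.0.0` is admitted, while the same image pushed without a signature is rejected; the same check can be run on a workstation with `cosign verify --key cosign.pub ghcr.io/example-org/app:1.0.0`. Rolling the policy out with `validationFailureAction: Audit` first surfaces already-running unsigned workloads in policy reports before switching to `Enforce`, so a rolling update of an existing deployment is not blocked unexpectedly.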
Comments

Are you signing and verifying your container images? If you are, which tools do you use? If you're not, why not?

DevOpsToolkit

Great quote from Viktor: You don't have a single excuse to not use it!

dirien

We use this exact setup, signing with a KMS key, which is a nice way to outsource the key management aspect to the cloud provider.

artemakatev

Have you tried Notary v2 for signing and verifying? It uses the OCI 1.1 spec to store signatures as referenced artefacts, which is much cleaner than cosign's tag-based approach. It also doesn't rely on sigstore tools like Fulcio/Rekor. Notary works with existing PKI you can trust. Notation also works with OPA Gatekeeper for admission control.

dasiths

Note about image verification: Image verification is a beta feature. It is not ready for production usage and there may be breaking changes.

pbatalla

How can I apply the policy to verify images on existing deployments in production? Let's say I have added a step in my CI pipeline to sign the image after it is pushed to the registry, and then run CD using helm upgrade; the policy stops me from performing a rolling update. How can I dodge that?

vedantaggrawal

I feel like with all the tools etc. that need some sort of private key or token I would also need a GitLab "keystore". I love GitOps, but as a beginner it sometimes feels as if your Git instance kinda becomes a single point of failure. How do you protect yourself from that?

lilbitsquishyv

Hi sir thanks for the video

How to set up Sigstore locally to authenticate using OIDC?

palanisamy-dlqe

Could you provide some guide like this using private repositories?

aleixolucas

What if I work in a private network, does it still make sense to sign images?

kevin

Do we need a policy to prevent unsigned images, as maybe we will configure the worker node to pull signed images only?

Or are you showing here that you can pull any image, but the image still needs to be signed?
I'm the same reddit guy who asked for signing help.
Thanks for covering signing.

devendrasahu

What about Google Cloud's Binary Authorization policy?

senthilkumarshanmugam

I'm ashamed to admit that I didn't know about Kyverno. 🙂
I (tried to) use but stopped when I realized it's in its early stages and there are only a couple of devs supporting it, so it's risky for production.
Kyverno seems to have a little bit more support, but it's also in its early stages (beta?), and so it too is risky to use in production.
I'm thinking of using OPA Gatekeeper, which is (more) advanced and supported, but boy, is it hard to configure. And it seems too powerful for the simple task of image signature verification.

fanemanelistu