Secure supply chain
A secure supply chain infrastructure can verify the validity of its parts, or links. It lets users and developers show the chain of custody of its software components, or artifacts. It's an active approach to mitigate security issues.
The Sigstore project provides tools and infrastructure for this. It's for validating the integrity of the artifact supply chain.
Kubewarden uses cosign
together with the fulcio and rekor infrastructure offered by the Sigstore project.
Cluster operators can configure Kubewarden to only run policies signed by trusted entities. Policy developers can sign their policies and publish them in a registry.
Prerequisites
In the following sections, you need a few tools to be installed.
These are so users can sign and verify OCI artifacts signatures.
The examples show the use of cosign
and kwctl
utilities for signing and inspecting policies.
Users may also want to use GitHub to sign their policies. In which case, they need to install Github actions
Keyless signing uses the default fulcio and rekor instances provided by the Sigstore project. Check the Sigstore documentation for details on how to use your own infrastructure for this, if needed.
Signing policies
Kubewarden recommends using Sigstore's cosign utility to signing policies.
This section shows a key-based method of signing policies.
Users need to generate a private-public key-pair for this.
The generated keys help to verify if the signed artifacts came from the expected user.
To generate this key-pair use this cosign generate-key-pair
command:
cosign generate-key-pair
Resulting in a prompt to type and verify a password:
Enter password for private key: ●●●●●●●●
Enter password for private key again: ●●●●●●●●
Private key written to cosign.key
Public key written to cosign.pub
Now you can use this key to sign policies.
The private key file, cosign.key
, shouldn't be shared.
This is a secret file only for use by the key owner for signing policies.
To sign a policy you can use cosign sign
passing the --key
command line argument with your private key file:
cosign sign --key cosign.key ghcr.io/kubewarden/policies/user-group-psp:latest
Resulting in a prompt for the password, for the specified private key:
an error occurred: no provider found for that key reference, will try to load key from disk...
Enter password for private key: ●●●●●●●●
Pushing signature to: ghcr.io/kubewarden/policies/user-group-psp
This command signs the policy by creating a new signature object. The signature object is then uploaded into the registry, with the policy. Now the policy is ready to use in a Kubewarden installation using signature verification.
The same policy can be signed multiple times, by the same user or different ones. These signatures are added to the signature object along with the original signature.
For more information about how the signing process works, check out the Sigstore project documentation.