osdocs10264: validate cluster wide policies using sigstore #86776
🤖 Tue Jan 07 17:22:00 - Prow CI generated the docs preview: https://86776--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/nodes-sigstore-using.html |
|
@DCChadwick: all tests passed! Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
mtrmac
left a comment
A very brief skim
| Sign the Image Using Cosign: | ||
| Sign the image using your private key and push the signature to the registry: | ||
| sh | ||
| cosign sign --key ./cosign.key --registry-username=<your-username> --registry-password=<your-password> quay.io/qiwanredhat/test-sigstoresigned:latest |
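Review bot: the `--registry-username=<your-username> --registry-password=<your-password>` flags on the `cosign sign` line put the registry credential into the shell history and into the process list of anyone on the same host; have the reader authenticate beforehand (e.g. `cosign login quay.io`, or the `podman login` they will already have done to push) and drop the two flags from the documented command.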
Push + later sign is discouraged; this is vulnerable to attacks by the malicious registry.
Use podman push --sign-by-sigstore-private-key or --sign-by-sigstore to do this securely for just-built images.
(And for the use cases where cosign sign were truly required, use --recursive to interoperate with OCP, and IIRC --sign-container-identity quay.io/qiwanredhat/test-sigstoresigned:latest is typically required.)
… I’d say that cosign sign should be extremely rarely “truly required”. skopeo copy --sign… to promote an image from staging to production and sign, for example.
| + | ||
| [source,sh] | ||
| ---- | ||
| cosign generate-key-pair |
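Review bot: the `cosign generate-key-pair` step does not say what it produces; it prompts for a private-key password and writes `cosign.key` and `cosign.pub` into the current directory, and the later `cosign sign --key ./cosign.key` step depends on that path and asks for the same password. State that here, and tell the reader that `cosign.key` is the secret to protect while `cosign.pub` is what later goes into the policy.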
skopeo generate-sigstore-key.
AFAIK we don’t ship cosign as part of RHEL; if this article should rely on cosign, it probably needs to tell users how to get it.
| cosign sign --key ./cosign.key --registry-username=<your-username> --registry-password=<your-password> quay.io/qiwanredhat/test-sigstoresigned:latest | ||
| ---- | ||
|
|
||
| . Launch OpenShift Cluster ClusterBot to enable the feature gate: |
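Review bot: the procedure goes from the `cosign sign` line straight to `Launch OpenShift Cluster ClusterBot` without checking that a signature actually landed in the registry; add a verification step before the cluster work (e.g. `cosign verify --key cosign.pub quay.io/qiwanredhat/test-sigstoresigned:latest`) so a failed or mis-targeted signing is caught before the cluster policy is configured and the failure shows up as a pull error.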
Uh, is that something customers can use at all?
| publicKey: | ||
| keyData: <base64-encoded-cosign.pub> | ||
| signedIdentity: | ||
| matchPolicy: MatchRepository |
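Review bot: `keyData: <base64-encoded-cosign.pub>` leaves the reader to guess the encoding; say that the value is the base64 of the whole PEM file as written by the key-generation step and show the command that produces it on RHEL (e.g. `base64 -w0 cosign.pub`), so nobody pastes the PEM text itself or a line-wrapped base64 string into the policy.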
This is generally a bad idea. It is necessary to consume third-party images signed by cosign, but cosign users should instead use --sign-container-identity to create signatures with the right tag.
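As an added example (not text from the PR or code from the reviewer), the ClusterImagePolicy fragment under review with the weak `MatchRepository` setting beside the hardened form; it assumes the `config.openshift.io/v1alpha1` ClusterImagePolicy schema of OpenShift 4.18 and keeps the page's `<base64-encoded-cosign.pub>` placeholder for `keyData`.

```yaml
# Added example, not from the PR or the reviewer: the same ClusterImagePolicy
# with the weak matchPolicy next to the hardened one. Assumes the
# config.openshift.io/v1alpha1 ClusterImagePolicy schema of OpenShift 4.18;
# <base64-encoded-cosign.pub> is the page's placeholder for base64 of cosign.pub.
---
# WEAK: MatchRepository accepts a signature made for ANY tag or digest in the
# repository, so a signature made when the image was :v1 also validates it
# after someone with registry access retags it as :latest.
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: sigstore-weak
spec:
  scopes:
    - quay.io/qiwanredhat/test-sigstoresigned
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: <base64-encoded-cosign.pub>
    signedIdentity:
      matchPolicy: MatchRepository
---
# HARDENED: MatchRepoDigestOrExact (the default) only accepts a signature whose
# recorded identity equals the reference being pulled (or its repository when
# pulling by digest). The signing step therefore has to record that identity,
# which podman does at push time:
#   podman push --sign-by-sigstore-private-key ./cosign.key \
#     quay.io/qiwanredhat/test-sigstoresigned:latest
# or, if cosign must be used:
#   cosign sign --key ./cosign.key --recursive \
#     --sign-container-identity quay.io/qiwanredhat/test-sigstoresigned:latest \
#     quay.io/qiwanredhat/test-sigstoresigned:latest
apiVersion: config.openshift.io/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: sigstore-hardened
spec:
  scopes:
    - quay.io/qiwanredhat/test-sigstoresigned
  policy:
    rootOfTrust:
      policyType: PublicKey
      publicKey:
        keyData: <base64-encoded-cosign.pub>
    signedIdentity:
      matchPolicy: MatchRepoDigestOrExact
```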
| ---- | ||
|
|
||
| . Enable CRI-O debug log level: | ||
| .. Create a ContainerRuntimeConfig to set the log level to debug: |
This is not really a part of the procedure. It is useful to test that the thing works, sure, but users should not leave debug level output enabled forever. And, anyway, verifying that pulling an unsigned image fails is a better test.
During review, it was discovered that another PR already covers this procedure: #86087
Version(s): 4.18
Issue: OSDOCS-10264
Link to docs preview: https://86776--ocpdocs-pr.netlify.app/openshift-enterprise/latest/nodes/nodes-sigstore-using.html#nodes-sigstore-using-validation_nodes-sigstore-using
QE review:
Additional information: