akuity / kargo

Application lifecycle orchestration
https://kargo.akuity.io/
Apache License 2.0
1.68k stars 142 forks

Add support to validate image with cosign in the warehouse #2859

Open tal-hason opened 1 week ago

tal-hason commented 1 week ago

Checklist

Proposed Feature

When the warehouse scans for images, if the "validate signature" option is set to true in the configuration and a cosign public key is added, the warehouse will validate the image signature and pass it to the freight; if an image does not pass the signature validation, the image is then marked as not safe.

Motivation

Add a secure layer of image verification before adding images to freight, which will enhance security and artifact credibility.

Suggested Implementation

In the warehouse, add a flag to check the image signature, and add an option to provide the cosign public key.

krancour commented 1 week ago

This is a good idea, but one technical barrier may be that discovering images is already something that is really heavy on API calls to the registries. Rate limiting ends up being a huge problem and this would make it worse. I'm not opposed to this, but it might be better to leave this to something like OPA or Kyverno.

hiddeco commented 1 week ago

The lighter alternative could be to allow verification during Promotion.

tal-hason commented 1 week ago

At the end, the API just gets the new image from the registry.

And if cosign is enabled, then cosign just gets the signature of the image from the registry; it's not API dependent, it uses the OCI protocol to validate the metadata.

So API-wise, it won't be extra work...

krancour commented 1 week ago

> The lighter alternative could be to allow verification during Promotion.

I like the idea of doing it as a step that fails if an image is untrusted.

Another big motivating factor for that is cosign isn't the only game in town when it comes to image trust. Off the top of my head, there's also Docker Content Trust and Notary.

Custom/third-party steps will be enabled sometime around v1.3.0 and that extension point could be used to enable an image trust solution of the user's choosing.

Chewie commented 1 week ago

Another use of image signing that could be envisioned is to not only use it for provenance, but to exploit additional predicates to mark the end of previous steps. For example, running successful e2e tests would add a predicate to the attestation, and the promotion would be triggered by the presence of this predicate.
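The three points raised above fit together in one small script: tal-hason's argument that cosign fetches the signature as an OCI artifact stored next to the image (so the only extra registry traffic is one more blob fetch), krancour's suggestion of a promotion step that fails when an image is untrusted, and Chewie's idea of gating on a specific attestation predicate. The following is an added example written for this thread, not Kargo code and not the cosign project's code. It assumes the image is pinned by digest, that the key is a plain cosign public key file, and that a predicate is identified only by its type string; the tag layout it derives (`sha256-<hex>.sig` and `sha256-<hex>.att` in the same repository) is cosign's default when no separate signature repository is configured.

```shell
#!/usr/bin/env sh
# Added example for this issue thread (not Kargo or cosign code).
# A fail-closed image-trust gate that a promotion step could run.
# Assumptions (not from the thread): digest-pinned image reference,
# a plain cosign public key file, predicates selected by type only.

# Derive the tag cosign uses by default to store the signature ("sig")
# or attestation ("att") for an image, next to the image itself:
#   registry/repo@sha256:<hex>  ->  registry/repo:sha256-<hex>.<suffix>
# Knowing this tag is what lets a verifier fetch the signature with a
# single OCI request instead of listing or scanning tags.
cosign_artifact_ref() {
  image="$1"; suffix="$2"
  case "$image" in
    *@sha256:*) ;;
    *) echo "image must be pinned by digest: $image" >&2; return 1 ;;
  esac
  repo="${image%@sha256:*}"
  hex="${image##*@sha256:}"
  printf '%s:sha256-%s.%s\n' "$repo" "$hex" "$suffix"
}

# Gate: return 0 only when the signature validates against the key and,
# if a predicate type is given, an attestation of that type also validates.
# A missing tool, unreadable key or unpinned reference fails closed (2);
# a verification failure returns 1 so the promotion step aborts.
verify_image_or_fail() {
  image="$1"; pubkey="$2"; predicate_type="${3:-}"
  command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 2; }
  [ -r "$pubkey" ] || { echo "public key not readable: $pubkey" >&2; return 2; }
  cosign_artifact_ref "$image" sig >/dev/null || return 2
  cosign verify --key "$pubkey" "$image" >/dev/null \
    || { echo "UNTRUSTED: $image" >&2; return 1; }
  if [ -n "$predicate_type" ]; then
    # Chewie's pattern: promotion proceeds only if an earlier stage
    # (e.g. e2e tests) attached an attestation of this predicate type.
    cosign verify-attestation --key "$pubkey" --type "$predicate_type" "$image" >/dev/null \
      || { echo "missing attestation of type $predicate_type: $image" >&2; return 1; }
  fi
  echo "trusted: $image"
}

# Usage (constructed values):
#   verify_image_or_fail ghcr.io/example/app@sha256:0123abcd ./cosign.pub
#   verify_image_or_fail ghcr.io/example/app@sha256:0123abcd ./cosign.pub https://example.com/e2e-passed
```

Because the step exits non-zero on any failure, including an absent key or tool, a promotion wired to it cannot silently pass an unverified image; the verifying side pays only the OCI fetch of the derived `.sig` or `.att` reference, which is the point tal-hason makes about registry API load.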