defenseunicorns / uds-core

A secure runtime platform for mission-critical capabilities
https://uds.defenseunicorns.com
Apache License 2.0
36 stars 12 forks

Create Require Image Signature Pepr Policy #371

Open CloudBeard opened 2 months ago

CloudBeard commented 2 months ago

Is your feature request related to a problem? Please describe.

For FedRAMP/NIST compliance the Required Image Signature Pepr policy will need to be created to meet controls.

Describe the solution you'd like

The policy is already called out in the README but hasn't been created yet. https://github.com/defenseunicorns/uds-core/blob/main/src/pepr/policies/README.md

mjnagel commented 1 month ago

A couple pieces here to accomplish this:

There may be a separate way to consider accomplishing this - if we did signature validation during zarf package creation would that be sufficient? Or maybe something where zarf re-signs images during creation? This is semi-related to https://github.com/defenseunicorns/zarf/issues/2257

CloudBeard commented 1 month ago

Either of those could work, but just checking the cosign signature looks to be simpler.

If we move that responsibility from Pepr to Zarf, then if the cosign signatures don't match it looks like it will throw an error, and I'm guessing fail the build? We can use the notification of the failed build to help satisfy part of the control.

The second part may be tougher, and that would be scanning for that "periodically". I don't think NeuVector can use cosign signatures or any signature for that matter. The admission controller piece of Pepr would check that box, so when something new comes in it's "scanned" or verified against a policy.

Since the environment is managed with GitOps, in theory all images brought in would be checked by Zarf in CI, so we should be fine to say it's scanned there and only brought in if it matches.

We can close this one and track that Zarf issue instead for this.

mjnagel commented 1 month ago

NeuVector does provide a way to do sigstore/cosign validation - https://open-docs.neuvector.com/policy/admission/sigstore/ - but I think it is also at admission time only (that's pretty common with a lot of policy related things 🙃).

I think it reduces a lot of complexity/simplifies some things if we can shift the signature check "left" to zarf build time, and then, depending on how it is implemented in zarf, we could potentially have a check in pepr to validate that (1) all images are coming from zarf and (2) all images had their signatures checked by zarf? It's probably a good idea to keep this one open for the time being pending further progress/understanding of what zarf is going to do to handle on their side.
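One way to implement the Pepr-side half of that idea, point (1), as an added example that is not uds-core or Pepr code: a pure function a Pepr Validate handler could call on a Pod's container images, rejecting any image that does not come from the Zarf-managed registry or is not pinned by digest. The Zarf registry host is passed in as a parameter, and the digest-pinning rule is an assumption added here, not something the thread specifies.

```typescript
// Added example, not uds-core or Pepr code. imageViolations() enforces point
// (1) from the thread: every image must come from the Zarf registry. The
// registry host is an assumed parameter; digest pinning is an added rule.

interface ImageRef {
  registry: string;   // host[:port], or "docker.io" when none is given
  repository: string; // path after the registry
  tag?: string;
  digest?: string;    // "sha256:<hex>" when pinned by digest
}

// Parse an OCI image reference. The first path segment is a registry only if
// it contains "." or ":" or is "localhost" (the Docker convention).
function parseImageRef(ref: string): ImageRef {
  let rest = ref;
  let digest: string | undefined;
  const at = rest.indexOf("@");
  if (at !== -1) {
    digest = rest.slice(at + 1);
    rest = rest.slice(0, at);
  }
  const slash = rest.indexOf("/");
  const head = slash === -1 ? "" : rest.slice(0, slash);
  let registry = "docker.io";
  if (head.includes(".") || head.includes(":") || head === "localhost") {
    registry = head;
    rest = rest.slice(slash + 1);
  }
  // A ":" after the last "/" separates the tag; a port belongs to the registry.
  const colon = rest.indexOf(":", rest.lastIndexOf("/") + 1);
  const tag = colon === -1 ? undefined : rest.slice(colon + 1);
  const repository = colon === -1 ? rest : rest.slice(0, colon);
  return { registry, repository, tag, digest };
}

// Return violations (empty means admit). Requiring the Zarf registry plus a
// digest ties the content verified at build time to what runs at admission.
function imageViolations(images: string[], zarfRegistry: string): string[] {
  const violations: string[] = [];
  for (const image of images) {
    const ref = parseImageRef(image);
    if (ref.registry !== zarfRegistry) {
      violations.push(`${image}: registry "${ref.registry}" is not the Zarf registry`);
    }
    if (!ref.digest || !/^sha256:[0-9a-f]{64}$/.test(ref.digest)) {
      violations.push(`${image}: not pinned by a sha256 digest`);
    }
  }
  return violations;
}
```

A Validate handler would collect `spec.containers[*].image` and `spec.initContainers[*].image` from the Pod, call `imageViolations`, and deny with the joined messages when the list is non-empty.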