voucher
Table of Contents
Introduction
Voucher is the missing piece in the binary authorization toolchain which enables you to secure your software supply pipeline. Binary authorization uses an admission controller such as Kritis, which pulls information about a container image from a metadata server such as Grafeas to ensure that the image is not deployed to production unless it has passed an appropriate suite of checks. As running checks on containers during deployment is time consuming and prevents rapid rollout of changes, the checks the admission controller utilizes to verify an image is ready for production should be run at build time. Voucher does exactly that.
Voucher was designed to be called from your CI/CD pipeline, after an image is built, but before that image is deployed to production. Voucher pulls the newly built image from your image registry; runs it through all of the checks that were requested, and generates attestations for every check that the image passes. Those attestations (OpenPGP signatures of container digests) are then pushed to the metadata server, where Kritis can verify them.
Voucher presently includes the following checks:
| Test Name | Description |
|---|---|
diy |
Can the image be downloaded from our container registry? |
nobody |
Was the image built to run as a user who is not root? |
snakeoil |
Is the image free of known security issues? |
provenance |
Was the image built by us or a trusted system? |
approved |
Did the source code for the image pass all required checks in the code repository? |
As well as the following dynamic check:
| Test Name | Description |
|---|---|
is_<org name> |
Did the source for this image come from the passed organization (for example, is_shopify) |
Note that provenance and the dynamic checks require the prescence of build metadata in your metadata store. While unsigned metadata is valid, to ensure that you are trusting metadata that hasn't been forged, it is recommended that you use signed metadata as well.
Voucher Server, Subscriber, and Client
This repository contains three tools:
- Voucher Server: intended to run in your infrastructure to respond to CI/CD pipeline requests.
- Voucher Subscriber: a program that accepts image creation pub/sub messages from GCR, and automatically vouches the images referenced in those messages. This program doesn't respond to any client requests.
- Voucher Client: an example of a Voucher API client that you can use directly in your CI/CD pipeline or as a basis for your own code. The client connects to a Voucher Server.
Contributing
Please refer to the Contributing document if you are interested in contributing to voucher!
Community
Please join voucher-users for announcements and discussions.