kyma-project / warden

Image authenticity validation made k8s-native
Apache License 2.0
3 stars 14 forks source link

Warden

K8s image authenticity validator

Status

REUSE status

Description

Image signing and image signature verification is an important countermeasure against security threats. While image signing happens in the automated CD workflow, Warden realizes image signature verification happening in the k8s cluster.

Warden allows for configuring a target notary service (via Helm values) and utilizes the Kubernetes label selector mechanism to look for protected namespaces (namespaces.warden.kyma-project.io/validate: enabled).

If an image was not signed by the configured notary service, and it is used to schedule a pod in the protected namespace, the pod admission will be rejected.

Getting Started

You must have a Kubernetes cluster to run against. You can use kind to get a local cluster for testing or run against a remote cluster.

How it Works

Warden realizes image verification by its two components:

Run locally

Install Helm charts:

make install

Install Helm charts on the k3d instance with locally built images:

make install-local

Uninstall Helm charts:

make uninstall

Modifying the API definitions

If you are editing the API definitions, generate the manifests such as CRs or CRDs using:

make manifests

NOTE: Run make help for more information on all potential make targets.

More information can be found via the Kubebuilder Documentation

Test strategy

Run unit tests

make verify

Start the k3d instance locally and run integration tests

make k3d-integration-test

If you have the k8s instance with Warden installed already, run integration tests with the following command:

make run-integration-tests

How to release new version

In this project we follow git flow. Every minor release is maintaned in its separate branch.

If you want to patch a version, cherry pick all fix commits into the release branch.

If you want to create a new release, create a new branch from main for the release.

Run a create release action providing the release name (semantic version x.x.x; no v prefix) and selecting release branch.

Contributing

See the Contributing Rules.

Code of Conduct

See the Code of Conduct document.

Licensing

See the license file.