kyverno / website

User docs and sample policies: https://kyverno.io
Apache License 2.0

[Enhancement] Document the verification of attestations produced from private GitHub repositories #1435

Open EtienneDufresne opened 2 weeks ago

EtienneDufresne commented 2 weeks ago

Description

The verifying sigstore bundles section of the documentation is specific to public GitHub repositories where the official Sigstore instance is used.

If the attestation is produced from a private GitHub repo (and for a private artifact), the GitHub Sigstore instance is used and there are no transparency logs as stated here.

For Kyverno to be able to verify such attestations, its Helm values.yaml must have this override:

features:
  tuf:
    enabled: true
    mirror: https://tuf-repo.github.com
    rootRaw: <set to https://github.com/github/artifact-attestations-helm-charts/blob/main/charts/trust-policies/templates/trustroot-github.yaml#L8-L9>

In the ClusterPolicy, the attestation keyless attestor entry's rekor value must be updated to point to the GitHub Sigstore Fulcio instance and set to ignore the transparency logs:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  annotations:
    pod-policies.kyverno.io/autogen-controllers: none
  name: sigstore-attestation-verification
spec:
  background: false
  validationFailureAction: Enforce
  webhookTimeoutSeconds: 30
  rules:
  - match:
      any:
      - resources:
          kinds:
          - Pod
    name: sigstore-attestation-verification
    verifyImages:
    - imageReferences:
      - "*"
      type: SigstoreBundle
      attestations:
      - attestors:
        - entries:
          - keyless:
              issuer: https://token.actions.githubusercontent.com
              subject: https://github.com/vishal-chdhry/artifact-attestation-example/.github/workflows/build-attested-image.yaml@refs/heads/main
              rekor:
                ignoreTlog: true
                url: https://fulcio.githubapp.com
        conditions:
        - all:
          - key: '{{ buildDefinition.buildType }}'
            operator: Equals
            value: https://actions.github.io/buildtypes/workflow/v1
        type: https://slsa.dev/provenance/v1

Slack discussion

https://kubernetes.slack.com/archives/CLGR9BJU9/p1720769654925739
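As an added example (not part of the issue above and not Kyverno's own code), a small Python check that the ClusterPolicy and the Helm values described in the issue agree for the private-repository case: a keyless entry with rekor.ignoreTlog set can only be verified when the TUF mirror and trust root are overridden. The policy and values dicts are constructed to mirror the issue; the org/repo in the subject and the rootRaw value are placeholders.

```python
# Added consistency check (not Kyverno's code) for the private-GitHub-repo case.
GITHUB_ISSUER = "https://token.actions.githubusercontent.com"
GITHUB_TUF_MIRROR = "https://tuf-repo.github.com"

def keyless_entries(policy):
    """Yield (verifyImages type, keyless entry) for every keyless attestor."""
    for rule in policy.get("spec", {}).get("rules", []):
        for vi in rule.get("verifyImages", []):
            for att in vi.get("attestations", []):
                for attestor in att.get("attestors", []):
                    for entry in attestor.get("entries", []):
                        if "keyless" in entry:
                            yield vi.get("type"), entry["keyless"]

def check_private_github(policy, helm_values):
    """Return a list of findings; an empty list means the two configs agree."""
    findings = []
    tuf = helm_values.get("features", {}).get("tuf", {})
    for bundle_type, keyless in keyless_entries(policy):
        if keyless.get("issuer") != GITHUB_ISSUER:
            continue
        if not keyless.get("rekor", {}).get("ignoreTlog"):
            continue  # public-Sigstore path: a Rekor entry is expected, nothing to check
        # Private repo: no transparency log, so trust must come from GitHub's TUF root.
        if bundle_type != "SigstoreBundle":
            findings.append("ignoreTlog set but verifyImages type is not SigstoreBundle")
        if not tuf.get("enabled"):
            findings.append("features.tuf.enabled must be true for GitHub-signed bundles")
        if tuf.get("mirror") != GITHUB_TUF_MIRROR:
            findings.append(f"features.tuf.mirror must be {GITHUB_TUF_MIRROR}")
        if not tuf.get("rootRaw"):
            findings.append("features.tuf.rootRaw must carry GitHub's trust root")
        if "@refs/" not in keyless.get("subject", ""):
            findings.append("keyless.subject should pin a workflow file and git ref")
    return findings

# Constructed sample inputs mirroring the policy and values in the issue.
POLICY = {"spec": {"rules": [{"verifyImages": [{"type": "SigstoreBundle", "attestations": [
    {"attestors": [{"entries": [{"keyless": {"issuer": GITHUB_ISSUER,
        "subject": "https://github.com/example-org/example-repo/.github/workflows/build.yaml@refs/heads/main",
        "rekor": {"ignoreTlog": True, "url": "https://fulcio.githubapp.com"}}}]}]}]}]}]}}
VALUES_OK = {"features": {"tuf": {"enabled": True, "mirror": GITHUB_TUF_MIRROR,
                                  "rootRaw": "<GitHub trust root placeholder>"}}}
VALUES_DEFAULT = {"features": {"tuf": {"enabled": False}}}  # chart default: public Sigstore

if __name__ == "__main__":
    print(check_private_github(POLICY, VALUES_OK))       # []
    print(check_private_github(POLICY, VALUES_DEFAULT))  # three features.tuf findings
```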

welcome[bot] commented 2 weeks ago

Thanks for opening your first issue here! Be sure to follow the issue template!