CASM-4908 Runtime container image signature validation #17

Draft · wants to merge 1 commit into main

Conversation

@mtupitsyn (Contributor) commented Oct 10, 2024

Summary and Scope

During initial testing of image signature validation, it was discovered that Kyverno tries to contact https://artifactory.alogl60.net/ for image verification, and this blocks deployments in air-gapped environments, even in Audit mode (CASMTRIAGE-7283). We need to set Kyverno to contact the local registry instead, for both images and their respective signatures. This will allow us to turn on signature validation at runtime (during initial deployments, upgrades and in the background on running clusters).

Proposed solution involves these key steps:

  • Deploy a new Kyverno cluster policy, prepend-registry, which will automatically add registry.local/ to the beginning of the image spec for any new pod (if it doesn't already start with registry.local/).
  • Add a mirroring rule to the containerd configuration, so that images with names starting with registry.local/ are looked up in https://pit.nmn first and in https://registry.local/ second. This rule is needed to support the switch from PIT Nexus to Cloud Nexus during initial install. It is similar to the already existing rule for image names starting with artifactory.algol60.net, which now becomes obsolete.
  • Move Kyverno and policies deployment into a separate manifest, and deploy it early in the install/upgrade pipeline, thus ensuring that image name mutation and signature validation apply to all deployments after Kyverno.
  • For the duration of a fresh install, when images are downloaded from PIT Nexus, put a temporary hosts record override into the CoreDNS ConfigMap. This override will point to PIT Nexus instead of Cloud Nexus. It is needed for the Kyverno admission controller to look for images and their signatures in the right location during a fresh install (when Cloud Nexus is not yet deployed).

This change consists of the following PRs:

Issues and Related PRs

Testing

Tested on:

  • Virtual Shasta

Test description:

  • Created custom builds of CSM and docs-csm with changes outlined above
  • Performed multiple automated deployments on vShasta in different combinations: fresh install and upgrade, with validationFailureAction set to Audit and Enforce.

Risks and Mitigations

None known ATM.

Pull Request Checklist

  • Version number(s) incremented, if applicable
  • Copyrights updated
  • License file intact
  • Target branch correct
  • Testing is appropriate and complete, if applicable
  • HPC Product Announcement prepared, if applicable
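The prepend-registry mutation described in the PR body, written out as an added example Kyverno ClusterPolicy. This is not the PR's own policy; the rule names, the foreach structure and the `starts_with` precondition are assumptions, and the policy only mutates pods admitted after it is installed.

```yaml
# Added example, not the PR's policy: prepend "registry.local/" to every
# container and initContainer image that does not already start with it.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: prepend-registry
spec:
  # Mutation happens at admission time only; background scans cannot rewrite pods.
  background: false
  rules:
    - name: prepend-registry-containers
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        foreach:
          - list: "request.object.spec.containers"
            # Skip images that already point at the local registry, so the
            # policy is idempotent and never produces registry.local/registry.local/...
            preconditions:
              all:
                - key: "{{ starts_with(element.image, 'registry.local/') }}"
                  operator: Equals
                  value: false
            patchStrategicMerge:
              spec:
                containers:
                  - name: "{{ element.name }}"
                    image: "registry.local/{{ element.image }}"
    - name: prepend-registry-initcontainers
      match:
        any:
          - resources:
              kinds:
                - Pod
      mutate:
        foreach:
          - list: "request.object.spec.initContainers"
            preconditions:
              all:
                - key: "{{ starts_with(element.image, 'registry.local/') }}"
                  operator: Equals
                  value: false
            patchStrategicMerge:
              spec:
                initContainers:
                  - name: "{{ element.name }}"
                    image: "registry.local/{{ element.image }}"
```

With this in place an image such as `artifactory.algol60.net/csm-docker/stable/foo:1.0` is rewritten to `registry.local/artifactory.algol60.net/csm-docker/stable/foo:1.0`, which is why the containerd mirror rule for the `registry.local/` prefix and the early deployment of Kyverno in the pipeline go together.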

* Add prepend-registry cluster policy to change images automatically
  to `registry.local/<image_name>` form.