Supply Chain Security in Tekton Pipelines
Tekton Chains is a Kubernetes Custom Resource Definition (CRD) controller that allows you to manage your supply chain security in Tekton.
In its default mode of operation, Chains works by observing all TaskRuns
executions in your cluster. When TaskRuns
complete, Chains takes a snapshot of
them. Chains then converts this snapshot to one or more standard payload
formats, signs them and stores them somewhere.
Current features include:
- Signing
TaskRun
results with user provided cryptographic keys, includingTaskRun
s themselves and OCI Images - Attestation formats like intoto
- Signing with a variety of cryptograhic key types and services (x509, KMS)
- Support for multiple storage backends for signatures
Prerequisite: you'll need Tekton Pipelines installed on your cluster before you install Chains.
To install the latest version of Chains to your Kubernetes cluster, run:
kubectl apply --filename https://storage.googleapis.com/tekton-releases/chains/latest/release.yaml
To install a specific version of Chains, run:
kubectl apply -f https://storage.googleapis.com/tekton-releases/chains/previous/${VERSION}/release.yaml
To verify that installation was successful, wait until all Pods have Status
Running
:
kubectl get po -n tekton-chains --watch
NAME READY STATUS RESTARTS AGE
tekton-chains-controller-c4f7c57c4-nrjb2 1/1 Running 0 160m
Prerequisite: you'll need Tekton Pipelines installed on your OpenShift cluster before you install Chains.
To install Tekton Chains on OpenShift, you must first apply the anyuid
security context constraint to the tekton-chains-controller
service account.
This is required to run the controller pod. See
Security Context Constraints
for more information.
-
Log on as a user with
cluster-admin
privileges. The following example uses the defaultsystem:admin
user:oc login -u system:admin
-
Set up the namespace (project) and configure the service account:
oc new-project tekton-chains oc adm policy add-scc-to-user nonroot -z tekton-chains-controller
-
Install Tekton Chains:
oc apply --filename https://storage.googleapis.com/tekton-releases/chains/latest/release.yaml
See the OpenShift CLI documentation for more information on the
oc
command. -
Monitor the installation using the following command until all components show a
Running
status:oc get pods --namespace tekton-chains --watch
To finish setting up Chains, please complete the following steps:
- Add authentication to the Chains controller
- Generate a cryptographic key and configure Chains to use it for signing
- Set up any additional configuration
To get started with Chains, try out our getting started tutorial.
To start signing OCI images and generating signed provenance for them, try our signed provenance tutorial.
The Chains community has been hard at work creating tutorials as well:
- Dual storage backend setup showcases how to use multiple storage backends and verify the attestations with cosign.
To learn more about experimental features, check out experimental.md
We are so excited to have you!
- See CONTRIBUTING.md for an overview of our processes
- See DEVELOPMENT.md for how to get started
- See ROADMAP.md for the current roadmap Check out our good first issues and our help wanted issues to get started!
To learn more about Chains: