sigstore/k8s-manifest-sigstore

Extend verify-resource sub-command

Closed · 1 comment

Description
This issue proposes extending the verify-resource subcommand with the features listed below.

The verify-resource subcommand lets a user check deployed resources against their sigstore-signed manifest.

  • A k8s manifest file is used to deploy resources onto a cluster with kubectl. Many k8s apps use this installation pattern today.
  • The k8s manifest file is uploaded as a bundle image to an OCI registry and signed with cosign sign.
  • Later, the user wants to verify that the current state of the resources has not been tampered with, i.e. that it is unchanged from the state defined in the signed k8s manifest file.

In this verification, the signed manifest is referenced either by a metadata annotation on each resource or explicitly by a command option.
If a resource is unchanged from the signed manifest, it is reported as valid.

There are two usage patterns for this sub-command.

  1. A user specifies the resources by command options and checks that they are unchanged from the signed manifest (the signed manifest referenced in the metadata annotation is used in this case).

kubectl sigstore verify-resource cm -n myapp

Resources can also be specified by manifest:

kubectl get deploy -n myapp | kubectl sigstore verify-resource -f -

  2. A user specifies the signed manifest and verifies that the resources deployed from it are unchanged from the signed state.
# build manifest
kustomize build ~/myapp > manifest.yaml

# sign manifest
kubectl sigstore sign manifest.yaml -i manifest-bundle:dev

# deploy application
kubectl apply -n myapp -f manifest.yaml

# verify application with signed manifest
kubectl sigstore verify-resource -n myapp -i manifest-bundle:dev

Features to be extended

  • allow the user to specify resources by file
  • allow the user to specify resources by bundle image
  • support both keyless and key-based signing
  • output format (pretty, json, yaml)
  • allow a configuration that skips selected checks

Expected

Usage:
  kubectl sigstore verify-resource (RESOURCE/NAME | -f FILENAME | -i IMAGE) [options]

Flags:
  -c, --config string                  path to verification config YAML file (for advanced verification)
  -f, --filename string                manifest filename
  -i, --image string                   a comma-separated list of signed image names that contains YAML manifests
  -k, --key string                     path to your signing key (if empty, do key-less signing)
  -n, --namespace string               If present, the namespace scope for this CLI request
  -o, --output string                  output format string, either "json" or "yaml" (if empty, a result is shown as a table)
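To make the comparison behind the sign/deploy/verify procedure and the skip configuration concrete, here is an added Python illustration (not code from k8s-manifest-sigstore): a signed ConfigMap is compared with its live copy, server-populated fields are ignored, and extra paths from a skip config can be excluded. The annotation key, the ignore list and the sample resources are assumptions or constructed data, not the project's own values.

```python
from typing import Any, Iterable, Optional

# Annotation that records which signed bundle image a resource came from
# (key name is an assumption, not the project's actual annotation).
MANIFEST_REF_ANNOTATION = "example.sigstore.dev/manifest-image"
# Server-populated fields that legitimately differ from the signed manifest and
# must not be reported as tampering (an assumed list, not the project's rules).
SERVER_MANAGED = [
    ("status",), ("metadata", "uid"), ("metadata", "resourceVersion"),
    ("metadata", "generation"), ("metadata", "creationTimestamp"),
    ("metadata", "managedFields"),
    ("metadata", "annotations", "kubectl.kubernetes.io/last-applied-configuration"),
    ("metadata", "annotations", MANIFEST_REF_ANNOTATION),
]

def flatten(obj: Any, path: tuple = ()) -> dict:
    """Flatten nested dicts/lists into {path-tuple: leaf value}."""
    if isinstance(obj, (dict, list)):
        items = obj.items() if isinstance(obj, dict) else enumerate(obj)
        return {p: v for k, sub in items for p, v in flatten(sub, path + (k,)).items()}
    return {path: obj}

def manifest_ref(live: dict, image_flag: Optional[str] = None) -> Optional[str]:
    """Signed manifest to check against: the -i flag wins, else the annotation."""
    return image_flag or live.get("metadata", {}).get("annotations", {}).get(MANIFEST_REF_ANNOTATION)

def verify_resource(signed: dict, live: dict, skip: Iterable[tuple] = ()) -> dict:
    """Report fields where the live resource drifted from its signed manifest.
    `skip` holds extra path tuples to ignore (the -c/--config skip idea)."""
    ignore = list(SERVER_MANAGED) + list(skip)
    keep = lambda p: not any(p[:len(s)] == s for s in ignore)
    a = {p: v for p, v in flatten(signed).items() if keep(p)}
    b = {p: v for p, v in flatten(live).items() if keep(p)}
    diffs = sorted(".".join(map(str, p)) for p in set(a) | set(b) if a.get(p) != b.get(p))
    return {"valid": not diffs, "diffs": diffs}

# Constructed sample: the ConfigMap as written in the signed manifest ...
SIGNED = {"apiVersion": "v1", "kind": "ConfigMap",
          "metadata": {"name": "app-config", "namespace": "myapp"},
          "data": {"LOG_LEVEL": "info", "FEATURE_X": "off"}}
# ... and as decoded from `kubectl get cm app-config -n myapp -o json` after
# someone edited LOG_LEVEL in the cluster (constructed, not real output).
LIVE = {"apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": "app-config", "namespace": "myapp", "uid": "0000-placeholder",
                     "resourceVersion": "12345", "creationTimestamp": "2021-01-01T00:00:00Z",
                     "annotations": {MANIFEST_REF_ANNOTATION: "manifest-bundle:dev"}},
        "data": {"LOG_LEVEL": "debug", "FEATURE_X": "off"}}

def check_sample(skip: Iterable[tuple] = ()) -> dict:
    """Run the comparison on the constructed sample."""
    return verify_resource(SIGNED, LIVE, skip)
```

Without a skip entry the edited LOG_LEVEL is reported as drift; skipping ("data", "LOG_LEVEL") makes the same resource pass, which is the effect a skip-check configuration would have.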

This extension was merged into the main branch with PR #16.
Thanks! > @hirokuni-kitahara