Skip to content

sirisaacnuketon/policy-controller

 
 

Repository files navigation

Cosign logo

Policy Controller

The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign.

Go Report Card e2e-tests OpenSSF Scorecard

policy-controller also resolves the image tags to ensure the image being ran is not different from when it was admitted.

See the installation instructions for more information.

Today, policy-controller can automatically validate signatures and attestations on container images. Enforcement is configured on a per-namespace basis, and multiple keys are supported.

We're actively working on more features here.

For more information about the policy-controller, have a look at our documentation website here.

Examples

Please see the examples/ directory for example policies etc.

Policy Testing

This repo includes a policy-tester tool which enables checking a policy against various images.

In the root of this repo, run the following to build:

make policy-tester

Then run it pointing to a YAML file containing a ClusterImagePolicy, and an image to evaluate the policy against:

(set -o pipefail && \
    ./policy-tester \
        --policy=test/testdata/policy-controller/tester/cip-public-keyless.yaml \
        --image=ghcr.io/sigstore/cosign/cosign:v1.9.0 | jq)

Local Development

You can spin up a local Kind K8s cluster to test local changes to the policy controller using the `` CLI tool. Build the tool with make local-dev and then run it with `./bin/local-dev setup`.

It optionally accepts the following:

--cluster-name
--k8s-version
--registry-url

You can clean up the cluster with ./bin/local-dev clean --cluster-name=<my cluster name>.

You will need to have the following tools installed to use this:

Use local registry

If you would like to use the local Kind registry instead of a live one, do not include the registry-url flag when calling the CLI. It will default to using the local registry. But before running the CLI, you must add the following line to your /etc/hosts file first: 127.0.0.1 registry.local

Support Policy

This policy-controller's versions are able to run in the following versions of Kubernetes:

policy-controller > 0.2.x
Kubernetes 1.22
Kubernetes 1.23
Kubernetes 1.24
Kubernetes 1.25

note: not fully tested yet, but can be installed

Release Cadence

We are intending to move to a monthly cadence for minor releases. Minor releases will be published around the beginning of the month. We may cut a patch release instead, if the changes are small enough not to warrant a minor release. We will also cut patch releases periodically as needed to address bugs.

Security

Should you discover any security issues, please refer to sigstores security process

About

No description, website, or topics provided.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 84.9%
  • Shell 14.3%
  • Makefile 0.8%