From 484ea1135588240e36184cbac0cbe136452cdd7d Mon Sep 17 00:00:00 2001 From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com> Date: Wed, 9 Nov 2022 01:34:35 +0530 Subject: [PATCH 1/7] Create N4K for Image Verification --- Use Cases/N4K for Image Verification | 81 ++++++++++++++++++++++++++++ 1 file changed, 81 insertions(+) create mode 100644 Use Cases/N4K for Image Verification diff --git a/Use Cases/N4K for Image Verification b/Use Cases/N4K for Image Verification new file mode 100644 index 00000000..90eb50a2 --- /dev/null +++ b/Use Cases/N4K for Image Verification 
@@ -0,0 +1,81 @@ +#Steps for image verification + +Below are the steps to verify images before deployment to Kubernetes runtime environments - + +Download the certified N4K Kyverno and adapter images to the customer's private repo. +Customize Kyverno and adapter deployment as required for the customer's environment via Helm values file (docker-registry credentials, custom CA, Proxy etc.). +Deploy Kyverno using the Helm Chart. +Deploy the adapters using the Helm Chart. +Leverage cosign or Venafi workflow to sign the images. +Deploy the image verification Kyverno policy. +Confirm image verification based on policy pass/fail. + + + +Location and Credentials to access N4K images + +Please download the Kyverno and adapter images below - + + ghcr.io/nirmata/kyverno:v1.8.1-n4kbuild.1 + ghcr.io/nirmata/kyvernopre:v1.8.1-n4kbuild.1 + ghcr.io/nirmata/kube-rbac-proxy:v0.13.1 + ghcr.io/nirmata/nirmata-imagekey-controller:v0.1 + + +Please use the below credentials to access N4K images - + +Username: nirmata-enterprise-for-kyverno +Password: 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 + +Kyverno Installation + + +Install the Helm charts by following the instructions here. The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below + +--set image.repository=> +--set image.pullSecrets.registry=<> +--set image.pullSecrets.username= +--set image.pullSecrets.password= + + + +For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. + + --set systemCertPath=/etc/pki/tls/certs + --set customCAConfigMap=<> + + +Nirmata Venafi Adapter installation: + + +Install the Helm charts by following the instructions here. 
The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below + + + + + + +--set venafiAdapterImage=<> +--set imagePullSecret.registry=<> +--set imagePullSecret.username=<> +--set imagePullSecret.password=<> + + + +For custom certs, follow the custom cert section in the installation guide and use the parameters below to set the right ca bundle path and configmap. + + + + --set systemCertPath=/etc/pki/tls/certs + --set customCAConfigMap=<> + + + + +Validate signed images with Venafi adapter + + +Refer the steps here to create a password secret and CR yaml imagekey.yaml +Ensure the first job runs and downloads the specified key to configmap specified +Refer the sample policy to create a Kyverno imageverify policy referring to the configmap field +Validate whether pods are blocked or allowed based on whether they are signed with Venafi keys. From 682dc4aa7cfce63f04e792d961712fe7a7b584d7 Mon Sep 17 00:00:00 2001 From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com> Date: Wed, 9 Nov 2022 01:35:40 +0530 Subject: [PATCH 2/7] Rename N4K for Image Verification to N4K-for-Image-Verification.md --- .../{N4K for Image Verification => N4K-for-Image-Verification.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename Use Cases/{N4K for Image Verification => N4K-for-Image-Verification.md} (100%) diff --git a/Use Cases/N4K for Image Verification b/Use Cases/N4K-for-Image-Verification.md similarity index 100% rename from Use Cases/N4K for Image Verification rename to Use Cases/N4K-for-Image-Verification.md From a9e23c06d15226723961dd97f8823a538db35558 Mon Sep 17 00:00:00 2001 
From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com> Date: Wed, 9 Nov 2022 01:39:46 +0530 Subject: [PATCH 3/7] Update N4K-for-Image-Verification.md --- Use Cases/N4K-for-Image-Verification.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Use Cases/N4K-for-Image-Verification.md b/Use Cases/N4K-for-Image-Verification.md index 90eb50a2..fde824f8 100644 --- a/Use Cases/N4K-for-Image-Verification.md +++ b/Use Cases/N4K-for-Image-Verification.md @@ -1,4 +1,4 @@ -#Steps for image verification +**Steps for image verification Below are the steps to verify images before deployment to Kubernetes runtime environments - @@ -12,7 +12,7 @@ Confirm image verification based on policy pass/fail. -Location and Credentials to access N4K images +**Location and Credentials to access N4K images Please download the Kyverno and adapter images below - @@ -22,12 +22,12 @@ Please download the Kyverno and adapter images below - ghcr.io/nirmata/nirmata-imagekey-controller:v0.1 -Please use the below credentials to access N4K images - +Please use the below credentials provided to you to access N4K images - Username: nirmata-enterprise-for-kyverno -Password: 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 +Password: xx -Kyverno Installation +**Kyverno Installation Install the Helm charts by following the instructions here. The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below 
@@ -40,12 +40,12 @@ Install the Helm charts by following the instructions here. The necessary creden For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. - +`` --set systemCertPath=/etc/pki/tls/certs --set customCAConfigMap=<> +`` - -Nirmata Venafi Adapter installation: +**Nirmata Venafi Adapter installation Install the Helm charts by following the instructions here. The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below @@ -72,7 +72,7 @@ For custom certs, follow the custom cert section in the installation guide and u -Validate signed images with Venafi adapter +**Validate signed images with Venafi adapter Refer the steps here to create a password secret and CR yaml imagekey.yaml From 55e1c1145e0ec1d6dc0eacc4ce4cfb22182f8867 Mon Sep 17 00:00:00 2001 From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com> Date: Wed, 9 Nov 2022 01:44:39 +0530 Subject: [PATCH 4/7] Update N4K-for-Image-Verification.md --- Use Cases/N4K-for-Image-Verification.md | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/Use Cases/N4K-for-Image-Verification.md b/Use Cases/N4K-for-Image-Verification.md index fde824f8..46898f71 100644 --- a/Use Cases/N4K-for-Image-Verification.md +++ b/Use Cases/N4K-for-Image-Verification.md @@ -1,4 +1,4 @@ -**Steps for image verification +**Steps for image verification** Below are the steps to verify images before deployment to Kubernetes runtime environments - 
@@ -12,7 +12,7 @@ Confirm image verification based on policy pass/fail. -**Location and Credentials to access N4K images +**Location and Credentials to access N4K images** Please download the Kyverno and adapter images below - @@ -27,10 +27,10 @@ Please use the below credentials provided to you to access N4K images - Username: nirmata-enterprise-for-kyverno Password: xx -**Kyverno Installation +**Kyverno Installation** -Install the Helm charts by following the instructions here. The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below +Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/nirmata#installing-the-chart). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below --set image.repository=> --set image.pullSecrets.registry=<> 
@@ -40,15 +40,15 @@ Install the Helm charts by following the instructions here. The necessary creden For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. -`` + --set systemCertPath=/etc/pki/tls/certs --set customCAConfigMap=<> -`` -**Nirmata Venafi Adapter installation + +**Nirmata Venafi Adapter installation** -Install the Helm charts by following the instructions here. The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below +Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below @@ -62,7 +62,7 @@ Install the Helm charts by following the instructions here. The necessary creden -For custom certs, follow the custom cert section in the installation guide and use the parameters below to set the right ca bundle path and configmap. +For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. 
@@ -72,10 +72,10 @@ For custom certs, follow the custom cert section in the installation guide and u -**Validate signed images with Venafi adapter +**Validate signed images with Venafi adapter** -Refer the steps here to create a password secret and CR yaml imagekey.yaml +Refer the steps [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#test-a-sample-policy) to create a password secret and CR yaml imagekey.yaml Ensure the first job runs and downloads the specified key to configmap specified -Refer the sample policy to create a Kyverno imageverify policy referring to the configmap field +Refer the sample [policy](https://github.com/dolisss/kyverno_policies/blob/main/supply-chain/verify_image_venafi.yaml) to create a Kyverno imageverify policy referring to the configmap field Validate whether pods are blocked or allowed based on whether they are signed with Venafi keys. From f99495c5d3c06389012415993b7fc4c0ec843715 Mon Sep 17 00:00:00 2001 From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com> Date: Wed, 9 Nov 2022 01:51:32 +0530 Subject: [PATCH 5/7] Update N4K-for-Image-Verification.md --- Use Cases/N4K-for-Image-Verification.md | 40 ++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/Use Cases/N4K-for-Image-Verification.md b/Use Cases/N4K-for-Image-Verification.md index 46898f71..eb54f38b 100644 --- a/Use Cases/N4K-for-Image-Verification.md +++ b/Use Cases/N4K-for-Image-Verification.md 
@@ -1,18 +1,18 @@ -**Steps for image verification** +## Steps for image verification Below are the steps to verify images before deployment to Kubernetes runtime environments - -Download the certified N4K Kyverno and adapter images to the customer's private repo. -Customize Kyverno and adapter deployment as required for the customer's environment via Helm values file (docker-registry credentials, custom CA, Proxy etc.). -Deploy Kyverno using the Helm Chart. -Deploy the adapters using the Helm Chart. -Leverage cosign or Venafi workflow to sign the images. -Deploy the image verification Kyverno policy. -Confirm image verification based on policy pass/fail. +1. Download the certified N4K Kyverno and adapter images to the customer's private repo. +2. Customize Kyverno and adapter deployment as required for the customer's environment via Helm values file (docker-registry credentials, custom CA, Proxy etc.). +3. Deploy Kyverno using the Helm Chart. +4. Deploy the adapters using the Helm Chart. +5. Leverage cosign or Venafi workflow to sign the images. +6. Deploy the image verification Kyverno policy. +7. Confirm image verification based on policy pass/fail. -**Location and Credentials to access N4K images** +## Location and Credentials to access N4K images Please download the Kyverno and adapter images below - 
@@ -27,25 +27,25 @@ Please use the below credentials provided to you to access N4K images - Username: nirmata-enterprise-for-kyverno Password: xx -**Kyverno Installation** +## Kyverno Installation Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/nirmata#installing-the-chart). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below - +``` --set image.repository=> --set image.pullSecrets.registry=<> --set image.pullSecrets.username= --set image.pullSecrets.password= - +``` For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. - +``` --set systemCertPath=/etc/pki/tls/certs --set customCAConfigMap=<> +``` - -**Nirmata Venafi Adapter installation** +## Nirmata Venafi Adapter installation Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below 
@@ -53,26 +53,26 @@ Install the Helm charts by following the instructions [here](https://github.com/ - +``` --set venafiAdapterImage=<> --set imagePullSecret.registry=<> --set imagePullSecret.username=<> --set imagePullSecret.password=<> - +``` For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. - +``` --set systemCertPath=/etc/pki/tls/certs --set customCAConfigMap=<> +``` - -**Validate signed images with Venafi adapter** +## Validate signed images with Venafi adapter Refer the steps [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#test-a-sample-policy) to create a password secret and CR yaml imagekey.yaml From 084925b73eb68b5bc024616c71b8df2ee7237fa2 Mon Sep 17 00:00:00 2001 From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com> Date: Wed, 9 Nov 2022 01:53:08 +0530 Subject: [PATCH 6/7] Delete Use Cases directory --- Use Cases/N4K-for-Image-Verification.md | 81 ------------------------- 1 file changed, 81 deletions(-) delete mode 100644 Use Cases/N4K-for-Image-Verification.md diff --git a/Use Cases/N4K-for-Image-Verification.md b/Use Cases/N4K-for-Image-Verification.md deleted file mode 100644 index eb54f38b..00000000 --- a/Use Cases/N4K-for-Image-Verification.md +++ /dev/null 
@@ -1,81 +0,0 @@ -## Steps for image verification - -Below are the steps to verify images before deployment to Kubernetes runtime environments - - -1. Download the certified N4K Kyverno and adapter images to the customer's private repo. -2. Customize Kyverno and adapter deployment as required for the customer's environment via Helm values file (docker-registry credentials, custom CA, Proxy etc.). -3. Deploy Kyverno using the Helm Chart. -4. Deploy the adapters using the Helm Chart. -5. Leverage cosign or Venafi workflow to sign the images. -6. Deploy the image verification Kyverno policy. -7. Confirm image verification based on policy pass/fail. - - - -## Location and Credentials to access N4K images - -Please download the Kyverno and adapter images below - - - ghcr.io/nirmata/kyverno:v1.8.1-n4kbuild.1 - ghcr.io/nirmata/kyvernopre:v1.8.1-n4kbuild.1 - ghcr.io/nirmata/kube-rbac-proxy:v0.13.1 - ghcr.io/nirmata/nirmata-imagekey-controller:v0.1 - - -Please use the below credentials provided to you to access N4K images - - -Username: nirmata-enterprise-for-kyverno -Password: xx - -## Kyverno Installation - - -Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/nirmata#installing-the-chart). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below -``` ---set image.repository=> ---set image.pullSecrets.registry=<> ---set image.pullSecrets.username= ---set image.pullSecrets.password= -``` - - -For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. 
-``` - --set systemCertPath=/etc/pki/tls/certs - --set customCAConfigMap=<> -``` - -## Nirmata Venafi Adapter installation - - -Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below - - - - -``` - ---set venafiAdapterImage=<> ---set imagePullSecret.registry=<> ---set imagePullSecret.username=<> ---set imagePullSecret.password=<> -``` - - -For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. - - -``` - --set systemCertPath=/etc/pki/tls/certs - --set customCAConfigMap=<> -``` - - - -## Validate signed images with Venafi adapter - - -Refer the steps [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#test-a-sample-policy) to create a password secret and CR yaml imagekey.yaml -Ensure the first job runs and downloads the specified key to configmap specified -Refer the sample [policy](https://github.com/dolisss/kyverno_policies/blob/main/supply-chain/verify_image_venafi.yaml) to create a Kyverno imageverify policy referring to the configmap field -Validate whether pods are blocked or allowed based on whether they are signed with Venafi keys. From cdfde7ff552abc54b7875acb50a07fc55a92feb9 Mon Sep 17 00:00:00 2001 From: Anubhav Sharma <40705688+anubhav888@users.noreply.github.com> Date: Wed, 9 Nov 2022 01:53:36 +0530 Subject: [PATCH 7/7] Create N4K-for-Image-Verification.md --- Use-cases/N4K-for-Image-Verification.md | 80 +++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 Use-cases/N4K-for-Image-Verification.md 
diff --git a/Use-cases/N4K-for-Image-Verification.md b/Use-cases/N4K-for-Image-Verification.md new file mode 100644 index 00000000..7e36bd37 --- /dev/null +++ b/Use-cases/N4K-for-Image-Verification.md 
@@ -0,0 +1,80 @@ +## Steps for image verification + +Below are the steps to verify images before deployment to Kubernetes runtime environments - + +1. Download the certified N4K Kyverno and adapter images to the customer's private repo. +2. Customize Kyverno and adapter deployment as required for the customer's environment via Helm values file (docker-registry credentials, custom CA, Proxy etc.). +3. Deploy Kyverno using the Helm Chart. +4. Deploy the adapters using the Helm Chart. +5. Leverage cosign or Venafi workflow to sign the images. +6. Deploy the image verification Kyverno policy. +7. Confirm image verification based on policy pass/fail. + + + +## Location and Credentials to access N4K images + +Please download the Kyverno and adapter images below - + + ghcr.io/nirmata/kyverno:v1.8.1-n4kbuild.1 + ghcr.io/nirmata/kyvernopre:v1.8.1-n4kbuild.1 + ghcr.io/nirmata/kube-rbac-proxy:v0.13.1 + ghcr.io/nirmata/nirmata-imagekey-controller:v0.1 + + +Please use the below credentials provided to you to access N4K images - + +Username: nirmata-enterprise-for-kyverno +Password: xx + +## Kyverno Installation + + +Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/nirmata#installing-the-chart). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below +``` +--set image.repository=> +--set image.pullSecrets.registry=<> +--set image.pullSecrets.username= +--set image.pullSecrets.password= +``` + + +For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. 
+``` + --set systemCertPath=/etc/pki/tls/certs + --set customCAConfigMap=<> +``` + +## Nirmata Venafi Adapter installation + + +Install the Helm charts by following the instructions [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter). The necessary credentials for the image repo must be passed during installation of the Helm repo to authenticate with the customer’s container registry. Set the image registry using the parameters below + + + + +``` +--set venafiAdapterImage=<> +--set imagePullSecret.registry=<> +--set imagePullSecret.username=<> +--set imagePullSecret.password=<> +``` + + +For custom certs, follow the custom cert section in the [installation](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#installation) guide and use the parameters below to set the right ca bundle path and configmap. + + +``` + --set systemCertPath=/etc/pki/tls/certs + --set customCAConfigMap=<> +``` + + + +## Validate signed images with Venafi adapter + + +Refer the steps [here](https://github.com/nirmata/kyverno-charts/tree/main/charts/venafi-adapter#test-a-sample-policy) to create a password secret and CR yaml imagekey.yaml +Ensure the first job runs and downloads the specified key to configmap specified +Refer the sample [policy](https://github.com/dolisss/kyverno_policies/blob/main/supply-chain/verify_image_venafi.yaml) to create a Kyverno imageverify policy referring to the configmap field +Validate whether pods are blocked or allowed based on whether they are signed with Venafi keys.
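Review bot: PATCH 1/7 commits a live GitHub personal access token (the `ghp_` value on the `+Password:` line of the first hunk), and PATCH 3/7 only overwrites it with `xx` in a later commit, so the token is still present in the history of every clone of this branch. It must be treated as exposed: revoke and reissue it on GitHub and rewrite the branch history before merge rather than relying on the redacting commit. The final wording "credentials provided to you" is the right approach for the document itself.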
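Review bot: In the final file (PATCH 7/7, `## Kyverno Installation` section) the placeholders are inconsistent and one is malformed: `--set image.repository=>` has a stray `>` where every other flag uses `<>`, and `--set image.pullSecrets.username=` and `--set image.pullSecrets.password=` carry no placeholder at all, so a reader copying the block gets an empty or broken value. Suggest `--set image.repository=<>` and `<>` on the username and password lines, matching the `imagePullSecret.*` block further down. Since step 2 of the overview already tells readers to use a Helm values file, consider pointing them there for the registry password instead of a `--set` argument that lands in shell history. The "custom certs" paragraph in this same section links to the venafi-adapter chart's `#installation` anchor although the section is about the nirmata Kyverno chart; check that the link target is the intended one.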
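Review bot: The `## Validate signed images with Venafi adapter` section of the final file lists four steps as bare lines while `## Steps for image verification` uses a numbered list; number them and reword "Refer the steps" / "Refer the sample policy" to "Refer to ...". More importantly, the sample policy link points at a personal repository (`github.com/dolisss/kyverno_policies/...`) rather than an nirmata-owned location; a document whose purpose is image supply-chain integrity should not direct users to copy an admission policy from an account the project does not control, so either vendor the policy into this repository or link to an org-owned copy. Step 5 of the overview promises a cosign or Venafi signing workflow, but only the Venafi path is documented; add the cosign steps or narrow the overview to what the document covers.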
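Review bot: PATCH 6/7 and PATCH 7/7 delete `Use Cases/N4K-for-Image-Verification.md` and re-create it as `Use-cases/N4K-for-Image-Verification.md` in two separate commits (81 deletions, 80 insertions), which breaks rename detection and blame for the file. PATCH 2/7 shows the intended pattern (`rename from` / `rename to` with `similarity index 100%`), so a single `git mv` commit would preserve the history. The recreated file is one line shorter than the deleted one; from the hunks the only difference is the blank line inside the `venafiAdapterImage` code fence, but confirm no content was lost.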