mirror of
https://github.com/docker/attest-provider
synced 2026-04-05 19:43:36 +00:00
No description
- Go 62.8%
- Shell 25.6%
- Makefile 6.8%
- Dockerfile 4.3%
- Smarty 0.5%
329e85366b
Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.3.5 to 4.4.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](
|
||
|---|---|---|
| .github | ||
| charts/attest-provider | ||
| mutation | ||
| pkg | ||
| scripts | ||
| template | ||
| test/bats | ||
| validation | ||
| .dockerignore | ||
| .gitignore | ||
| .golangci.yaml | ||
| CODE-OF-CONDUCT.md | ||
| CONTRIBUTING.md | ||
| Dockerfile | ||
| go.mod | ||
| go.sum | ||
| LICENSE | ||
| main.go | ||
| main_test.go | ||
| Makefile | ||
| NOTICE | ||
| README.md | ||
| SECURITY.md | ||
Attest External Data Provider
OPA Gatekeeper external data provider implementation for Docker attest library image attestation verification.
Prerequisites
Quick Start
- Create a kind cluster.
kind create cluster --name gatekeeper
- Install the latest version of Gatekeeper and enable the external data feature.
# Add the Gatekeeper Helm repository
helm repo add gatekeeper https://open-policy-agent.github.io/gatekeeper/charts
# Install the latest version of Gatekeeper with the external data feature enabled.
helm install gatekeeper/gatekeeper \
--set enableExternalData=true \
--set emitAdmissionEvents=true \
--set emitAuditEvents=true \
--set validatingWebhookFailurePolicy=Fail \
--set validatingWebhookTimeoutSeconds=10 \
--set postInstall.probeWebhook.enabled=false \
--set postInstall.labelNamespace.enabled=false \
--name-template=gatekeeper \
--namespace security \
--create-namespace
- Build and deploy the external data provider.
git clone https://github.com/docker/attest-provider.git
cd attest-provider
# if you are not planning to establish mTLS between the provider and Gatekeeper,
# deploy the provider to a separate namespace. Otherwise, do not run the following command
# and deploy the provider to the same namespace as Gatekeeper.
export NAMESPACE=security
# generate a self-signed certificate for the external data provider
./scripts/generate-tls-cert.sh
# build the image via docker buildx
make docker-buildx
# load the image into kind
make kind-load-image
# deploy attest provider
helm install attest-provider charts/attest-provider \
--set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
--set image="docker/attest-provider:dev" \
--namespace "${NAMESPACE:-gatekeeper-system}"
- Install constraint template and constraint.
kubectl apply -f validation/attest-constraint-template.yaml
kubectl apply -f validation/attest-constraint.yaml
- Test the external data provider by dry-running the following command:
kubectl create ns test
kubectl run nginx --image nginx -n test --dry-run=server -ojson
Gatekeeper should deny the pod admission above because the image nginx is missing signed annotations but has an image policy in tuf-staging.
TODO: implement mutating policy (tag -> digest)
- To reload the attest-provider image after making changes, run the following command:
make reload
- Uninstall the external data provider and Gatekeeper.
kubectl delete -f validation/
# kubectl delete -f mutation/ TODO: implement mutation
helm uninstall attest-provider --namespace "${NAMESPACE:-gatekeeper-system}"
helm uninstall gatekeeper --namespace security