From e4f0570ea8cbb3bcf5d8f5341a0faf81e7ad64c6 Mon Sep 17 00:00:00 2001
From: arunvel1988
Date: Sat, 8 Mar 2025 14:15:30 +0530
Subject: [PATCH] adding cosign image policy
---
 .../.chainsaw-test/resource.yaml | 19 +++++++++++++
 .../.chainsaw-test/test.yaml | 21 +++++++++++++++
 .../artifacthub-pkg.yaml | 9 +++++++
 .../verify-tekton-image-cosign-signed.yaml | 27 +++++++++++++++++++
 4 files changed, 76 insertions(+)
 create mode 100644 tekton/verify-tekton-image-cosign-signed/.chainsaw-test/resource.yaml
 create mode 100644 tekton/verify-tekton-image-cosign-signed/.chainsaw-test/test.yaml
 create mode 100644 tekton/verify-tekton-image-cosign-signed/artifacthub-pkg.yaml
 create mode 100644 tekton/verify-tekton-image-cosign-signed/verify-tekton-image-cosign-signed.yaml
diff --git a/tekton/verify-tekton-image-cosign-signed/.chainsaw-test/resource.yaml b/tekton/verify-tekton-image-cosign-signed/.chainsaw-test/resource.yaml
new file mode 100644
index 000000000..6a41f0bf6
--- /dev/null
+++ b/tekton/verify-tekton-image-cosign-signed/.chainsaw-test/resource.yaml
@@ -0,0 +1,19 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: signed-pod
+spec:
+ containers:
+ - name: signed-container
+ image: index.docker.io/arunvel1988/signedimage:latest # Assumes this is a signed image
+
+---
+
+apiVersion: v1
+kind: Pod
+metadata:
+ name: unsigned-pod
+spec:
+ containers:
+ - name: unsigned-container
+ image: index.docker.io/arunvel1988/unsignedimage:latest # This is an unsigned image
\ No newline at end of file
diff --git a/tekton/verify-tekton-image-cosign-signed/.chainsaw-test/test.yaml b/tekton/verify-tekton-image-cosign-signed/.chainsaw-test/test.yaml
new file mode 100644
index 000000000..688d419be
--- /dev/null
+++ b/tekton/verify-tekton-image-cosign-signed/.chainsaw-test/test.yaml
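Review bot: Both fixture Pods pull mutable `:latest` tags from a personal Docker Hub namespace (`image: index.docker.io/arunvel1988/signedimage:latest` and `.../unsignedimage:latest`), so the expected pass/fail outcome depends on images and signatures outside this repository that can be re-tagged, re-signed or deleted at any time. Pinning each `image:` to a digest (for example `image: index.docker.io/arunvel1988/signedimage@sha256:<digest>`) would make the fixture deterministic. The inline comment `# Assumes this is a signed image` also reads as a guess rather than a statement; if the signature is known, say so and name the key that signed it. The file has no trailing newline.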
@@ -0,0 +1,21 @@
+apiVersion: cli.kyverno.io/v1alpha1
+kind: Test
+metadata:
+ name: require-signed-images-registry
+policies:
+ - ../verify-tekton-image-cosign-signed.yaml
+resources:
+ - resource.yaml
+results:
+ - kind: Pod
+ policy: require-signed-images-registry
+ resources:
+ - unsigned-pod
+ result: fail
+ rule: check-signature
+ - kind: Pod
+ policy: require-signed-images-registry
+ resources:
+ - signed-pod
+ result: pass
+ rule: check-signature
\ No newline at end of file
diff --git a/tekton/verify-tekton-image-cosign-signed/artifacthub-pkg.yaml b/tekton/verify-tekton-image-cosign-signed/artifacthub-pkg.yaml
new file mode 100644
index 000000000..5aa7d12ef
--- /dev/null
+++ b/tekton/verify-tekton-image-cosign-signed/artifacthub-pkg.yaml
@@ -0,0 +1,9 @@
+name: verify-tekton-image-cosign-signed
+version: 1.0.0
+displayName: Verify Tekton Image with Cosign
+createdAt: "2023-04-10T23:23:45.000Z"
+description: >-
+ Enforces that all Tekton TaskRun container images are signed using Cosign.
+install: |-
+ ```shell
+ kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/tekton/verify-tekton-image-cosign-signed/verify-tekton-image-cosign-signed.yaml
diff --git a/tekton/verify-tekton-image-cosign-signed/verify-tekton-image-cosign-signed.yaml b/tekton/verify-tekton-image-cosign-signed/verify-tekton-image-cosign-signed.yaml
new file mode 100644
index 000000000..4c2b4c05b
--- /dev/null
+++ b/tekton/verify-tekton-image-cosign-signed/verify-tekton-image-cosign-signed.yaml
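Review bot: This is a Kyverno CLI test (`apiVersion: cli.kyverno.io/v1alpha1`, `kind: Test`) yet it is placed under `.chainsaw-test/` as `test.yaml`, so it matches neither convention the repository's automation looks for — CLI tests are conventionally `.kyverno-test/kyverno-test.yaml` and Chainsaw tests `.chainsaw-test/chainsaw-test.yaml`; as placed, it presumably never runs. The policy under test resolves its key through `key: "k8s://kyverno/cosign-key-secret"`, an in-cluster Secret that a CLI run has no way to read, and both fixture images live in an external registry, so the `signed-pod` / `result: pass` entry likely cannot be reproduced offline — confirm, or give the test an inline public key and a registry-access note. The two `results:` entries themselves (`unsigned-pod` → `fail`, `signed-pod` → `pass` for rule `check-signature`) do match the policy's stated intent once those prerequisites are met.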
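Review bot: The `install: |-` block opens a `` ```shell `` fence on its first content line and never closes it (the hunk has 9 lines and ends on the `kubectl apply` line), so the install snippet renders as an unterminated code block; add a closing `` ``` `` line after the `kubectl apply -f ...` line. The `description` states the policy enforces signatures on "all Tekton TaskRun container images", but the policy added in the same commit (`verify-tekton-image-cosign-signed.yaml`) matches `kinds: - Pod` and verifies only images under `index.docker.io/arunvel1988/*`, so the description should say what is actually checked; the policy's own `policies.kyverno.io/subject: TaskRun` annotation has the same mismatch. `createdAt: "2023-04-10T23:23:45.000Z"` predates this 2025 commit by two years and looks copied from another package — verify.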
@@ -0,0 +1,27 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: require-signed-images-registry
+ annotations:
+ policies.kyverno.io/title: Require Cosign Signed Image to maintain supply chain security
+ policies.kyverno.io/category: Tekton
+ policies.kyverno.io/severity: medium
+ policies.kyverno.io/subject: TaskRun
+ kyverno.io/kyverno-version: 1.7.2
+ policies.kyverno.io/minversion: 1.7.0
+ kyverno.io/kubernetes-version: "1.23"
+ policies.kyverno.io/description: >-
+ A signed image is required to maintain supply chain security
+spec:
+ validationFailureAction: Enforce
+ background: true
+ rules:
+ - name: check-signature
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ verifyImages:
+ - image: "index.docker.io/arunvel1988/*"
+ key: "k8s://kyverno/cosign-key-secret"
\ No newline at end of file
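Review bot: The selector `image: "index.docker.io/arunvel1988/*"` restricts verification to a single personal Docker Hub namespace, so a container image from any other registry or namespace is admitted with no signature check at all, while the title, the name `require-signed-images-registry` and `validationFailureAction: Enforce` read as a cluster-wide signed-image requirement; either widen the reference pattern to the registries the cluster is meant to allow, or state the narrow scope plainly in `policies.kyverno.io/description` (currently just "A signed image is required to maintain supply chain security"). The rule uses the flat `image:` / `key:` form of `verifyImages`, whereas the Kyverno releases named by `kyverno.io/kyverno-version: 1.7.2` and `policies.kyverno.io/minversion: 1.7.0` express this as `imageReferences:` with `attestors[].entries[].keys`; confirm the legacy form is still accepted by the targeted versions, because a rule the CRD schema rejects protects nothing. `background: true` on a verifyImages rule is also worth checking — other verifyImages policies in this repository generally set `background: false`, since signature verification is an admission-time check. Finally, `policies.kyverno.io/subject: TaskRun` and `category: Tekton` do not describe a rule whose `match` is `kinds: - Pod`.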