appvia/cosign-keyless-admission-webhook

Repository files navigation

Cosign keyless Kubernetes admission webhook


Kubernetes admission webhook that uses cosign verify to check the subject and issuer of the image matches what you expect

Installation

# if you don't already have cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml

kubectl apply -k https://github.com/appvia/cosign-keyless-admission-webhook

Usage

In the pod spec, set the annotation subject.cosign.sigstore.dev/CONTAINER_NAME* to the certificate subject (the signing identity) you expect for that container's image, and issuer.cosign.sigstore.dev/CONTAINER_NAME* to the OIDC issuer you expect to have issued that certificate. Each container gets its own pair of annotations.

*CONTAINER_NAME is the name of the container from your pod specification.

Full example

apiVersion: v1
kind: Pod
metadata:
  annotations:
    subject.cosign.sigstore.dev/demo: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demo: https://token.actions.githubusercontent.com
    subject.cosign.sigstore.dev/demoagain: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demoagain: https://token.actions.githubusercontent.com
  name: cosign-keyless-demo
spec:
  containers:
    - image: ghcr.io/chrisns/cosign-keyless-demo:latest
      name: demo
    - image: ghcr.io/chrisns/cosign-keyless-demo:latest
      name: demoagain
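To make the annotation convention concrete, here is an added example (not the project's own code) of the decision an admission webhook has to make for the pod above: for each container, look up the subject.cosign.sigstore.dev/<name> and issuer.cosign.sigstore.dev/<name> annotations, run the equivalent of `cosign verify --certificate-identity <subject> --certificate-oidc-issuer <issuer> <image>`, and deny the whole pod on the first container that fails. The verifier is passed in as a callable so the logic runs without registry access; `fake_verify`, `sample_review` and the choice to deny a container that has no annotations are this example's assumptions, not necessarily the webhook's behaviour.

```python
import subprocess
from typing import Callable, Dict, List, Tuple

SUBJECT_PREFIX = "subject.cosign.sigstore.dev/"
ISSUER_PREFIX = "issuer.cosign.sigstore.dev/"
DEMO_IMAGE = "ghcr.io/chrisns/cosign-keyless-demo:latest"
DEMO_SUBJECT = "https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main"
DEMO_ISSUER = "https://token.actions.githubusercontent.com"

def cosign_args(image: str, subject: str, issuer: str) -> List[str]:
    """Argument vector for the equivalent manual check (cosign >= 2.0 flag names)."""
    return ["cosign", "verify", "--certificate-identity", subject,
            "--certificate-oidc-issuer", issuer, image]

def cosign_verify(image: str, subject: str, issuer: str) -> bool:
    """Real verifier: shells out to cosign, so it needs registry and Rekor access."""
    return subprocess.run(cosign_args(image, subject, issuer), capture_output=True).returncode == 0

def fake_verify(image: str, subject: str, issuer: str) -> bool:
    """Constructed stand-in: only the README's demo image/identity pair counts as signed."""
    return (image, subject, issuer) == (DEMO_IMAGE, DEMO_SUBJECT, DEMO_ISSUER)

def review_pod(pod: Dict, verify: Callable[[str, str, str], bool]) -> Tuple[bool, str]:
    """Check every container; return (allowed, reason). The first failure denies the pod."""
    annotations = pod.get("metadata", {}).get("annotations") or {}
    for c in pod["spec"].get("containers", []):
        name, image = c["name"], c["image"]
        subject = annotations.get(SUBJECT_PREFIX + name)
        issuer = annotations.get(ISSUER_PREFIX + name)
        if not subject or not issuer:  # assumption: no annotations means no admission
            return False, f"container {name!r}: missing subject/issuer annotation"
        if not verify(image, subject, issuer):
            return False, f"container {name!r}: {image} not signed by {subject} via {issuer}"
    return True, "all container images verified"

def admission_response(review: Dict, verify: Callable[[str, str, str], bool]) -> Dict:
    """Wrap the decision in the AdmissionReview response the API server expects."""
    req = review["request"]
    allowed, reason = review_pod(req["object"], verify)
    resp = {"uid": req["uid"], "allowed": allowed}
    if not allowed:
        resp["status"] = {"code": 403, "message": reason}
    return {"apiVersion": review["apiVersion"], "kind": "AdmissionReview", "response": resp}

def sample_review(containers: List[Dict], annotations: Dict) -> Dict:
    """Constructed AdmissionReview request wrapping a pod with the given containers."""
    pod = {"metadata": {"annotations": annotations}, "spec": {"containers": containers}}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "request": {"uid": "constructed-uid", "object": pod}}
```

Swapping `fake_verify` for `cosign_verify` turns this into a real (online) check; note that a subject annotation pinned to `@refs/heads/main` will reject images signed from any other branch or tag of the same workflow.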

🚨🚨🚨 WHY THIS MAY NOT WORK FOR YOU 🚨🚨🚨

  • It won't work out of the box with private registries, or with any registry that requires authentication; you will have to wire the registry credentials into the deployment's secrets.