Kubernetes admission webhook that uses `cosign verify` to check that the subject and issuer of the certificate that signed an image match what you expect.
```sh
# if you don't already have cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
kubectl apply -k https://github.com/appvia/cosign-keyless-admission-webhook
```
In the pod spec you set the annotation `subject.cosign.sigstore.dev/CONTAINER_NAME` to the subject of the certificate and the annotation `issuer.cosign.sigstore.dev/CONTAINER_NAME` to its issuer, where `CONTAINER_NAME` is the name of the container from your pod specification. Each container in the pod gets its own pair of annotations.
```yaml
apiVersion: v1
kind: Pod
metadata:
  annotations:
    subject.cosign.sigstore.dev/demo: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demo: https://token.actions.githubusercontent.com
    subject.cosign.sigstore.dev/demoagain: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demoagain: https://token.actions.githubusercontent.com
  name: cosign-keyless-demo
spec:
  containers:
    - image: ghcr.io/chrisns/cosign-keyless-demo:latest
      name: demo
    - image: ghcr.io/chrisns/cosign-keyless-demo:latest
      name: demoagain
```
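As an added example (not the webhook's own code), the Go function below performs the per-container annotation lookup described above and builds the argument list the webhook would hand to `cosign verify`. It assumes cosign v2's `--certificate-identity` / `--certificate-oidc-issuer` flags, a minimal hand-written Pod struct, and a constructed sample pod, and it fails closed when a container is missing either annotation.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal slice of the Pod schema this check reads (an assumption, not the webhook's own types).
type pod struct {
	Metadata struct {
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Containers []struct {
			Name  string `json:"name"`
			Image string `json:"image"`
		} `json:"containers"`
	} `json:"spec"`
}

// VerifyArgs maps each container name to the argument list for `cosign verify`
// (cosign v2 keyless flags) pinning the certificate subject and OIDC issuer from the
// pod's annotations. A container lacking either annotation is an error, so the caller
// can deny admission instead of running an unpinned check.
func VerifyArgs(raw []byte) (map[string][]string, error) {
	var p pod
	if err := json.Unmarshal(raw, &p); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	out := make(map[string][]string, len(p.Spec.Containers))
	for _, c := range p.Spec.Containers {
		subject := p.Metadata.Annotations["subject.cosign.sigstore.dev/"+c.Name]
		issuer := p.Metadata.Annotations["issuer.cosign.sigstore.dev/"+c.Name]
		if subject == "" || issuer == "" {
			return nil, fmt.Errorf("container %q: missing subject or issuer annotation", c.Name)
		}
		out[c.Name] = []string{"verify", "--certificate-identity", subject,
			"--certificate-oidc-issuer", issuer, c.Image}
	}
	return out, nil
}

// Constructed sample pod mirroring the README example, with one annotated container.
const samplePod = `{"metadata":{"annotations":{
 "subject.cosign.sigstore.dev/demo":"https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main",
 "issuer.cosign.sigstore.dev/demo":"https://token.actions.githubusercontent.com"}},
 "spec":{"containers":[{"name":"demo","image":"ghcr.io/chrisns/cosign-keyless-demo:latest"}]}}`

func main() {
	args, err := VerifyArgs([]byte(samplePod))
	fmt.Println(args, err)
}
```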
- Won't work out of the box, at least, with private registries or any registry that requires authentication; you'll have to wire the registry credentials into the deployment's secrets.