The policy-controller admission controller can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign.
policy-controller also resolves the image tags to ensure the image being ran is not different from when it was admitted.
See the installation instructions for more information.
Today, policy-controller can automatically validate signatures and
attestations on container images.
Enforcement is configured on a per-namespace basis, and multiple keys are supported.
We're actively working on more features here.
For more information about the policy-controller, have a look at our documentation website here.
Please see the examples/ directory for example policies etc.
This repo includes a policy-tester tool which enables checking a policy against
various images.
In the root of this repo, run the following to build:
make policy-tester
Then run it pointing to a YAML file containing a ClusterImagePolicy, and an image to evaluate the policy against:
(set -o pipefail && \
./policy-tester \
--policy=test/testdata/policy-controller/tester/cip-public-keyless.yaml \
--image=ghcr.io/sigstore/cosign/cosign:v1.9.0 | jq)
You can spin up a local Kind K8s cluster to test local changes to the policy controller using the local-dev
CLI tool. Build the tool with make local-dev and then run it with ./bin/local-dev setup.
It optionally accepts the following:
--cluster-name
--k8s-version
--registry-url
You can clean up the cluster with ./bin/local-dev clean --cluster-name=<my cluster name>.
You will need to have the following tools installed to use this:
If you would like to use the local Kind registry instead of a live one,
do not include the registry-url flag when calling the CLI. It will default to using the local registry. But before running the CLI, you must add the following line to your /etc/hosts file first:
127.0.0.1 registry.local
This policy-controller's versions are able to run in the following versions of Kubernetes:
policy-controller > 0.2.x |
|
|---|---|
| Kubernetes 1.23 | ✓ |
| Kubernetes 1.24 | ✓ |
| Kubernetes 1.25 | ✓ |
note: not fully tested yet, but can be installed
We are intending to move to a monthly cadence for minor releases. Minor releases will be published around the beginning of the month. We may cut a patch release instead, if the changes are small enough not to warrant a minor release. We will also cut patch releases periodically as needed to address bugs.
Should you discover any security issues, please refer to Sigstore's security policy.