Verify Rancher Application Collection images
This section describes how to verify applications and images from the Rancher Application Collection with Kubewarden.
You perform image verification by deploying the Verify Image Signatures policy and configuring the PolicyServers to pull the images' signature layers from the Application Collection.
You need an access token or service account authentication for Application Collection.
Authenticating to Rancher Application Collection​
Following the Application Collection docs, create an access token and configure the cluster so it can pull from the Application Collection registry with a Docker Config Secret, such as this one:
$ kubectl create secret docker-registry application-collection \
--docker-server=dp.apps.rancher.io \
--docker-username=<mymail> \
--docker-password=<mytoken>
Create Secret for the PolicyServer so they can pull from Rancher Application Collection​
The PolicyServer in use needs configuration so it can pull the image layers that contain the signatures.
Follow the private registries how-to for
Policy Servers to create a Docker Config Secret in the PolicyServer's
namespace. You do this by instantiating a Secret with the same contents as
the previous application-collection
.
For PolicyServer default
, installed with the kubewarden-defaults
Helm chart
under the kubewarden
namespace, it would be:
$ kubectl create secret docker-registry application-collection-kw -n kubewarden \
--docker-server=dp.apps.rancher.io \
--docker-username=<mymail> \
--docker-password=<mytoken>
Configure PolicyServers to use the new Secret​
If using the PolicyServer default
from the kubewarden-defaults
Helm chart,
configure it with the imagePullSecret application-collection-kw
. This is in
the same namespace and done by setting the following values for the chart:
$ helm upgrade -i --wait --namespace kubewarden \
--create-namespace kubewarden-defaults kubewarden/kubewarden-defaults \
--reuse-values \
--set policyServer.imagePullSecret=application-collection-kw
If you are using other PolicyServers, set their
spec.imagePullSecret
. The Secret
must be in the same namespace as the PolicyServer.
Apply the policy​
You can apply a ClusterAdmissionPolicy by making use of the Verify Image
Signatures
policy. This policy checks all container images from
dp.apps.rancher.io/containers/*
. The policy supports OCI registries and
artifacts.
You can configure the policy settings with the public
key
from Application Collection (at the time of writing) in the pubKeys
array.
$ kubectl apply -f - <<EOF
apiVersion: policies.kubewarden.io/v1
kind: ClusterAdmissionPolicy
metadata:
annotations:
artifacthub/pkg: verify-image-signatures/verify-image-signatures/0.2.9
name: check-appcollection-signatures
spec:
backgroundAudit: true
mode: protect
module: ghcr.io/kubewarden/policies/verify-image-signatures:v0.2.9
mutating: true
policyServer: default
# On first policy call, the policy-server downloads the image layers to
# verify the signatures. Later on it's cached. It may be useful to increase
# this timeout:
timeoutSeconds: 30 # default 10 seconds.
rules:
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["pods"]
operations: ["CREATE", "UPDATE"]
- apiGroups: [""]
apiVersions: ["v1"]
resources: ["replicationcontrollers"]
operations: ["CREATE", "UPDATE"]
- apiGroups: ["apps"]
apiVersions: ["v1"]
resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
operations: ["CREATE", "UPDATE"]
- apiGroups: ["batch"]
apiVersions: ["v1"]
resources: ["jobs", "cronjobs"]
operations: ["CREATE", "UPDATE"]
settings:
modifyImagesWithDigest: true
rule: PublicKey
signatures:
- image: dp.apps.rancher.io/containers/*
pubKeys:
# Note: this array constitutes an AND in validation, not an OR.
- |-
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA02FtEt5gBywiyxbmkVsb
CujcBg5lur0kpEbfDk10gCcs9shVEqEO3ZsOXHursgoaDAWqdPtsYhsgczGeJz9w
Aw+r6BuRV8YOkE37A8s/7IOQUW0tlqtnt11OKhIiZ9+e5l3ed2H1ymKQO3dgreSy
rShqYdA3hrItswyp41ApF6zhjSPlR6lAmq3X4wMYLAPptmzfxigTnR4hxB5UNPhs
i2qA4vLrUM/i+NohECuLr1EAymvupH26HLEdM+eZnlQn+WbhIP5Grc4ba7XrBv7K
kywgTC7CxkiJZR0mUcUD2wTX/Je8Ewj6oPSalx09e2jtzvmU5Kr9XUyMF7Zsj5CA
IwIDAQAB
-----END PUBLIC KEY-----
EOF
$ kubectl apply -f mypolicy.yml
$ kubectl get admissionpolicies -n default # wait for status active
To test it, deploy a Pod with a signed image from Application Collection:
$ kubectl run nginx --image [dp.apps.rancher.io/containers/nginx:1.24.0](http://dp.apps.rancher.io/containers/nginx:1.24.0) --overrides='{"spec": {"imagePullSecrets":[{"name": "application-collection"}]}}'
pod/nginx created
You can inspect the logs of your policy-server Pod to see that the verification took place.