cosign image signing
2022-08-16 k8skinghu
Image signing tool: sigstore's cosign
Documentation: https://docs.sigstore.dev/
Repository: https://github.com/sigstore
First, be clear about what image signing and verification actually sign and verify.
Answer: this string, sha256:7da0f90273e1961d9c38d26809f84d4ef3cdc9b4fc330a9cab22015d7c9e8228,
the digest (hash) of the image manifest. The tag (`latest`) is not what gets signed; at signing time the tag is resolved to this digest, and the signature is bound to the digest, so whatever a tag points to later is not covered.
1. Installing the cosign tool
Verify the downloaded binary against the checksum and signature published with the release before installing it; a signing tool pulled from an unverified download is a weak root of trust for everything signed afterwards.

# binary
wget "https://github.com/sigstore/cosign/releases/download/v1.10.0/cosign-linux-amd64"
mv cosign-linux-amd64 /usr/local/bin/cosign
chmod +x /usr/local/bin/cosign

# check the version
cosign version

cosign: A tool for Container Signing, Verification and Storage in an OCI registry.

GitVersion:    v1.10.0
GitCommit:     3a6088d03d7c053f9b3bd61ed07fba92133579cf
GitTreeState:  clean
BuildDate:     2022-07-22T09:52:50Z
GoVersion:     go1.18.4
Compiler:      gc
Platform:      linux/amd64
2. Generating a key pair
Keep the key pair safe. cosign.key is encrypted with the password entered here, so anyone holding both the file and the password can sign images that the cluster will trust; cosign.pub is the part you hand to verifiers. The password below is the author's throwaway example, shown only because the transcript echoes it; in real use feed it through COSIGN_PASSWORD from a secret store rather than writing it into a script.
cosign generate-key-pair
Enter password for private key: cEqEZhN5PkQ9
Enter again: cEqEZhN5PkQ9
Private key written to cosign.key
Public key written to cosign.pub
3. Signing an image
Notes:
Signing an image does not require a local copy; it only has to exist in the registry (Docker Hub, Harbor), because cosign signs the manifest digest it resolves there.
You must be logged in to the registry (Docker Hub, Harbor), because the signature is pushed to it as a separate OCI artifact next to the image.
export COSIGN_PASSWORD=cEqEZhN5PkQ9
cosign sign --key cosign.key kinghu88/caddy:latest
Pushing signature to: index.docker.io/kinghu88/caddy
# seeing the line above means the signing succeeded

The signature is attached to whatever manifest digest `latest` resolves to at the moment of signing. Passing the digest form (kinghu88/caddy@sha256:7da0f90273e1961d9c38d26809f84d4ef3cdc9b4fc330a9cab22015d7c9e8228) instead of the tag makes it explicit which image is being signed and avoids blessing a tag that was retagged between build and sign.
4. Verifying an image signature
# COSIGN_PASSWORD is not needed for verification: only the unencrypted public key is used
export COSIGN_PASSWORD=cEqEZhN5PkQ9
cosign verify --key cosign.pub kinghu88/caddy | jq .
# output like the following means the signature is valid
[
  {
    "critical": {
      "identity": {
        "docker-reference": "index.docker.io/kinghu88/caddy"
      },
      "image": {
        "docker-manifest-digest": "sha256:7da0f90273e1961d9c38d26809f84d4ef3cdc9b4fc330a9cab22015d7c9e8228"
      },
      "type": "cosign container image signature"
    },
    "optional": null
  }
]

The payload's `docker-manifest-digest` is the digest that was actually signed, and `docker-reference` is the repository the signature was created for; a verifier should check both, not just the exit status.
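As an added example (not code from the original post or from cosign itself): a successful `cosign verify` proves that some manifest digest was signed by the key, but what then gets deployed is still the tag, and a tag can be moved after verification. The script below takes the JSON that `cosign verify` prints (the sample embedded here is the output shown above, fixed as a string so the script runs offline), checks that the signature's identity is the repository you expected and that the digest is well formed, and prints the image reference pinned to the signed digest so the Deployment references exactly what was verified. The function names and the expected-repository argument are this example's own.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post: pin a deployment to the digest that
# `cosign verify` actually verified, instead of re-pulling the mutable tag.

# The `cosign verify` output from the verification step above, embedded as a constant
# so this runs offline (constructed input; in practice capture the live output).
SAMPLE_VERIFY_JSON='[{"critical":{"identity":{"docker-reference":"index.docker.io/kinghu88/caddy"},"image":{"docker-manifest-digest":"sha256:7da0f90273e1961d9c38d26809f84d4ef3cdc9b4fc330a9cab22015d7c9e8228"},"type":"cosign container image signature"},"optional":null}]'

# json_field <name>: print the first string value of field <name> from JSON on stdin.
# Works for both cosign's compact one-line output and the `jq .` pretty-printed form;
# it is deliberately simple and only meant for cosign's flat payload (use jq when present).
json_field() {
  sed -n "s/.*\"$1\": *\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# pin_verified_image <expected-repository> <verify-json>
# Prints "<repository>@<digest>" when the signature payload names the expected
# repository and carries a well-formed sha256 digest; returns 1 otherwise.
pin_verified_image() {
  local expected_ref="$1" json="$2" ref digest sig_type
  ref=$(printf '%s\n' "$json" | json_field docker-reference)
  digest=$(printf '%s\n' "$json" | json_field docker-manifest-digest)
  sig_type=$(printf '%s\n' "$json" | json_field type)

  if [ "$sig_type" != "cosign container image signature" ]; then
    echo "unexpected signature payload type: '$sig_type'" >&2; return 1
  fi
  # The identity check matters: a valid signature from the same key over some *other*
  # repository's image must not be accepted for this one.
  if [ "$ref" != "$expected_ref" ]; then
    echo "signature identity '$ref' does not match expected '$expected_ref'" >&2; return 1
  fi
  if ! printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$'; then
    echo "malformed manifest digest: '$digest'" >&2; return 1
  fi
  printf '%s@%s\n' "$ref" "$digest"
}

# Typical use (needs network access and cosign.pub; not part of the offline run):
#   json=$(cosign verify --key cosign.pub kinghu88/caddy:latest 2>/dev/null)
#   pin_verified_image index.docker.io/kinghu88/caddy "$json"
# and then put the printed image@digest reference into the Deployment instead of the tag.
pin_verified_image index.docker.io/kinghu88/caddy "$SAMPLE_VERIFY_JSON"
```

Deploying the printed `image@digest` reference closes the window between verification and pull in which the registry could serve a different manifest under the same tag; the cosigned webhook in the next section performs the equivalent resolution inside the cluster.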
5. Installing the cosigned Helm chart
helm repo add sigstore https://sigstore.github.io/helm-charts
helm pull sigstore/cosigned
tar zxvf cosigned-0.1.23.tgz   # the latest chart version at the time of writing was 0.1.23
ls cosigned/   # contains the following files
# Chart.yaml  ci/  README.md  templates/  values.schema.json  values.yaml
# --create-namespace makes cosign-system if it does not exist yet
helm install cosigned -n cosign-system --create-namespace ./cosigned
What has to change in values.yaml is mainly the images (gcr.io is blocked from here, so both webhook images were mirrored to Docker Hub; the pinned sha256 `version` keeps the mirror from silently changing what runs) and the name of the secret that holds cosign.pub:
---
cosign:
  secretKeyRef:
    name: "mysecret"
policywebhook:
  image:
    repository: kinghu88/gcr.io.projectsigstore.policy-webhook:v1.8.0
    version: sha256:5eee36d3e0a7b2ebd92da9cff183e77dd3e9e9e33d94cbe9bc171d084135158a
webhook:
  image:
    repository: kinghu88/gcr.io.projectsigstore.cosigned:v1.8.0
    version: sha256:2db9a0b5cf329e379d75eacf5318ca72f139990e54b3c60d5e818a6c0a0d9f50
# create the secret holding the public key the webhook verifies against
kubectl create secret generic mysecret -n cosign-system --from-file=cosign.pub=./cosign.pub
# label the namespaces whose images must be signature-verified, e.g. default.
# From now on, when a Deployment in default is created, the image it pulls must pass signature verification
kubectl label namespace default cosigned.sigstore.dev/include=true
An image whose signature does not match the public key in the secret (or that carries no signature at all) is rejected by the cosigned admission webhook with an error when the Deployment is created.
An image signed with cosign deploys normally.
Tags: cosign