End to end workflow to build, sign, and deploy a distroless image using apko/cosign/kyverno
Published in
2 min readMar 2, 2024
in this example, I am trying to build an distroless image using apko tool, and then sign it using cosign, verify it, and then verify it against a cluster policy using kyverno cli, then deploy it to a k3s cluster.
the code is here: https://github.com/whoissqr/cg-test-keyless-sign/tree/2.0
container definition yaml
contents:
repositories:
- https://dl-cdn.alpinelinux.org/alpine/edge/main
packages:
- alpine-base
cmd: /bin/sh -l
# optional environment configuration
environment:
PATH: /usr/sbin:/sbin:/usr/bin:/bin
pod yaml
apiVersion: v1
kind: Pod
metadata:
name: cg
namespace: app
spec:
containers:
- image: ghcr.io/whoissqr/cg-test-keyless-sign:latest
name: cg-test-keyless-sign
resources: {}
Cluster Policy
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: check-image-keyless
spec:
validationFailureAction: Enforce
failurePolicy: Fail
background: false
webhookTimeoutSeconds: 30
rules:
- name: check-image-keyless
match:
any:
- resources:
kinds:
- Pod
verifyImages:
- verifyDigest: false
imageReferences:
- "ghcr.io/whoissqr/cg-test-keyless-sign*"
attestors:
- entries:
- keyless:
subject: "https://github.com/whoissqr/cg-test-keyless-sign/.github/workflows/main.yml@refs/heads/main"
issuer: "https://token.actions.githubusercontent.com"
rekor:
url: https://rekor.sigstore.dev
GitHub action yaml
name: Publish and Sign Container Image
on: workflow_dispatch
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v2
- name: Install cosign
uses: sigstore/cosign-installer@v3.2.0
- name: Check install!
run: cosign version
- name: Log into ghcr.io
uses: docker/login-action@master
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: distroless/actions/apko-build@main
with:
config: foo.yaml
tag: ghcr.io/${{ github.repository }}:latest
- uses: distroless/actions/apko-publish@main
id: push-step
with:
config: foo.yaml
tag: ghcr.io/${{ github.repository }}:latest
- name: Sign the images with GitHub OIDC Token
env:
COSIGN_EXPERIMENTAL: "true"
run: |
echo "dont sign image"
cosign sign --yes ${{ steps.push-step.outputs.digest }}
- name: (optional) Verify the images
run: |
cosign verify ghcr.io/whoissqr/cg-test-keyless-sign \
--certificate-identity https://github.com/whoissqr/cg-test-keyless-sign/.github/workflows/main.yml@refs/heads/main \
--certificate-oidc-issuer https://token.actions.githubusercontent.com | jq
- name: (optional) Install Kyverno CLI
if: always()
uses: kyverno/action-install-cli@v0.2.0
- name: (optional) Dry run policy using Kyverno CLI
if: always()
run: |
kyverno version
kyverno apply ./k3s/policy-check-image-keyless.yaml --resource ./k3s/pod.yaml
# kubectl get clusterpolicies -o yaml | kyverno apply - --resource ./k3s/pod.yaml -v 10
- name: Create k3s cluster
uses: debianmaster/actions-k3s@master
id: k3s
with:
version: 'latest'
- name: Install Kyverno chart
run: |
helm repo add kyverno https://kyverno.github.io/kyverno/
helm repo update
helm install --atomic kyverno kyverno/kyverno -n kyverno --create-namespace
sleep 10
- name: Apply image attestation policy
run: |
kubectl apply -f ./k3s/policy-check-image-keyless.yaml
- name: Deploy pod to k3s
if: always()
run: |
set -x
kubectl create ns app
kubectl apply -f ./k3s/pod.yaml
kubectl get pod -n app
kubectl describe pod cg -n app
kubectl -n app wait --for=condition=Ready --timeout=60s pod/cg
kubectl describe pod cg -n app
kubectl get pods -n app