github.com/ishita82/trivy-gitaction@v0.0.0-20240206054925-e937cc05f8e3/docs/tutorials/kubernetes/kyverno.md

# Attesting Image Scans With Kyverno

This tutorial is based on the following blog post by Chip Zoller: [Attesting Image Scans With Kyverno](https://neonmirrors.net/post/2022-07/attesting-image-scans-kyverno/)

This tutorial covers:

- Verifying that the container image has an attestation with Kyverno

### Prerequisites

1. [Attestation of the vulnerability scan uploaded][vuln-attestation]
2. A running Kubernetes cluster that kubectl is connected to

### Kyverno Policy to check attestation

The following policy ensures that the attestation is no older than 168h:

vuln-attestation.yaml

{% raw %}

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-vulnerabilities
spec:
  validationFailureAction: enforce
  webhookTimeoutSeconds: 10
  failurePolicy: Fail
  rules:
    - name: not-older-than-one-week
      match:
        any:
        - resources:
            kinds:
              - Pod
      verifyImages:
      - imageReferences:
        - "CONTAINER-REGISTRY/*:*"
        attestations:
        - predicateType: cosign.sigstore.dev/attestation/vuln/v1
          conditions:
          - all:
            - key: "{{ time_since('','{{metadata.scanFinishedOn}}','') }}"
              operator: LessThanOrEquals
              value: "168h"
```

{% endraw %}

### Apply the policy to your Kubernetes cluster

Ensure that you have Kyverno already deployed and running on your cluster, for instance through the Kyverno Helm Chart.

Next, apply the above policy:

```
kubectl apply -f vuln-attestation.yaml
```

To check that the policy works, we can deploy an example Deployment that uses our container image:

deployment.yaml

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cns-website
  namespace: app
spec:
  replicas: 2
  selector:
    matchLabels:
      run: cns-website
  template:
    metadata:
      labels:
        run: cns-website
    spec:
      containers:
      - name: cns-website
        image: docker.io/anaisurlichs/cns-website:0.0.6
        ports:
          - containerPort: 80
        imagePullPolicy: Always
        resources:
          limits:
            memory: 512Mi
            cpu: 200m
        securityContext:
          allowPrivilegeEscalation: false
```

Once we apply the deployment, it should pass since our attestation is available:

```
kubectl apply -f deployment.yaml -n app
deployment.apps/cns-website created
```

However, if we try to deploy any other container image (one without the attestation), our deployment will fail. We can verify this by replacing the image referenced in the deployment with `docker.io/anaisurlichs/cns-website:0.0.5` and applying the deployment:

```
kubectl apply -f deployment-two.yaml

Resource: "apps/v1, Resource=deployments", GroupVersionKind: "apps/v1, Kind=Deployment"
Name: "cns-website", Namespace: "app"
for: "deployment-two.yaml": admission webhook "mutate.kyverno.svc-fail" denied the request:

resource Deployment/app/cns-website was blocked due to the following policies

check-image:
  autogen-check-image: |
    failed to verify signature for docker.io/anaisurlichs/cns-website:0.0.5: .attestors[0].entries[0].keys: no matching signatures:
```

[vuln-attestation]: ../signing/vuln-attestation.md
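The policy above admits a Pod only when the vulnerability attestation's `metadata.scanFinishedOn` is at most 168h old. The following Python script, an added example that is not part of this tutorial, Kyverno, cosign or Trivy, reproduces just that freshness condition (plus the `predicateType` match) on a DSSE/in-toto envelope of the shape `cosign attest` emits, so you can see locally why an attestation would be accepted or rejected before it reaches the admission webhook. The envelope it builds is constructed sample data with placeholder digest and signature, and the script deliberately does no signature verification; that part stays with cosign and Kyverno.

```python
"""Local check of the Kyverno condition
   time_since('', '{{metadata.scanFinishedOn}}', '') <= 168h
on a vulnerability-scan attestation (added example, not project code)."""
import base64
import json
from datetime import datetime, timedelta, timezone

PREDICATE_TYPE = "cosign.sigstore.dev/attestation/vuln/v1"
MAX_AGE = timedelta(hours=168)  # the policy's "168h"


def parse_rfc3339(value: str) -> datetime:
    """Parse an RFC 3339 timestamp such as 2024-02-01T12:00:00Z (UTC assumed if no zone)."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def make_envelope(scan_finished_on: str, predicate_type: str = PREDICATE_TYPE) -> dict:
    """Build a constructed, UNSIGNED DSSE envelope around a vuln predicate.

    Sample data only: subject digest and signature are placeholders.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "predicateType": predicate_type,
        "subject": [{"name": "CONTAINER-REGISTRY/cns-website",
                     "digest": {"sha256": "0" * 64}}],  # placeholder digest
        "predicate": {
            "scanner": {"uri": "pkg:github/aquasecurity/trivy", "version": "PLACEHOLDER"},
            "metadata": {"scanStartedOn": scan_finished_on,
                         "scanFinishedOn": scan_finished_on},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "payloadType": "application/vnd.in-toto+json",
        "payload": payload,
        "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-REAL-SIGNATURE"}],
    }


def check_attestation(envelope: dict, now: str, max_age: timedelta = MAX_AGE) -> tuple[bool, str]:
    """Return (allowed, reason) for the policy's attestation conditions.

    `now` is an RFC 3339 string so the result is deterministic and testable.
    Signature verification is out of scope here (cosign/Kyverno do that).
    """
    statement = json.loads(base64.b64decode(envelope["payload"]))
    actual_type = statement.get("predicateType")
    if actual_type != PREDICATE_TYPE:
        return False, f"predicateType {actual_type!r} does not match {PREDICATE_TYPE}"
    finished_on = statement.get("predicate", {}).get("metadata", {}).get("scanFinishedOn")
    if not finished_on:
        return False, "predicate has no metadata.scanFinishedOn"
    try:
        age = parse_rfc3339(now) - parse_rfc3339(finished_on)
    except ValueError as exc:
        return False, f"unparseable timestamp: {exc}"
    if age < timedelta(0):
        return False, f"scanFinishedOn {finished_on} is in the future"
    if age > max_age:  # LessThanOrEquals in the policy, so exactly 168h still passes
        return False, f"scan finished {age} ago, older than {max_age}"
    return True, f"scan finished {age} ago, within {max_age}"


if __name__ == "__main__":
    now = "2024-02-06T12:00:00Z"  # constructed reference time
    cases = [
        ("fresh", make_envelope("2024-02-01T12:00:00Z")),
        ("stale", make_envelope("2024-01-01T12:00:00Z")),
        ("wrong type", make_envelope("2024-02-01T12:00:00Z", "https://slsa.dev/provenance/v0.2")),
    ]
    for label, env in cases:
        print(label, check_attestation(env, now))
```

The boundary matters in practice: the policy uses `LessThanOrEquals`, so an attestation exactly 168h old is still admitted, and a scan one second older is refused, which is why the check compares `age > max_age` rather than `>=`. A timestamp in the future is also rejected, since it usually means a clock problem on the scanner rather than a genuinely recent scan.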