nirmata.com Open in urlscan Pro
141.193.213.10  Public Scan

Submitted URL: https://u29818437.ct.sendgrid.net/ls/click?upn=GXfJxXNCOYly-2Bx3gVfFBhNgZOv4fMkmQ1gxnco7wvht-2BQP8y-2FFOAw8QhcnvG-2B8Amjvpx5RBQu0-...
Effective URL: https://nirmata.com/2021/08/12/kubernetes-supply-chain-policy-management-with-cosign-and-kyverno/
Submission: On April 27 via api from US — Scanned from DE

Form analysis 2 forms found in the DOM

GET https://nirmata.com/

<form role="search" id="searchform" action="https://nirmata.com/" class="qode_search_form" method="get">
  <div class="container">
    <div class="container_inner clearfix">
      <i class="fa fa-search"></i>
      <input type="text" placeholder="Search" name="s" class="qode_search_field" autocomplete="off">
      <input type="submit" value="Search">
      <div class="qode_search_close">
        <a href="#">
							<i class="fa fa-times"></i>
						</a>
      </div>
    </div>
  </div>
</form>

POST https://nirmata.com/wp-comments-post.php?wpe-comment-post=nirmata

<form action="https://nirmata.com/wp-comments-post.php?wpe-comment-post=nirmata" method="post" id="commentform" class="comment-form"><textarea id="comment" placeholder="Write your comment here..." name="comment" cols="45" rows="8"
    aria-required="true" minlength="15" maxlength="15360"></textarea>
  <div class="three_columns clearfix">
    <div class="column1">
      <div class="column_inner"><input id="author" name="author" placeholder="Your full name" type="text" value="" aria-required="true"></div>
    </div>
    <div class="column2">
      <div class="column_inner"><input id="email" name="email" placeholder="E-mail address" type="text" value="" aria-required="true"></div>
    </div>
    <div class="column3">
      <div class="column_inner"><input id="url" name="url" type="text" placeholder="Website" value=""></div>
    </div>
  </div>
  <p class="comment-form-cookies-consent"><input id="wp-comment-cookies-consent" name="wp-comment-cookies-consent" type="checkbox" value="yes"> <label for="wp-comment-cookies-consent">Save my name, email, and website in this browser for the next time
      I comment.</label></p>
  <p class="form-submit"><input name="submit" type="submit" id="submit_comment" class="submit" value="Submit"> <input type="hidden" name="comment_post_ID" value="7389" id="comment_post_ID">
    <input type="hidden" name="comment_parent" id="comment_parent" value="0">
  </p>
  <noscript><input type="hidden" name="JS04X7" value="NS1"></noscript>
  <noscript>
    <p><strong>Currently you have JavaScript disabled. In order to post comments, please make sure JavaScript and Cookies are enabled, and reload the page.</strong>
      <a href="http://enable-javascript.com/" rel="nofollow external">Click here for instructions on how to enable JavaScript in your browser.</a></p>
  </noscript>
</form>

Text Content

This website stores cookies on your computer. These cookies are used to improve
your website experience and provide more personalized services to you, both on
this website and through other media. To find out more about the cookies we use,
see our Privacy Policy.

We won't track your information when you visit our site. But in order to comply
with your preferences, we'll have to use just one tiny cookie so that you're not
asked to make this choice again.

Accept Decline
 * Get a Demo
 * About
   * Team
   * Partners
   * Press
 * Login

 * Get Started


 * Products
    * Nirmata Enterprise for Kyverno
    * Nirmata Policy Manager
    * Kyverno OSS

 * Use Cases
    * Pod Security
    * Software Supply Chain Security
    * Cluster Multitenancy
    * Continuous Compliance

 * Pricing
 * Blog
 * Resources
    * Case Studies
    * Content Library
    * Documentation
    * Support
    * Kyverno Training & Certification

 * Products
   * Nirmata Enterprise for Kyverno
   * Nirmata Policy Manager
   * Kyverno OSS
 * Use Cases
   * Pod Security
   * Software Supply Chain Security
   * Cluster Multitenancy
   * Continuous Compliance
 * Pricing
 * Blog
 * Resources
   * Case Studies
   * Content Library
   * Documentation
   * Support
   * Kyverno Training & Certification


KUBERNETES SUPPLY CHAIN POLICY MANAGEMENT WITH COSIGN AND KYVERNO

August 12, 2021 In Kyverno By Jim Bugwadia


KUBERNETES SUPPLY CHAIN POLICY MANAGEMENT WITH COSIGN AND KYVERNO

This is a joint blog post from Dan Lorenc (@lorenc_dan), a software engineer at
Google and a maintainer of Cosign, and Jim Bugwadia (@JimBugwadia), co-founder
of Nirmata and a maintainer of Kyverno.


INTRODUCTION

Modern software applications are built on decades of prior art and can have
hundreds of dependencies across open source, internal, and other 3rd party
components. Hence, securing software supply chains is complex. Rapid adoption of
DevOps and cloud-native technologies like containers and Kubernetes also add
complexity, but have the potential of bringing new best practices and automation
tools. In this post we will demonstrate how Cosign, an image signing and
verification tool, can be used with Kyverno, a Kubernetes policy engine. 


IMAGE SIGNING WITH COSIGN

Supply chains can be modeled as a series of links where source code, metadata.
and artifacts change hands from producer to consumer, making their way from
keyboard to production deployment. Unfortunately each of these links is a
potential place for something to go wrong, either by accident or on purpose from
an attacker!

One method for protecting these links against attacks (and mistakes!) is to use
digital signatures, which can help detect if an artifact or metadata has been
tampered with. Artifact publishers can generate a cryptographic keypair, and use
the private key to sign the artifact. They then distribute the public key
widely, and consumers can use that to verify the signature and artifact. When
these pieces all get put together, they can be used to protect the links in a
software supply chain.

Unfortunately these pieces are often harder to put together than they need to
be, which is what the Sigstore project aims to help fix! Sigstore is a set of
open source projects and shared community-driven infrastructure to help make key
distribution, certificate verification and signature discovery easy and
transparent. While Sigstore is aimed at all types of software artifacts, the
cosign sub-project is specifically targeted at signing and verifying container
images. You can get up and running quickly with cosign by following the getting
started guide here, where you can generate a keypair, sign images and verify
them on the command line.

Or, you can follow the rest of this blog post to see how to automatically verify
images before they’re deployed using Kyverno!


COSIGN IMAGE SIGNATURE VERIFICATION WITH KYVERNO

Kyverno is a policy management solution built for Kubernetes. Kyverno enables
managing policies and policy results as Kubernetes resources. Kyverno runs as an
admission controller and can allow or deny API requests based on configured
policies. Kyverno policies can also be used to mutate resources and be used to
trigger the automatic generation of new resources.

To add support for Cosign, a new type of policy rule was introduced. The new
“verifyImages” rule performs the following actions:

 1. It validate signatures for matching images using Cosign
 2. It mutates image references with the digest returned by Cosign

Using an image digest guarantees immutability of images and hence improves
security.

The rule is executed in the mutating admission controller, but runs after
resources are mutated to allow policies to mutate image registries and other
configurations, before the image signature is verified.

Here is a policy that verifies all images from the repository “ghcr.io/kyverno/”
that start with the name “test-verify-image” are signed with the provided public
key:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image
spec:
  validationFailureAction: enforce
  background: false
  rules:
    - name: check-image
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
      - image: "ghcr.io/kyverno/test-verify-image:*"
        key: |-
          -----BEGIN PUBLIC KEY-----
          MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE8nXRh950IZbRj8Ra/N9sbqOPZrfM
          5/KAQN0/KjHcorm/J5yctVd7iEcnessRQjU917hmKO6JWVGHpDguIyakZA==
          -----END PUBLIC KEY-----  

The Kyverno policy rule definition allows for multiple entries, and the all
matching rules are executed as a logical AND operation i.e. they must all be
successful for the policy check to pass. This allows for use cases where an
image is signed by a build automation tool, as well as a system administrator. 

While it’s best to write policies that operate on a pod specification at the pod
level, pods are almost always managed using pod controllers such as a Deployment
or StatefulSet. Kyverno automatically generates policy rules for pod controllers
via the auto-gen feature to provide early enforcement of policies and a better
user experience.

The Kyverno auto-gen feature also works for the “verifyImages” rule. This means
that a Deployment, or any other controller, with a pod template that references
a matching image will be validated and the pod template will be updated with the
image digest! 

Let’s take a look at this in action with a step-by-step demonstration:

1. Install the latest version of Kyverno (the Kyverno docs have detailed
installation instructions from command line and the Helm chart):

kubectl create -f https://raw.githubusercontent.com/kyverno/kyverno/main/definitions/release/install.yaml

2. Patch the Kyverno webhook, to allow time for calling the OCI registry (future
releases of Kyverno will automatically adjust the defaults):

kubectl patch mutatingwebhookconfigurations kyverno-resource-mutating-webhook-cfg \
--type json \
-p='[{"op": "replace", "path": "/webhooks/0/failurePolicy", "value": "Ignore"},{"op": "replace", "path": "/webhooks/0/timeoutSeconds", "value": 15}]'

3. Install a sample image validation policy:

kubectl apply -f https://raw.githubusercontent.com/kyverno/policies/main/other/verify_image.yaml

4. Try running a signed test image as a Deployment from the Kyverno repository:

kubectl create deployment signed \
--image=ghcr.io/kyverno/test-verify-image:signed

5. Check the image reference in the deployment.

kubectl get deploy signed -o yaml | grep image

Note that the image digest was automatically added:

  - image: ghcr.io/kyverno/test-verify-image:signed@sha256:b31bfb4d0213f254d361e0079deaaebefa4f82ba7aa76ef82e90b4935ad5b105
    imagePullPolicy: IfNotPresent
    name: test-verify-image

6. Try running an unsigned image that matches the configured rule:

kubectl create deployment unsigned \
--image=ghcr.io/kyverno/test-verify-image:unsigned

This will be blocked:

error: failed to create deployment: admission webhook "mutate.kyverno.svc" denied the request:

resource Deployment/default/unsigned was blocked due to the following policies

verify-image:
  autogen-verify-image: 'image verification failed for ghcr.io/kyverno/test-verify-image:unsigned:
    signature not found'

7. Try running an image signed using a different private key that matches the
configured rule:

kubectl create deployment signed-other \
--image=ghcr.io/kyverno/test-verify-image:signed-by-someone-else

This will be blocked as well:

error: failed to create deployment: admission webhook "mutate.kyverno.svc" denied the request:

resource Deployment/default/signed-other was blocked due to the following policies

verify-image:
  autogen-verify-image: 'image verification failed for ghcr.io/kyverno/test-verify-image:signed-by-someone-else:
    invalid signature'

8. Finally try running a bare pod, with an unsigned image:

kubectl run unsigned \
--image=ghcr.io/kyverno/test-verify-image:unsigned

This verifies that Kyverno policies are applied at the pod controller and pod
levels:

Error from server: admission webhook "mutate.kyverno.svc" denied the request:

resource Pod/default/unsigned was blocked due to the following policies

verify-image:
  verify-image: 'image verification failed for ghcr.io/kyverno/test-verify-image:unsigned:
    signature not found'

Kyverno also supports Cosign integration with private OCI registries. Refer to
the Kyverno documentation for details, and to test this feature with your own
images.


WHAT THIS INTEGRATION PROVIDES

While Kubernetes supply chain security is a large topic, the ability to easily
sign and verify container images provides a foundational strategy you can
implement today. Establishing a baseline level of trust and awareness of
everything you’re running in production is a great first step in securing your
overall software supply chain. Signing your images, either manually or as part
of a build pipeline, and then verifying them before deployment, is one way to
get started on the path to more robust Kubernetes supply chain security.

As standards and tools evolve, a more comprehensive strategy would be to use
richer attestations that contain data about how an image was built and what
source code was used inside of it. These attestations should be generated
automatically by a CI/CD pipeline and can be used to write and enforce powerful
policies using engines like Kyverno.  The In-Toto project contains a large set
of metadata formats that are useful here. More on this topic at: Policy and
Attestations. Best Practices for Supply Chain… | by Dan Lorenc | Jul, 2021 |
Medium.  


WHAT’S NEXT FOR COSIGN

This is a fast moving space, and these tools are changing rapidly! Up next in
Sigstore, we’re working on firming up our APIs and specifications so more
tooling can be built on top of our infrastructure. Our signature transparency
log and code signing CA are currently Experimental, but we’re aiming to get
these up to production quality early this fall. We’re also working to integrate
Cosign signatures directly into build systems, so they can be created in CI
systems and verified in policy engines from end-to-end, automatically!


WHAT’S NEXT FOR KYVERNO

The Kyverno 1.4.2 verify images policy rule provides a simple yet powerful way
to verify container images verified by Cosign during admission controls. The
feature in Kyverno is currently in “alpha” status and the current focus is to
make this production ready. This will include adding Kyverno CLI support for
image verification via policies outside a cluster (e.g. in a CI/CD pipeline) and
metrics support. A full list of open issues is available on the Kyverno GitHub.
Learn more about Kyverno as a policy manager for Kubernetes while you’re here.

Beyond verifying image signatures, Kyverno will continue to expand support for
other supply chain security use cases, such as verify in-toto attestations as
these standards mature.


GET INVOLVED

Cosign and Kyverno are both fast moving projects with growing communities. Come
say hello in the slack channels (Cosign slack, Kyverno slack) and follow our
GitHub repositories (Cosign GitHub, Kyverno GitHub) to stay updated. We’d love
to hear from you!

Meanwhile, Nirmata will continue to update readers (and developers) here on
important DevOps topics like Kubernetes supply chain security, including Cosign
security for Kubernetes. Feel free to contact us here with any specific
questions you may have, or sign-up for our free monthly newsletter at the top
right of this page to stay informed on all things Kubernetes and Kyverno!

--------------------------------------------------------------------------------

Photo by boris misevic on Unsplash

Introducing Kyverno 1.4.2: Trusted And More Efficient!
How to Successfully Migrate from OPA to Kyverno

 * 
 * 
 * 
 * 

TAGS:

CosignDevSecOpsKubernetesKyvernoSoftware Supply Chain SecuritySupply Chain
Security

NO COMMENTS





POST A COMMENT

Cancel Reply

Save my name, email, and website in this browser for the next time I comment.



Currently you have JavaScript disabled. In order to post comments, please make
sure JavaScript and Cookies are enabled, and reload the page. Click here for
instructions on how to enable JavaScript in your browser.



PRODUCT

 * Enterprise for Kyverno
 * Policy Manager
 * Kyverno OSS
 * Pricing

USE CASES

 * Pod Security
 * Software Supply Chain Security
 * Cluster Multitenancy
 * Continuous Compliance

RESOURCES

 * Blog
 * Videos
 * Webinars
 * Datasheets
 * Whitepapers
 * All Case Studies

COMPANY

 * Our Team
 * Careers
 * About Us
 * Partners
 * Get a Demo

Terms of UsePrivacy PolicySecurity Policy
6203 San Ignacio Avenue
Suite 110,
San Jose, CA 95119© Nirmata 2023, All Right Reserved.



Follow us

X



CLOSE



CLOSE



CLOSE



CLOSE

CLOSE
Radhesh Kanumury

Radhesh is Managing Partner of Arka Venture Labs. Arka Venture Labs is an
Accelerator fund which assists Indian B2B Startups to foray into US by providing
a combination of Funding, Mentoring and access to Silicon Valley Ecosystem. Arka
Venture Labs was formed in August 2018 and has made 9 investments so far. Prior
to starting Arka, Radhesh was Venture Advisor to Blume Ventures, focusing on
early stage B2B Startups investments. Before this he was leading the Global
Entrepreneur Program, for IBM India and South Asia. He exhibited strong
leadership in steering the Startup initiative of IBM from scratch to one of the
companies to be reckoned by the Startup ecosystem in India and generating strong
revenues for IBM India Cloud business. He has helped many B2B startups scale in
their journey by mentoring them, facilitating access to funds and customers.

He has core competency in evaluating startups leveraging technology and advising
them on areas of improvement from business and technology standpoint. He
conceptualized IBM India`s Startup challenge called IBM India Smartcamp and
successfully executed the same. Radhesh has personally curated the startups for
the finals, many of whom got funding either for the first time or for their
subsequent rounds.He also worked with large enterprises in assisting them in
identifying the next generation innovations through joint hackathons and startup
challenges.

Prior to this role at IBM he was working as a Software Architect where he was
designing Software solutions for Enterprise Clients, ISVs and System
Integrators. He created many First of its kind solutions and led several key
Sales wins for IBM. Radhesh has strong skills in building strategic
relationships with Partner organizations.

CLOSE

Cloud Edition

Best for line of business
teams

GET STARTED

Private Edition

Built for large enterprises
with multiple teams

GET STARTED
X
Anubhav Sharma, VP of Business Development

Anubhav is VP of Business Development and Customer Success. He has 20+ years of
experience in building and growing businesses across service provider,
enterprise and commercial sectors. He has led functions in business development,
product management, marketing, delivery and operations through his career, and
most recently served as GM for the $250M Web-scale Services business at Cisco.

Anubhav is passionate about building new solutions and teams, and growing new
market segments. At Cisco, he grew business 30-40% annually for many years while
also building new offers, a world class team and a global delivery model.

Throughout his career, Anubhav has straddled technical, operational and business
domains to bring new solutions around real-time analytics, operational
assessments and network lifecycle management. Most recently, he was involved in
bringing in new offers around recently launched Business Critical Services, a
$2.5B business for Cisco. Before leaving Cisco, Anubhav signed off with a $350M
multi-year deal built entirely around new solutions and engagement model with an
innovative commercial structure.

Anubhav brings to Nirmata’s product development and organization an extensive
experience developing both custom and standard subscription services, which was
significantly formed by his time spent building analytics solutions at Cisco.
This perspective on building bleeding edge solutions is evident in his business
outlook, which recognizes that best solutions are built with the customers, by
listening to them and partnering in risk taking when breaking new ground.

Anubhav holds bachelor’s degrees in both physics and electronics and
telecommunications from Mumbai University and an MBA from San Jose State
University.

CLOSE
Ritesh Patel, Founder & VP of Products

Ritesh Patel is co-founder of Nirmata and has 20+ years experience building and
delivering enterprise software solutions and has led highly successful software
and business development teams. Ritesh began his career in engineering for high
tech firms, and has since migrated to the business side of the operation. In his
founding of Nirmata, Ritesh sought to bring his broad spectrum of experience to
a single previously unaddressed industry problem through the creation of a new
business. To Nirmata’s leadership, Ritesh brings a rare skill set incorporating
experience with the entire chain of software development activities. This
background has contributed to Nirmata’s commitment to empowering all employees
to do the hard work required to deliver tools that solve tough problems.

Prior to Nirmata, Ritesh led business development at Brocade, where he was
responsible for defining the firm’s cloud strategy, and oversaw developments
that advanced the entire cloud “as-a-service” market. Through cloud and
security-related initiatives, Ritesh and his team at Brocade were able to
package Brocade’s plethora of IT infrastructure products into enterprise-ready
solutions including OpenStack and CloudStack that pioneered widespread cloud
computing implementation. In addition to these technical achievements, Ritesh
succeeded in creating an extensive partner ecosystem to efficiently match these
solutions with urgent customer needs.

Ritesh has also held key technical positions at Trapeze Networks (where he
created industry award-winning products), Nortel, and Motorola. Ritesh holds an
MBA from UC Berkeley and a master’s degree in computer engineering from Michigan
State University.

CLOSE
Damien Toledo, Founder & VP of Engineering

Damien Toledo is Co-Founder and Vice President of Engineering, overseeing
research and development, operations, maintenance, and delivery of Nirmata
products. Damien brings over 20 years experience leading global engineering
teams and delivering Enterprise grade solutions.

Since 1998 when he arrived in Silicon Valley from France to pursue the
possibilities of US startup culture, Damien has held a number of engineering
positions at high tech firms, each of which playing a role in the concept
development for Nirmata. Building on lessons learned in management
transformation at Jetstream Communications in the early 2000s, Damien built the
Meru Networks Network Management team and Network Management solution from the
ground up as one of the firm’s original members. Meru Networks went public in
2010 (NASDAQ:MERU).

Subsequent to his work at Meru, Damien led the transformation of the engineering
team at Netscout to build an agile organization. At Netscout, he championed the
adoption of Continuous Integration best practices across a team of 200+
engineers and 7 development sites, which resulted in reducing the software
release cycles by 300%. While at Netscout and together with Nirmata co-founder
Jim Bugwadia, Damien oversaw the adoption of microservices while searching for
solutions to operating quickly in the cloud, and developed the foundations for
what would become Nirmata.

Damien holds a master’s degree in computer science from University of Technology
of Compiègne.

CLOSE
Jim Bugwadia, Founder & CEO

Jim Bugwadia has 20+ years experience building and leading effective teams and
has created software that powers communications systems around the world.

Jim was among the original architects and business leaders within Cisco’s cloud
automation practice, where he helped grow revenues to over $250M. During Jim’s
tenure, IDC recognized the practice as #1 in global cloud services.

Prior to his work at Cisco, Jim led engineering teams at startups including Pano
Logic, a desktop virtualization startup recognized for its innovative design by
Wired magazine; Trapeze Networks, a wireless pioneer; and Jetstream
Communications, a telecom equipment manufacturer. Jim started his career
developing C++ software at Motorola for cellular network infrastructure where
his team launched the world’s first cellular telephony that used code division
multiplexing to optimize radio frequency usage.

Jim’s passion is to simplify the use of complex systems by providing well
designed products that drive mass adoption of new technologies. As software has
become mission critical to all businesses, Jim and his co-founders started
Nirmata to help enterprises automate the delivery and management of
applications. Jim currently develops software in Java, Golang, and Javascript,
and is a Certified Kubernetes Administrator who actively participates in
Nirmata’s full product lifecycle.

Over the course of his career, Jim has logged over $1.3B in revenue, 6 patent
filings, 8 major product launches, and 29 years experience coding.

Jim holds a bachelor’s degree in engineering from Chicago State University and a
master’s degree in computer science from the University of Illinois at Chicago.

CLOSE