Cosign in practice (2): integration with GitHub

1. Background

As cosign matures, karmada needs to adopt it in a way that fits its own release process. This post looks at how several open-source projects (k8s, argo-CD, fluxcd) verify image signatures with cosign and derives the method karmada uses to verify its own image signatures.

2. Prerequisites

Install jq

apt install jq

Install cosign

See Cosign in practice (1): verifying binaries and images locally.

Image signing

See the karmada community PR.

3. Comparison of verification approaches

1) How k8s uses cosign

k8s signs with its release-promotion / image-publishing service account ([email protected]) as the certificate identity, with Google as the OIDC issuer:

cosign verify registry.k8s.io/kube-apiserver-amd64:v1.27.1 \
  --certificate-identity [email protected] \
  --certificate-oidc-issuer https://accounts.google.com \
  | jq .

This approach would require changes to karmada's release process (such as publishing through a dedicated promotion account), which is a large change, so it is not adopted.

2) How argo-CD uses cosign

argo-CD signs from a GitHub Actions workflow and pins the identity to one workflow file plus the release-tag ref prefix:

cosign verify \
--certificate-identity-regexp https://github.com/argoproj/argo-cd/.github/workflows/image-reuse.yaml@refs/tags/v \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
quay.io/argoproj/argocd:v2.7.0 | jq

3) How fluxcd uses cosign

fluxcd also signs from GitHub Actions, but only constrains the identity to workflows under the fluxcd organization:

cosign verify ghcr.io/fluxcd/source-controller:v1.0.0-rc.5 \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity-regexp=^https://github.com/fluxcd/.*$ | jq

4. Adopted verification approach

Following the fluxcd pattern, karmada images are verified against the GitHub Actions OIDC issuer and a certificate identity under the karmada-io/karmada repository:

cosign verify docker.io/karmada/karmada-aggregated-apiserver:latest \
  --certificate-oidc-issuer=https://token.actions.githubusercontent.com \
  --certificate-identity-regexp=^https://github.com/karmada-io/karmada/.*$ | jq

Output like the following indicates successful verification:

Verification for index.docker.io/karmada/karmada-aggregated-apiserver:latest --
The following checks were performed on each of these signatures:
  - The cosign claims were validated
  - Existence of the claims in the transparency log was verified offline
  - The code-signing certificate was verified using trusted certificate authority certificates
[
  {
    "critical": {
      "identity": {
        "docker-reference": "index.docker.io/karmada/karmada-aggregated-apiserver"
      },
      "image": {
        "docker-manifest-digest": "sha256:c6d85e111e1ca4da234e87fb48f8ff170c918a0e6893d9ac9e888a4e7cc0056f"
      },
      "type": "cosign container image signature"
    },
    "optional": {
      "1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
      "1.3.6.1.4.1.57264.1.2": "push",
      "1.3.6.1.4.1.57264.1.3": "e5277b6317ac1a4717f5fac4057caf51a5d248fc",
      "1.3.6.1.4.1.57264.1.4": "latest image to DockerHub",
      "1.3.6.1.4.1.57264.1.5": "karmada-io/karmada",
      "1.3.6.1.4.1.57264.1.6": "refs/heads/master",
      "Bundle": {
        "SignedEntryTimestamp": "MEYCIQD4R9XlhgQkjVAg4XuW857iqkNrSxbQB9k3x4Ie8IshgAIhAILn8m+eOAjYxxcpFU42ghoiiuMnyY+Xda2CBE5WZruq",
        "Payload": {
       ...

If the image is not signed, cosign reports an error:

root@zishen:/home/btg/install/cosign/karmada# cosign verify karmada/karmada-metrics-adapter:v1.6.0   --certificate-oidc-issuer=https://token.actions.githubusercontent.com   --certificate-identity-regexp=^https://github.com/karmada-io/karmada/.*$ | jq
Error: no signatures found for image
main.go:69: error during command execution: no signatures found for image
root@zishen:/home/btg/install/cosign/karmada# 

This confirms that the verification flow works. One caveat for scripts: with cosign's output piped into jq, the pipeline's exit status is jq's, not cosign's, so enable set -o pipefail (or run cosign verify without the pipe) so that an unsigned image actually fails the step.
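The identity regexp used above, ^https://github.com/karmada-io/karmada/.*$, accepts any workflow file and any git ref in the repository, including the refs/pull/N/merge identities that a pull_request-triggered workflow would carry. cosign already prints the Fulcio certificate extensions under "optional" (issuer, workflow trigger, commit SHA, workflow name, repository and ref), so a second policy check over that output can tighten the rule to release refs only and turn the verified tag into a digest-pinned reference. The following is an added example, not code from the original post or from the karmada project; the sample input is constructed from the successful output shown above (Bundle/Payload omitted), the OID-to-field mapping is the Sigstore Fulcio one, and the allowed refs and triggers are assumptions for illustration.

```python
"""Policy check over `cosign verify ... | jq` output for images signed from
GitHub Actions.  Added example; not part of the original post or of karmada."""
import json
import re

# Fulcio certificate extension OIDs (Sigstore spec).  These are the keys
# cosign prints under "optional" in its verify output.
OID_ISSUER = "1.3.6.1.4.1.57264.1.1"
OID_TRIGGER = "1.3.6.1.4.1.57264.1.2"
OID_SHA = "1.3.6.1.4.1.57264.1.3"
OID_WORKFLOW_NAME = "1.3.6.1.4.1.57264.1.4"
OID_REPOSITORY = "1.3.6.1.4.1.57264.1.5"
OID_REF = "1.3.6.1.4.1.57264.1.6"

GITHUB_ISSUER = "https://token.actions.githubusercontent.com"

# Constructed sample: trimmed from the successful verification shown above
# (Bundle/Payload omitted; cosign has already checked those before printing).
SAMPLE_OUTPUT = json.dumps([{
    "critical": {
        "identity": {"docker-reference": "index.docker.io/karmada/karmada-aggregated-apiserver"},
        "image": {"docker-manifest-digest": "sha256:c6d85e111e1ca4da234e87fb48f8ff170c918a0e6893d9ac9e888a4e7cc0056f"},
        "type": "cosign container image signature",
    },
    "optional": {
        OID_ISSUER: GITHUB_ISSUER,
        OID_TRIGGER: "push",
        OID_SHA: "e5277b6317ac1a4717f5fac4057caf51a5d248fc",
        OID_WORKFLOW_NAME: "latest image to DockerHub",
        OID_REPOSITORY: "karmada-io/karmada",
        OID_REF: "refs/heads/master",
    },
}])


class PolicyError(Exception):
    """Raised when a signature passed cosign but not the local release policy."""


def check_signatures(verify_output, repository, allowed_refs, allowed_triggers=("push",)):
    """Return the set of manifest digests covered by policy-conforming signatures.

    verify_output:    JSON text cosign prints on success (a list of signatures).
    repository:       expected GitHub "owner/repo" of the signing workflow.
    allowed_refs:     regexps; the workflow's git ref must fully match one of them.
    allowed_triggers: GitHub event names the workflow may have been started by
                      (assumed policy: only "push" builds are release builds).
    """
    sigs = json.loads(verify_output)
    if not sigs:
        raise PolicyError("no signatures in cosign output")
    digests = set()
    for sig in sigs:
        claims = sig.get("optional") or {}
        digest = sig["critical"]["image"]["docker-manifest-digest"]
        if claims.get(OID_ISSUER) != GITHUB_ISSUER:
            raise PolicyError(f"{digest}: unexpected OIDC issuer {claims.get(OID_ISSUER)!r}")
        if claims.get(OID_REPOSITORY) != repository:
            raise PolicyError(f"{digest}: signed from {claims.get(OID_REPOSITORY)!r}, want {repository!r}")
        ref = claims.get(OID_REF, "")
        if not any(re.fullmatch(p, ref) for p in allowed_refs):
            raise PolicyError(f"{digest}: ref {ref!r} is not an allowed release ref")
        if claims.get(OID_TRIGGER) not in allowed_triggers:
            raise PolicyError(f"{digest}: workflow trigger {claims.get(OID_TRIGGER)!r} not allowed")
        if not re.fullmatch(r"[0-9a-f]{40}", claims.get(OID_SHA, "")):
            raise PolicyError(f"{digest}: missing or malformed workflow commit SHA")
        digests.add(digest)
    return digests


def pinned_reference(verify_output, repository, allowed_refs):
    """Turn a verified mutable tag (e.g. :latest) into an immutable image@digest."""
    digests = check_signatures(verify_output, repository, allowed_refs)
    if len(digests) != 1:
        raise PolicyError(f"expected exactly one manifest digest, got {sorted(digests)}")
    sig = json.loads(verify_output)[0]
    return f'{sig["critical"]["identity"]["docker-reference"]}@{digests.pop()}'


if __name__ == "__main__":
    # Assumed release policy: master builds and semver tags only.
    release_refs = [r"refs/heads/master", r"refs/tags/v\d+\.\d+\.\d+"]
    print(pinned_reference(SAMPLE_OUTPUT, "karmada-io/karmada", release_refs))
```

In a pipeline, feed the real output of cosign verify into check_signatures and deploy the returned image@digest reference rather than the tag; the same claims could instead be pinned at verification time by tightening --certificate-identity-regexp to a specific workflow file and ref, as argo-CD does.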

5. Local installation and debugging

1. npm installation

Follow the documentation:

6. Troubleshooting

npm ERR code EMISSINGARG

Summary of fixes for "npm ERR! Unexpected end of JSON input while parsing near"

7. References

cosign website

k8s image verification

argo-cd image verification

fluxcd image verification
