Verifying image signature


Jeremy Cowan

Sep 9, 2021, 2:35:07 PM
to kubernetes-sig-security
Hi there, I'm new to SIG-Security and I apologize in advance if this is not the right forum for this post. I was curious if the community had a strong opinion about where the verification of image signatures should occur. For example, should it be implemented by the kubelet, or should it be implemented by an admission controller like OPA/Gatekeeper or a purpose-built admission controller like Connoisseur? I found one example, https://github.com/developer-guy/container-image-sign-and-verify-with-cosign-and-opa, of OPA/Gatekeeper with Cosign. It uses the HTTP send method to send the image URI to a wrapper service for Cosign, which returns whether the signature is valid. Do you think this pattern will prevail, or is there a better way to do this?
-Jeremy
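An added example (not code from the original post or from the linked repository) of the admission-controller side of the pattern Jeremy describes, in Python: a validating-webhook handler that collects every image a Pod would pull and asks a pluggable verifier, standing in for the Cosign wrapper service, before allowing or denying the request. The verifier callable, the trusted digest and the sample AdmissionReview body are constructed here; TLS serving and the real Cosign call are assumed to live outside this snippet.

```python
import json
from typing import Callable, Dict, List

# Stand-in for the Cosign wrapper service the OPA/Gatekeeper example reaches via
# http.send (hypothetical signature: image reference -> True if a valid signature exists).
Verifier = Callable[[str], bool]

def pod_images(pod: Dict) -> List[str]:
    """Every image a Pod would pull, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    images: List[str] = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []):
            image = container.get("image")
            if image and image not in images:
                images.append(image)
    return images

def review(admission_review: Dict, verify: Verifier) -> Dict:
    """Decide a Pod AdmissionReview: allow only if every image verifies."""
    request = admission_review["request"]
    failed = [img for img in pod_images(request["object"]) if not verify(img)]
    response: Dict = {"uid": request["uid"], "allowed": not failed}
    if failed:
        # Denying at admission surfaces the problem at apply time instead of as
        # a container the kubelet refuses to start, as Hector's reply points out.
        response["status"] = {"code": 403,
                              "message": "signature verification failed: " + ", ".join(failed)}
    return {"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
            "response": response}

def handle(body: str, verify: Verifier) -> str:
    """HTTP glue: raw JSON request body in, JSON AdmissionReview response out."""
    return json.dumps(review(json.loads(body), verify))

# Constructed sample data: one trusted digest plays the role of a validly signed image.
TRUSTED_DIGEST = "registry.example/app@sha256:" + "0" * 64  # placeholder digest
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "00000000-0000-0000-0000-000000000000",
                "object": {"kind": "Pod", "spec": {
                    "initContainers": [{"name": "init", "image": TRUSTED_DIGEST}],
                    "containers": [{"name": "web", "image": "registry.example/web:latest"}]}}}}
SAMPLE_BODY = json.dumps(SAMPLE_REVIEW)

def sample_verify(image: str) -> bool:
    return image == TRUSTED_DIGEST
```

With `sample_verify`, the sample Pod is denied because its `web` container references an untrusted tag, and the denial message names that image so the person applying the manifest sees it immediately.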

Hector Fernandez

Sep 24, 2021, 3:05:03 PM
to kubernetes-sig-security
Hello,

The idea of having the image signature validation at kubelet level sounds good to reduce the latency when creating resources. However, the user experience would be affected.
The kubelet will report the failure once the Pod has already been created. If we identify the steps: the k8s API creates the pod, waits for the scheduler to allocate the pod, schedules that pod on a node, and finally the kubelet fails to create the container due to a wrong signature.
I'd personally recommend failing at an earlier stage.

Hector

Tabitha Sable

Sep 24, 2021, 3:34:30 PM
to kubernetes-sig-security

Heya, Jeremy,

I think this is a topic that would be of interest to many SIG Security folks, and could potentially turn into either a KEP or an open-source project if there's sufficient interest.

I'd recommend you bring it up in #sig-security on Kubernetes slack, or come to a meeting and share it with the group there.

Thanks for writing!

Tabitha