Securing Your Kubernetes Supply Chain with Sigstore and Cosign

Introduction

In the world of cloud-native development, the security of your software supply chain is paramount. A compromised container image can introduce vulnerabilities and backdoors into your production environment, leading to devastating consequences. This post provides a practical tutorial on how to secure your Kubernetes supply chain by signing and verifying container images using Sigstore and Cosign.

The Challenge of Container Image Security

Container images are the building blocks of modern applications, but they also present a significant security challenge. How can you be sure that the image you are deploying to your Kubernetes cluster is the same one that was built by your CI/CD pipeline? How can you verify that it hasn’t been tampered with or replaced by a malicious actor?

This is where image signing comes in. By cryptographically signing your container images, you can create a verifiable chain of custody that ensures the integrity and authenticity of your software artifacts.

What is Sigstore?

Sigstore is an open-source project that aims to make it easy to sign and verify software artifacts. It provides a set of tools and services that simplify the process of generating, managing, and verifying cryptographic signatures. The key components of Sigstore are:

Fulcio: A free root certificate authority that issues short-lived certificates based on OpenID Connect (OIDC) identities. This allows you to sign artifacts without having to manage long-lived private keys.
Rekor: A transparency log that records all signing events. This provides a public, immutable record of who signed what and when.
Cosign: A command-line tool that makes it easy to sign and verify container images and other artifacts.

Signing a Container Image with Cosign

Let’s walk through the process of signing a container image with Cosign. First, you’ll need to install the Cosign CLI. Then, you can sign an image with a single command:

# Sign the container image
cosign sign my-registry/my-image:latest

When you run this command, Cosign will:

Prompt you to authenticate with your OIDC provider (e.g., Google, GitHub, Microsoft).
Generate a key pair and a short-lived certificate from Fulcio.
Sign the container image and push the signature to the OCI registry.
Record the signing event in the Rekor transparency log.

The signature is stored in the same registry as the image, with a tag derived from the image’s digest.

Verifying a Container Image with Cosign

Once an image is signed, you can verify its signature using the cosign verify command:

# Verify the container image
cosign verify my-registry/my-image:latest

Cosign will fetch the signature and the certificate from the registry, and then check the transparency log to ensure that the signing event is present. If the signature is valid and the certificate is trusted, the command will exit with a zero status code.

Enforcing Image Verification in Kubernetes

To enforce that only signed and verified images are deployed to your Kubernetes cluster, you can use a policy engine like Kyverno or OPA Gatekeeper. These tools can be configured to intercept all pod creation requests and check for a valid Cosign signature.

Example: Kyverno Policy

Here’s an example of a Kyverno policy that enforces image verification:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: check-image-signature
spec:
  validationFailureAction: enforce
  rules:
    - name: check-image
      match:
        resources:
          kinds:
            - Pod
      verifyImages:
        - image: "my-registry/my-image:*"
          key: |
            -----BEGIN PUBLIC KEY-----
            MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...
            -----END PUBLIC KEY-----

This policy will ensure that any pod that uses an image from my-registry/my-image has a valid signature from the specified public key.

Conclusion

Securing your software supply chain is a critical aspect of modern DevSecOps. By using Sigstore and Cosign to sign and verify your container images, you can significantly improve the security posture of your Kubernetes environment. The tools are easy to use and integrate seamlessly with existing CI/CD pipelines and Kubernetes admission controllers. Start signing your images today and build a more secure future for your cloud-native applications.