provisioned-infrastructure.md
Provisioned resources

The following resources are provisioned and configured for this walkthrough:

In Azure:

  • Resource Group
    • Azure Container Registry (ACR)
      • SKU: Standard
    • Azure Kubernetes Service (AKS)
      • OIDC issuer enabled
      • Workload Identity enabled
      • Tier: Free
      • Gatekeeper installed via Helm
      • Ratify installed via Helm
      • The kubelet identity is granted access to ACR
    • Azure Key Vault
      • RBAC enabled
      • SKU: Standard
      • Contains one X.509 certificate used by Notation for signing. Further details can be found here

In Microsoft Entra ID (formerly known as Azure AD):

  • An app registration + service principal
    • The app registration is the identity the chosen pipeline authenticates as; it is used to grant the pipeline the access and permissions it needs
    • The service principal is an owner of the resource group and has crypto and secrets permissions for the provisioned Key Vault
  • A user-assigned managed identity for use by Ratify
    • Federated credentials are established for use by AKS workload identity
    • The managed identity is granted access to ACR

Diagram (image not included here; description follows): A resource group containing the icons for AKS, ACR and Key Vault. An app registration in Microsoft Entra ID. A line from the app registration to the resource group labeled "owner" to indicate ownership of the resource group by the underlying service principal. A second line from the app registration to Key Vault labeled "crypto and secrets permissions" to indicate the assigned roles granted to enable Notation to sign artifacts within the pipeline.

Diagram (image not included here; description follows): A box labeled AKS with the icons for Gatekeeper, Ratify, AKS workload identity and the Kubernetes kubelet. Both Ratify and Gatekeeper are installed on the cluster. The Ratify icon has a dashed line to the icon for AKS workload identity, which itself has a line to the user-assigned managed identity within Microsoft Entra ID. This indicates how workload identity enables the Ratify workload to impersonate the user-assigned managed identity. The icon for the kubelet has a line connecting to ACR labeled "pull permissions", which allows images to be pulled from the private registry into the AKS cluster. The user-assigned managed identity icon also has a line connecting to ACR labeled "pull permissions" to allow Ratify to retrieve artifacts from the private registry.
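As an added example that is not part of the walkthrough's own files, the Bicep template below provisions the Azure-side resources listed above: the Standard-SKU ACR, the Free-tier AKS cluster with OIDC issuer and workload identity enabled, the RBAC-enabled Key Vault, the user-assigned managed identity for Ratify with its federated credential, and the role assignments (kubelet and Ratify identity get AcrPull on the registry; the pipeline's service principal gets Owner on the resource group and Key Vault roles). Resource names, the node VM size, the Ratify namespace and service account names, the `pipelinePrincipalId` parameter, and the choice of "Key Vault Crypto User" plus "Key Vault Secrets User" to represent the page's "crypto and secrets permissions" are all assumptions. The app registration itself, the Helm installs of Gatekeeper and Ratify, and the Notation certificate are created separately and are not covered here.

```bicep
// Added example (not from the walkthrough): Azure-side resources for the Notation/Ratify setup.
// Resource names, VM size, and the Ratify namespace/service account are assumptions.
targetScope = 'resourceGroup'

param location string = resourceGroup().location
param acrName string = 'walkthroughacr'             // assumed; must be globally unique
param aksName string = 'walkthrough-aks'            // assumed
param kvName string = 'walkthrough-kv'              // assumed; must be globally unique
param ratifyIdentityName string = 'ratify-identity' // assumed
param ratifyNamespace string = 'gatekeeper-system'  // assumed; must match where Ratify is installed
param ratifyServiceAccount string = 'ratify-admin'  // assumed; must match Ratify's service account
param pipelinePrincipalId string                    // object ID of the pipeline app's service principal

// Azure built-in role definitions, resolved to full resource IDs.
var roleDefs = 'Microsoft.Authorization/roleDefinitions'
var acrPullRole = subscriptionResourceId(roleDefs, '7f951dda-4ed3-4680-a7ca-43fe172d538d')       // AcrPull
var ownerRole = subscriptionResourceId(roleDefs, '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')         // Owner
var kvCryptoUserRole = subscriptionResourceId(roleDefs, '12338af0-0e69-4776-bea7-57ae8d297424')  // Key Vault Crypto User
var kvSecretsUserRole = subscriptionResourceId(roleDefs, '4633458b-17de-408a-b874-0445c86b69e6') // Key Vault Secrets User

resource acr 'Microsoft.ContainerRegistry/registries@2023-07-01' = {
  name: acrName
  location: location
  sku: { name: 'Standard' }
  properties: { adminUserEnabled: false } // identities pull via RBAC; no shared admin credential
}

resource aks 'Microsoft.ContainerService/managedClusters@2023-10-01' = {
  name: aksName
  location: location
  sku: { name: 'Base', tier: 'Free' }
  identity: { type: 'SystemAssigned' }
  properties: {
    dnsPrefix: aksName
    agentPoolProfiles: [ { name: 'system', mode: 'System', count: 1, vmSize: 'Standard_DS2_v2', osType: 'Linux' } ]
    oidcIssuerProfile: { enabled: true }                     // cluster publishes an OIDC issuer for service account tokens
    securityProfile: { workloadIdentity: { enabled: true } } // webhook that projects those tokens into labelled pods
  }
}

// The kubelet identity pulls images from the private registry.
resource kubeletAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, aks.id, acrPullRole)
  scope: acr
  properties: { roleDefinitionId: acrPullRole, principalId: aks.properties.identityProfile.kubeletidentity.objectId, principalType: 'ServicePrincipal' }
}

resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true // Azure RBAC roles, not access policies, gate keys and secrets
  }
}

// Identity that Ratify assumes through workload identity.
resource ratifyIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: ratifyIdentityName
  location: location
}

// Trust tokens from this cluster's issuer, for exactly one service account.
resource ratifyFederatedCred 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
  parent: ratifyIdentity
  name: 'aks-workload-identity'
  properties: {
    issuer: aks.properties.oidcIssuerProfile.issuerURL
    subject: 'system:serviceaccount:${ratifyNamespace}:${ratifyServiceAccount}'
    audiences: [ 'api://AzureADTokenExchange' ]
  }
}

// Ratify needs pull access only, to read signatures and referrers from the registry.
resource ratifyAcrPull 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(acr.id, ratifyIdentity.id, acrPullRole)
  scope: acr
  properties: { roleDefinitionId: acrPullRole, principalId: ratifyIdentity.properties.principalId, principalType: 'ServicePrincipal' }
}

// Pipeline service principal: Owner of the resource group (as in the walkthrough) plus Key Vault sign/read roles.
resource pipelineOwner 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, pipelinePrincipalId, ownerRole)
  properties: { roleDefinitionId: ownerRole, principalId: pipelinePrincipalId, principalType: 'ServicePrincipal' }
}

resource pipelineKvAccess 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for role in [kvCryptoUserRole, kvSecretsUserRole]: {
  name: guid(kv.id, pipelinePrincipalId, role)
  scope: kv
  properties: { roleDefinitionId: role, principalId: pipelinePrincipalId, principalType: 'ServicePrincipal' }
}]

output oidcIssuerUrl string = aks.properties.oidcIssuerProfile.issuerURL
output ratifyClientId string = ratifyIdentity.properties.clientId // the client ID Ratify's workload identity config needs
```

Deploy it into an existing resource group with `az deployment group create --resource-group <rg> --template-file provisioned-infrastructure.bicep --parameters pipelinePrincipalId=<objectId>`. Two details matter for the trust relationships the diagram above shows: the federated credential's `subject` must match exactly the namespace and service account Ratify runs as, or the token exchange against the managed identity fails; and Ratify's identity holds AcrPull only, so a compromise of the verifier pod yields read access to the registry and nothing in Key Vault or the resource group. Owner on the resource group for the pipeline principal reproduces the walkthrough's setup; in production, scope that down to the roles the pipeline actually exercises.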