Integrity Verifier (IV) can be deployed with its operator. The `IntegrityVerifier` custom resource (CR) defines the configuration of IV.
Integrity Verifier supports two modes of signature verification:
- `pgp`: uses a GPG key for signing; no certificate is involved.
- `x509`: uses a signing key with an X.509 public key certificate.
Set `spec.verifierConfig.verifyType` to either `pgp` (default) or `x509`, as in the example below.
```yaml
apiVersion: apis.integrityverifier.io/v1alpha1
kind: IntegrityVerifier
metadata:
  name: integrity-verifier-server
spec:
  verifierConfig:
    verifyType: pgp
```
The verification key secrets are listed under `spec.keyRingConfigs` in this CR; each `name` is the name of a Secret holding a key ring. The operator starts installing Integrity Verifier only once all key secrets listed here are ready.
You can also set the SignPolicy here. This policy defines which signers are allowed to create or update resources with their signature in which namespaces (see How to configure SignPolicy for details). A signer entry's `secret` must refer to one of the key rings listed in `keyRingConfigs`.
```yaml
spec:
  keyRingConfigs:
  - name: keyring-secret
  signPolicy:
    policies:
    - namespaces:
      - "*"
      signers:
      - "SampleSigner"
    - scope: "Cluster"
      signers:
      - "SampleSigner"
    signers:
    - name: "SampleSigner"
      secret: keyring-secret
      subjects:
      - email: "[email protected]"
```
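To make the SignPolicy semantics concrete, here is a small model of how the `policies` and `signers` lists above combine to decide whether a given signer subject may change a resource in a given namespace, and which key secrets the policy depends on. This is an added illustration written for this page, not the Integrity Verifier project's own evaluation code. It assumes that `namespaces` entries are matched as globs (fnmatch semantics), that `scope: "Cluster"` policies apply only to cluster-scoped resources, and it uses constructed sample signers and e-mail addresses (a second `DevSigner` entry and a `dev-*` policy are added to show the namespace split).

```python
"""Simplified model of SignPolicy evaluation (added example, not IV code)."""
from fnmatch import fnmatchcase

# Constructed sample policy. The SampleSigner entry mirrors the CR fragment
# above; DevSigner and the "dev-*" policy are assumptions added for contrast.
SIGN_POLICY = {
    "policies": [
        {"namespaces": ["secure-ns"], "signers": ["SampleSigner"]},
        {"namespaces": ["dev-*"], "signers": ["DevSigner"]},
        {"scope": "Cluster", "signers": ["SampleSigner"]},
    ],
    "signers": [
        {"name": "SampleSigner", "secret": "keyring-secret",
         "subjects": [{"email": "signer@example.com"}]},
        {"name": "DevSigner", "secret": "dev-keyring",
         "subjects": [{"email": "dev@example.com"}]},
    ],
}


def signer_names_for(policy, email):
    """Names of signer entries whose subjects include `email`."""
    return {
        s["name"]
        for s in policy.get("signers", [])
        if any(sub.get("email") == email for sub in s.get("subjects", []))
    }


def _namespace_matches(namespace, patterns):
    return any(fnmatchcase(namespace, p) for p in patterns)


def signer_allowed(policy, email, namespace):
    """True if a valid signature by `email` authorises a change in `namespace`.

    `namespace` is None for a cluster-scoped resource; such requests are
    matched only by policies with `scope: "Cluster"` (assumed semantics).
    Namespaced requests are matched only by the `namespaces` glob lists.
    """
    names = signer_names_for(policy, email)
    if not names:
        return False  # unknown subject: no signer entry grants it
    for rule in policy.get("policies", []):
        allowed = set(rule.get("signers", []))
        if not (names & allowed):
            continue
        if namespace is None:
            if rule.get("scope") == "Cluster":
                return True
        elif _namespace_matches(namespace, rule.get("namespaces", [])):
            return True
    return False


def policy_secrets(policy):
    """Key secrets the policy depends on; each must appear in keyRingConfigs."""
    return sorted({s["secret"] for s in policy.get("signers", [])})
```

Note that a subject with no matching `signers` entry is never allowed, regardless of how permissive the `policies` list is: the e-mail in `subjects` is what ties a verified signature to a named signer.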
You can define one or more ResourceSigningProfiles (RSPs) to be installed by the operator. None are configured by default (see How to configure ResourceSigningProfile for details).
```yaml
spec:
  resourceSigningProfiles:
  - name: sample-rsp
    targetNamespaceSelector:
      include:
      - "secure-ns"
    protectRules:
    - match:
      - kind: "ConfigMap"
        name: "*"
```
You can define which namespaces Integrity Verifier does not check at all, even if a ResourceSigningProfile targets them. The wildcard `"*"` can be used in this selector. By default, Integrity Verifier checks RSPs in all namespaces except those matching `kube-*` and `openshift-*`.
```yaml
spec:
  inScopeNamespaceSelector:
    include:
    - "*"
    exclude:
    - "kube-*"
    - "openshift-*"
```
Some resources are not relevant to signature-based protection by Integrity Verifier.
The resource kinds listed under `ignore` are not processed by the IV admission controller at all (the request is always allowed). Because an ignored kind receives no verification anywhere in the cluster, keep this list to the high-churn, non-sensitive kinds shown below.
```yaml
spec:
  verifierConfig:
    ignore:
    - kind: Event
    - kind: Lease
    - kind: Endpoints
    - kind: TokenReview
    - kind: SubjectAccessReview
    - kind: SelfSubjectAccessReview
```
You can set the run mode. Two modes are available, and `enforce` is used unless specified. In `detect` mode every admission request is allowed, but signature verification is still performed and its result logged for all protected resources; this is useful for rolling out profiles, but it provides no protection until you switch back to `enforce`.
```yaml
spec:
  verifierConfig:
    mode: "detect"
```
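The three settings above (`inScopeNamespaceSelector`, `ignore` and `mode`) together with the RSP's `targetNamespaceSelector` and `protectRules` determine what the admission controller actually verifies. The following model, an added example written for this page and not the project's own admission logic, walks one namespaced admission request through those checks in the order a practitioner would expect. Assumed semantics: selectors and `protectRules` patterns are matched as globs (fnmatch), a namespace is in scope when it matches an `include` pattern and no `exclude` pattern, and `signature_valid` stands in for the outcome of the real PGP/X.509 check. The spec is a constructed dict mirroring the YAML fragments in this document.

```python
"""Simplified model of IV admission scoping (added example, not IV code)."""
from fnmatch import fnmatchcase

# Constructed spec assembled from the fragments shown in this document.
SPEC = {
    "inScopeNamespaceSelector": {
        "include": ["*"],
        "exclude": ["kube-*", "openshift-*"],
    },
    "verifierConfig": {
        "mode": "enforce",
        "ignore": [{"kind": k} for k in (
            "Event", "Lease", "Endpoints", "TokenReview",
            "SubjectAccessReview", "SelfSubjectAccessReview")],
    },
    "resourceSigningProfiles": [
        {"name": "sample-rsp",
         "targetNamespaceSelector": {"include": ["secure-ns"]},
         "protectRules": [{"match": [{"kind": "ConfigMap", "name": "*"}]}]},
    ],
}


def _glob_any(value, patterns):
    return any(fnmatchcase(value, p) for p in patterns)


def namespace_in_scope(spec, namespace):
    """inScopeNamespaceSelector: included and not excluded (assumed semantics)."""
    sel = spec.get("inScopeNamespaceSelector", {})
    return (_glob_any(namespace, sel.get("include", ["*"]))
            and not _glob_any(namespace, sel.get("exclude", [])))


def protecting_rsp(spec, kind, name, namespace):
    """Name of the first RSP whose target namespaces and protectRules cover
    this resource, or None if nothing protects it."""
    for rsp in spec.get("resourceSigningProfiles", []):
        tsel = rsp.get("targetNamespaceSelector", {})
        if not _glob_any(namespace, tsel.get("include", ["*"])):
            continue
        if _glob_any(namespace, tsel.get("exclude", [])):
            continue
        for rule in rsp.get("protectRules", []):
            for m in rule.get("match", []):
                if (fnmatchcase(kind, m.get("kind", "*"))
                        and fnmatchcase(name, m.get("name", "*"))):
                    return rsp["name"]
    return None


def admit(spec, kind, name, namespace, signature_valid):
    """Return (allowed, reason) for one namespaced admission request."""
    cfg = spec.get("verifierConfig", {})
    if any(kind == entry.get("kind") for entry in cfg.get("ignore", [])):
        return True, "ignored kind"
    if not namespace_in_scope(spec, namespace):
        return True, "namespace out of scope"
    rsp = protecting_rsp(spec, kind, name, namespace)
    if rsp is None:
        return True, "not protected by any RSP"
    if signature_valid:
        return True, f"valid signature ({rsp})"
    if cfg.get("mode", "enforce") == "detect":
        # detect mode: verification ran and failed, but the request goes through
        return True, f"detect mode: invalid signature logged ({rsp})"
    return False, f"invalid signature ({rsp})"


def with_mode(spec, mode):
    """Copy of `spec` with verifierConfig.mode replaced, e.g. for a detect rollout."""
    new = dict(spec)
    new["verifierConfig"] = dict(spec.get("verifierConfig", {}), mode=mode)
    return new
```

The order of the checks is the point: an ignored kind or an out-of-scope namespace short-circuits before any RSP is consulted, so an over-broad `ignore` entry or `exclude` pattern silently removes resources from protection even when an RSP names them.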
Specify the user groups treated as IV admins as a comma-separated string, as in the following example. This value is empty by default.
```yaml
spec:
  verifierConfig:
    ivAdminUserGroup: "system:masters,system:cluster-admins"
```
You can also define the IV admin subjects. The IV admin role is created automatically during installation when `autoIVAdminRoleCreationDisabled` is `false` (the default).
```yaml
spec:
  security:
    ivAdminSubjects:
    - apiGroup: rbac.authorization.k8s.io
      kind: Group
      name: system:masters
    autoIVAdminRoleCreationDisabled: false
```
The console log is the stdout logging of the IV server; the context log records admission control results. Both are enabled by default. For each log you can specify the namespaces in scope: `'*'` is a wildcard, and `'-'` is the empty string, which denotes cluster-scoped resources.
```yaml
spec:
  verifierConfig:
    log:
      consoleLog:
        enabled: true
        inScope:
        - namespace: '*'
        - namespace: '-'
      contextLog:
        enabled: true
        inScope:
        - namespace: '*'
        - namespace: '-'
      logLevel: info
```