Skip to content

Commit

Permalink
Merge pull request #624 from ooq/fix-signer-tutorial
Browse files Browse the repository at this point in the history
Update signer tutorials
  • Loading branch information
ooq authored Oct 20, 2022
2 parents d8d79aa + 2a8c40f commit 3348562
Show file tree
Hide file tree
Showing 15 changed files with 90 additions and 81 deletions.
61 changes: 36 additions & 25 deletions docs/signer.md
Original file line number Diff line number Diff line change
Expand Up @@ -218,10 +218,10 @@ First we need to pick a GCP project and enable those services within the project

6. Create vulnerability signing policy.

An example policy is in the samples.
We have two example policies, `policy-strict.yaml` and `policy-loose.yaml`. They differ in that `policy-loose.yaml` has higher severity thresholds.

```shell
cat samples/signer/policy.yaml
cat samples/signer/policy-strict.yaml
apiVersion: kritis.grafeas.io/v1beta1
kind: VulnzSigningPolicy
Expand All @@ -233,33 +233,44 @@ First we need to pick a GCP project and enable those services within the project
maximumUnfixableSeverity: MEDIUM
allowlistCVEs:
- projects/goog-vulnz/notes/CVE-2020-10543
- projects/goog-vulnz/notes/CVE-2020-10878
- projects/goog-vulnz/notes/CVE-2020-14155
cat samples/signer/policy-loose.yaml
apiVersion: kritis.grafeas.io/v1beta1
kind: VulnzSigningPolicy
metadata:
name: my-vsp
spec:
imageVulnerabilityRequirements:
maximumFixableSeverity: CRITICAL
maximumUnfixableSeverity: CRITICAL
allowlistCVEs:
- projects/goog-vulnz/notes/CVE-2020-10543
```

7. Run signer on a built image (pass example).

1. Build and push an example good image.
1. Build and push an example image.

```shell
docker build -t gcr.io/$PROJECT_ID/signer-test:good -f samples/signer/Dockerfile.good .
docker push gcr.io/$PROJECT_ID/signer-test:good
docker build -t gcr.io/$PROJECT_ID/signer-test:example -f samples/signer/Dockerfile .
docker push gcr.io/$PROJECT_ID/signer-test:example
```

2. Note down the image digest url.

```shell
export GOOD_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:good --format '{{index .RepoDigests 0}}')
export EXAMPLE_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:example --format '{{index .RepoDigests 0}}')
```

3. Run the signer.
3. Run the signer with a loose policy.

```shell
./signer \
-v=10 \
-alsologtostderr \
-image=$GOOD_IMG_URL \
-policy=samples/signer/policy.yaml \
-image=$EXAMPLE_IMG_URL \
-policy=samples/signer/policy-loose.yaml \
-kms_key_name=$KMS_KEY_NAME \
-kms_digest_alg=$KMS_DIGEST_ALG \
-note_name=$NOTE_NAME
Expand All @@ -276,44 +287,44 @@ First we need to pick a GCP project and enable those services within the project
-mode=check-only \
-v=10 \
-alsologtostderr \
-image=$GOOD_IMG_URL \
-policy=samples/signer/policy.yaml \
-image=$EXAMPLE_IMG_URL \
-policy=samples/signer/policy-loose.yaml \
```

```shell
./signer \
-mode=bypass-and-sign \
-v=10 \
-alsologtostderr \
-image=$GOOD_IMG_URL \
-image=$EXAMPLE_IMG_URL \
-kms_key_name=$KMS_KEY_NAME \
-kms_digest_alg=$KMS_DIGEST_ALG \
-note_name=$NOTE_NAME
```

8. Run signer on a built image (fail example).

1. Build and push an example good image.
1. Build and push an example image (skippable if image from Step.7 is not deleted).

```shell
docker build -t gcr.io/$PROJECT_ID/signer-test:bad -f samples/signer/Dockerfile.bad .
docker push gcr.io/$PROJECT_ID/signer-test:bad
docker build -t gcr.io/$PROJECT_ID/signer-test:example -f samples/signer/Dockerfile .
docker push gcr.io/$PROJECT_ID/signer-test:example
```

2. Note down the image digest url.

```shell
export BAD_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:bad --format '{{index .RepoDigests 0}}')
export EXAMPLE_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:example --format '{{index .RepoDigests 0}}')
```

3. Run the signer.
3. Run the signer with a strict policy.

```shell
./signer \
-v=10 \
-alsologtostderr \
-image=$BAD_IMG_URL \
-policy=samples/signer/policy.yaml \
-image=$EXAMPLE_IMG_URL \
-policy=samples/signer/policy-strict.yaml \
-kms_key_name=$KMS_KEY_NAME \
-kms_digest_alg=$KMS_DIGEST_ALG \
-note_name=$NOTE_NAME
Expand All @@ -330,20 +341,20 @@ First we need to pick a GCP project and enable those services within the project
-mode=check-only \
-v=10 \
-alsologtostderr \
-image=$BAD_IMG_URL \
-policy=samples/signer/policy.yaml \
-image=$EXAMPLE_IMG_URL \
-policy=samples/signer/policy-strict.yaml \
```

```shell
./signer \
-mode=bypass-and-sign \
-v=10 \
-alsologtostderr \
-image=$BAD_IMG_URL \
-image=$EXAMPLE_IMG_URL \
-kms_key_name=$KMS_KEY_NAME \
-kms_digest_alg=$KMS_DIGEST_ALG \
-note_name=$NOTE_NAME
```

With `bypass-and-sign` mode, an attestation will also be created for the bad image.
With `bypass-and-sign` mode, an attestation will still be created for the image.

File renamed without changes.
5 changes: 0 additions & 5 deletions samples/policy-check/Dockerfile.bad

This file was deleted.

8 changes: 4 additions & 4 deletions samples/policy-check/cloudbuild-bad.yaml
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# Cloudbuild pipeline for a build with an image
# that passes the vuln policy
# that does not pass the vuln policy
steps:
# Build a 'bad' image
# Build a test image
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
args:
- -c
- |
docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.bad .
docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile .
id: build
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
Expand All @@ -27,7 +27,7 @@ steps:
-v=10 \
-alsologtostderr \
-image=$(/bin/cat image-digest.txt) \
-policy=policy.yaml \
-policy=policy-strict.yaml \
-mode=check-only
waitFor: push
id: vulnsign
Expand Down
6 changes: 3 additions & 3 deletions samples/policy-check/cloudbuild-good.yaml
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# Cloudbuild pipeline for a build with an image
# that passes the vuln policy
steps:
# Build a 'good' image
# Build a test image
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
args:
- -c
- |
docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.good .
docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile .
id: build
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
Expand All @@ -27,7 +27,7 @@ steps:
-v=10 \
-alsologtostderr \
-image=$(/bin/cat image-digest.txt) \
-policy=policy.yaml \
-policy=policy-loose.yaml \
-mode=check-only
waitFor: push
id: vulnsign
Expand Down
10 changes: 10 additions & 0 deletions samples/policy-check/policy-loose.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: kritis.grafeas.io/v1beta1
kind: VulnzSigningPolicy
metadata:
name: my-vsp
spec:
imageVulnerabilityRequirements:
maximumFixableSeverity: CRITICAL
maximumUnfixableSeverity: CRITICAL
allowlistCVEs:
- projects/goog-vulnz/notes/CVE-2021-20305
10 changes: 10 additions & 0 deletions samples/policy-check/policy-strict.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: kritis.grafeas.io/v1beta1
kind: VulnzSigningPolicy
metadata:
name: my-vsp
spec:
imageVulnerabilityRequirements:
maximumFixableSeverity: MEDIUM
maximumUnfixableSeverity: MEDIUM
allowlistCVEs:
- projects/goog-vulnz/notes/CVE-2021-20305
16 changes: 0 additions & 16 deletions samples/policy-check/policy.yaml

This file was deleted.

File renamed without changes.
5 changes: 0 additions & 5 deletions samples/signer/Dockerfile.bad

This file was deleted.

8 changes: 4 additions & 4 deletions samples/signer/cloudbuild-bad.yaml
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# Cloudbuild pipeline for a build with an image
# that passes the vuln policy
# that does not pass the vuln policy
steps:
# Build a 'bad' image
# Build a test image
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
args:
- -c
- |
docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.bad .
docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile .
id: build
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
Expand All @@ -27,7 +27,7 @@ steps:
-v=10 \
-alsologtostderr \
-image=$(/bin/cat image-digest.txt) \
-policy=policy.yaml \
-policy=policy-strict.yaml \
-kms_key_name=${_KMS_KEY_NAME} \
-kms_digest_alg=${_KMS_DIGEST_ALG} \
-note_name=${_NOTE_NAME}
Expand Down
6 changes: 3 additions & 3 deletions samples/signer/cloudbuild-good.yaml
Original file line number Diff line number Diff line change
@@ -1,13 +1,13 @@
# Cloudbuild pipeline for a build with an image
# that passes the vuln policy
steps:
# Build a 'good' image
# Build a test image
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
args:
- -c
- |
docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.good .
docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile .
id: build
- name: gcr.io/cloud-builders/docker
entrypoint: /bin/bash
Expand All @@ -27,7 +27,7 @@ steps:
-v=10 \
-alsologtostderr \
-image=$(/bin/cat image-digest.txt) \
-policy=policy.yaml \
-policy=policy-loose.yaml \
-kms_key_name=${_KMS_KEY_NAME} \
-kms_digest_alg=${_KMS_DIGEST_ALG} \
-note_name=${_NOTE_NAME}
Expand Down
10 changes: 10 additions & 0 deletions samples/signer/policy-loose.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: kritis.grafeas.io/v1beta1
kind: VulnzSigningPolicy
metadata:
name: my-vsp
spec:
imageVulnerabilityRequirements:
maximumFixableSeverity: CRITICAL
maximumUnfixableSeverity: CRITICAL
allowlistCVEs:
- projects/goog-vulnz/notes/CVE-2021-20305
10 changes: 10 additions & 0 deletions samples/signer/policy-strict.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
apiVersion: kritis.grafeas.io/v1beta1
kind: VulnzSigningPolicy
metadata:
name: my-vsp
spec:
imageVulnerabilityRequirements:
maximumFixableSeverity: MEDIUM
maximumUnfixableSeverity: MEDIUM
allowlistCVEs:
- projects/goog-vulnz/notes/CVE-2021-20305
16 changes: 0 additions & 16 deletions samples/signer/policy.yaml

This file was deleted.

0 comments on commit 3348562

Please sign in to comment.