add sigstore policy for k8s deprecated registry

[hectorj2f]

Issue #, if available:
closes #300
Description of changes:

Add a Sigstore image policy to reject any creation of Pods using the k8s deprecated registry.

I share some links where anyone can find more information to better understand the purpose of sigstore/policy-controller:

https://github.com/sigstore/policy-controller/blob/main/docs/api-types/index.md
https://docs.sigstore.dev/policy-controller/overview/
https://github.com/sigstore/helm-charts/tree/main/charts/policy-controller
https://blog.sigstore.dev/cosign-and-policy-controller-with-gke-artifact-registry-and-cloud-kms/

[hectorj2f]

I share the list of commands I used to validate your example. I feel we can add an additional README.md within the sigstore directory with this example, if you want:

helm install policy-controller -n cosign-system sigstore/policy-controller --devel --create-namespace
kubectl patch cm config-policy-controller -n cosign-system --type merge -p '{"data":{"no-match-policy":"warn"}}'
kubectl create ns policy-test
kubectl label ns policy-test policy.sigstore.dev/include=true
kubectl create example_pod.yaml
kubectl run --image=registry.k8s.io/pause:3.9 -n policy-test mytest

[jicowan]

Thanks @hectorj2f but my config-policy-controller was already set to warn. It was added when I installed the chart. See https://github.com/sigstore/helm-charts/blob/a5e67c104bb9bf0b51969f5b569a40489587c535/charts/policy-controller/templates/policy-webhook/configmap-policy-controller.yaml#L28.

[jimmyraywv]

@hectorj2f and @jicowan I have this working, I think. First, I had to opt the namespace into image policy processing with: policy.sigstore.dev/include: "true"

Then I used this test pod with 1 good and 1 bad container image:

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: policy-test
  labels:
    app: test
spec:
  containers:
    - name: test
      image: registry.k8s.io/pause:3.9
      imagePullPolicy: Always
    - name: test2
      image: k8s.gcr.io/pause:3.9
      imagePullPolicy: Always

Finally, I had to write two policies, 1 to warn, 1 to allow all others.

apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: deprecated-k8s-grc-io-registry
  annotations:
    title: Deprecated registry
    description: Warn of a registry deprecation
    learnMoreLink: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
spec:
  mode: warn # For warnings, use 'mode: warn'
  images:
  - glob: "k8s.gcr.io/**"
  authorities:
  - name: k8s-deprecated
    static:
      action: pass
  policy:
    type: rego
    data: |
      package sigstore
      isCompliant[response] {
        response := {
          "result" : true,
          "error" : "",
          "warning" : "This repo has been deprecated: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/"
        }
      }
---
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: allowed-registry
  annotations:
    title: Allow all
    description: Allow all
spec:
  mode: enforce # For warnings, use 'mode: warn'
  images:
  - glob: "*/**"
  authorities:
  - name: k8s-allowed
    static:
      action: pass
  policy:
    type: rego
    data: |
      package sigstore
      isCompliant[response] {
        response := {
          "result" : true,
          "error" : "",
          "warning" : ""
        }
      }

The outcome is:

k apply -f test/2-test-pod.yaml
Warning: failed policy: deprecated-k8s-grc-io-registry: spec.containers[1].image
Warning: k8s.gcr.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097 warning: This repo has been deprecated: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
pod/test-pod created

k get po
NAME       READY   STATUS    RESTARTS   AGE
test-pod   2/2     Running   0          7m37s

[hectorj2f]

@jimmyraywv Yes, that is another option. Otherwise you just need to patch the policy-controller configMap to allow images that do not match any policy, as mentioned above. So you don't need to create an additional policy to allow all the rest of images.

[jicowan]

@hectorj2f Yes, please remove the sample policy from the helm chart or comment it out with a '#' mark. It's confusing.

[jimmyraywv]

@hectorj2f that is already there.

apiVersion: v1
data:
  _example: |
    ################################
    #                              #
    #    EXAMPLE CONFIGURATION     #
    #                              #
    ################################
    no-match-policy: warn
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: policy-controller
    meta.helm.sh/release-namespace: cosign-system
  labels:
    app.kubernetes.io/managed-by: Helm
  name: config-policy-controller
  namespace: cosign-system

[hectorj2f]

@jimmyraywv No, it is the same mistake we faced with @jicowan :). The _example block is just a placeholder isn't taken into account. We'll fix it today because it is confusing.

[hectorj2f]

Just use my patch command and will work.

kubectl patch cm config-policy-controller -n cosign-system --type merge -p '{"data":{"no-match-policy":"warn"}}'

[jimmyraywv]

Ok, I have it working, as I think it is supposed to, without the secondary allow-all policy.

k apply -f test/2-test-pod.yaml
Warning: failed policy: deprecated-k8s-grc-io-registry: spec.containers[1].image
Warning: k8s.gcr.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097 warning: This repo has been deprecated: https://kubernetes.io/blog/2023/02/06/k8s-gcr-io-freeze-announcement/
Warning: no matching policies: spec.containers[0].image
Warning: registry.k8s.io/pause@sha256:7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097
pod/test-pod created

Yes, I think there needs to be a correction in your docs as this is very confusing. What's the default settings? Given my experience with other PaC engines, I would expect that namespaces are automatically included and must opt-out to be ignored. Secondly, I would expect that the no matching image-policy warning setting of no-match-policy: warn in the configmap was also a default setting.

If not, then at a minimum, the PR should address both of these to get policy-controller to a default level, similar to other PaC solutions, for this use case.

[hectorj2f]

@jimmyraywv Awesome 🎉 ! Thanks for your feedback 👏🏻.

I'll highlight these default settings in our documentation, some of these details are already present but might not be easy to find (e.g. https://docs.sigstore.dev/policy-controller/overview#admission-of-images, https://docs.sigstore.dev/policy-controller/overview#enable-policy-controller-admission-controller-for-namespaces).

Generally we decided to request users to set a label to enforce signed images to avoid any potential downtimes that could be caused by enforcing all the namespaces. Nowadays it is still very rare to see signed images on Kubernetes clusters, therefore if we apply this enforcement on all namespaces (by default), that might block users or the system itself to deploy any existing (rescheduled) or new pods.

I'll add the required steps to achieve the requested behavior from the policy-controller here. Would it be okay to add a new README or you prefer I include the steps in the main one ?

[jicowan]

Thanks for contributing to the best practices!

[hectorj2f]

Thanks @jicowan and @jimmyraywv for your reviews ❤️ !