https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/tags/policy-controller/Recent content in Policy-Controller onHugo -- gohugo.ioenCopyright (c) 2023 ChainguardWed, 12 Apr 2023 15:22:20 +0100https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/how-to-install-policy-controller/Tue, 21 Feb 2023 13:11:29 +0829https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/how-to-install-policy-controller/<p>The <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> is a Kubernetes <a href="https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/">admission controller</a> that can verify image signatures and policies. You can define policies using the <a href="https://cuelang.org/">CUE</a> or <a href="https://www.openpolicyagent.org/docs/latest/policy-language/">Rego</a> policy languages.</p> <p>This guide will demonstrate how to install the Policy Controller in your Kubernetes cluster and enable policy enforcement.</p> <h2 id="prerequisites" class="heading-2" data-heading-level="2"> <span class="heading-text">Prerequisites</span> <a href="#prerequisites" class="anchor" aria-label="Link to Prerequisites" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>To follow along with this guide, you will need the following:</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-non-default-capabilities-with-policy-controller/Thu, 02 Mar 2023 13:11:29 +0829https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-non-default-capabilities-with-policy-controller/<p>This guide demonstrates how to use the <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> to prevent running containers with extra capabilities. You will create a <code>ClusterImagePolicy</code> that uses the <a href="https://cuelang.org/">CUE</a> language to examine a pod spec, and only allow admission into a cluster if the pod is running with one or many <a href="https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container">Linux capabilities</a> from defined set of safe capabilities flags.</p> <h2 id="prerequisites" class="heading-2" data-heading-level="2"> <span class="heading-text">Prerequisites</span> <a href="#prerequisites" class="anchor" aria-label="Link to Prerequisites" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>To follow along with this guide, you will need the following:</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-privileged-containers-with-policy-controller/Thu, 02 Mar 2023 13:11:29 +0829https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-privileged-containers-with-policy-controller/<p>This guide demonstrates how to use the <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> to prevent running containers with elevated privileges. You will create a <code>ClusterImagePolicy</code> that uses the <a href="https://cuelang.org/">CUE</a> language to examine a pod spec, and only allow admission into a cluster if the pod is running without the <code>privileged: true</code> setting.</p> <h2 id="prerequisites" class="heading-2" data-heading-level="2"> <span class="heading-text">Prerequisites</span> <a href="#prerequisites" class="anchor" aria-label="Link to Prerequisites" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>To follow along with this guide, you will need the following:</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-run-as-root-user-with-policy-controller/Thu, 02 Mar 2023 13:11:29 +0829https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-run-as-root-user-with-policy-controller/<p>This guide demonstrates how to use the <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> to prevent running containers as the <code>root</code> user in a Kubernetes cluster. You will create a <code>ClusterImagePolicy</code> that uses the <a href="https://cuelang.org/">CUE</a> language to examine a pod spec, and only allow admission into a cluster if the pod is running as a non-root user.</p> <h2 id="prerequisites" class="heading-2" data-heading-level="2"> <span class="heading-text">Prerequisites</span> <a href="#prerequisites" class="anchor" aria-label="Link to Prerequisites" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>To follow along with this guide, you will need the following:</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/maximum-image-age-policy-controller/Thu, 02 Mar 2023 13:11:29 +0829https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/maximum-image-age-policy-controller/<p>This guide demonstrates how to use the <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a <code>ClusterImagePolicy</code> that checks the maximum age of a container image verifying that isn’t older than 30 days. For that, we’ll attempt to create two distroless images one older than 30 days and a fresh one.</p> <h2 id="prerequisites" class="heading-2" data-heading-level="2"> <span class="heading-text">Prerequisites</span> <a href="#prerequisites" class="anchor" aria-label="Link to Prerequisites" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>To follow along with this guide, you will need the following:</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-unsafe-sysctls-with-policy-controller/Wed, 01 Mar 2023 13:11:29 +0829https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-unsafe-sysctls-with-policy-controller/<p>This guide demonstrates how to use the <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> to only allow pods that use <code>sysctls</code> to modify kernel behaviour to run with the <a href="https://kubernetes.io/docs/tasks/administer-cluster/sysctl-cluster/#safe-and-unsafe-sysctls">safe set</a> of parameters. You will create a <code>ClusterImagePolicy</code> that uses the <a href="https://cuelang.org/">CUE</a> language to examine a pod spec that uses sysctls, and only allow admission into a cluster if the pod is running a safe set parameters.</p> <h2 id="prerequisites" class="heading-2" data-heading-level="2"> <span class="heading-text">Prerequisites</span> <a href="#prerequisites" class="anchor" aria-label="Link to Prerequisites" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>To follow along with this guide, you will need the following:</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/using-policy-controller-to-verify-signed-chainguard-images/Wed, 22 Feb 2023 13:11:29 +0829https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/using-policy-controller-to-verify-signed-chainguard-images/<p>This guide demonstrates how to use the <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a <code>ClusterImagePolicy</code> that checks for a keyless Cosign image signature, and then test the admission controller by running a signed <code>nginx</code> image.</p> <h2 id="prerequisites" class="heading-2" data-heading-level="2"> <span class="heading-text">Prerequisites</span> <a href="#prerequisites" class="anchor" aria-label="Link to Prerequisites" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><p>To follow along with this guide, you will need the following:</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/critical-cve-policy/Wed, 12 Apr 2023 15:22:20 +0100https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/critical-cve-policy/<p>While Common Vulnerabilities and Exposures (CVEs) are undesirable at any time, the software security standards of certain industries strictly regulate the allowance of <em>high</em> or <em>critical</em> CVEs. For example, in the payment industry, the <a href="https://www.pcisecuritystandards.org/">PCI Security Standards Council</a> requires that all vulnerabilities with a Common Vulnerability Scoring System (CVSS) score higher than 4 are addressed.</p> <p>For engineers and security professionals working in these contexts, it’s essential to know if container images have high or critical CVEs before deploying them. But tracking these CVEs manually can be difficult, especially when regularly pulling or updating large numbers of images for your workloads.</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-rego-policies/Thu, 12 Jan 2023 15:56:52 -0700https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-rego-policies/<p>The <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> supports the <a href="https://www.openpolicyagent.org/docs/latest/policy-language/">Rego Policy Language</a>, which is a declarative policy language that is used to evaluate structured input data such as Kubernetes manifests and JSON documents. This feature enables users to apply policies that can evaluate Kubernetes admission requests and object metadata to make comprehensive decisions about the workloads that are admitted to their clusters. Rego support also enables users to enhance existing cloud-native policies by adding additional software supply chain security checks.</p>https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-policy-examples/Fri, 15 Jul 2022 15:22:20 +0100https://deploy-preview-3422--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-policy-examples/<p>The <a href="https://docs.sigstore.dev/policy-controller/overview/">Sigstore Policy Controller</a> allows users to create their own security policies that they can be enforced on Kubernetes clusters. Here are a few example policies to help you get started.</p> <p>You may also review the <a href="https://docs.sigstore.dev/policy-controller/overview">Sigstore Policy Controller documentation</a>. In particular, we encourage you to review the Policy Controller documentation relating to the <a href="https://docs.sigstore.dev/policy-controller/overview/#admission-of-images">Admission of images</a> to learn how to admit images through the cluster image policy.</p> <h2 id="policy-enforcing-signed-containers" class="heading-2" data-heading-level="2"> <span class="heading-text">Policy enforcing signed containers</span> <a href="#policy-enforcing-signed-containers" class="anchor" aria-label="Link to Policy enforcing signed containers" title="Link to this section"> <svg width="16" height="9" viewBox="0 0 16 9" fill="none" xmlns="http://www.w3.org/2000/svg" aria-hidden="true"> <path d="M6.833 8.125H4C3 8.125 2.146 7.77067 1.438 7.062C0.729333 6.354 0.375 5.5 0.375 4.5C0.375 3.5 0.729333 2.646 1.438 1.938C2.146 1.22933 3 0.875 4 0.875H6.833V1.958H4C3.30533 1.958 2.708 2.208 2.208 2.708C1.708 3.208 1.458 3.80533 1.458 4.5C1.458 5.19467 1.708 5.792 2.208 6.292C2.708 6.792 3.30533 7.042 4 7.042H6.833V8.125ZM5.208 5.042V3.958H10.792V5.042H5.208ZM9.167 8.125V7.042H12C12.6947 7.042 13.292 6.792 13.792 6.292C14.292 5.792 14.542 5.19467 14.542 4.5C14.542 3.80533 14.292 3.208 13.792 2.708C13.292 2.208 12.6947 1.958 12 1.958H9.167V0.875H12C13 0.875 13.854 1.22933 14.562 1.938C15.2707 2.646 15.625 3.5 15.625 4.5C15.625 5.5 15.2707 6.354 14.562 7.062C13.854 7.77067 13 8.125 12 8.125H9.167Z" fill="currentColor"/> </svg> </a> </h2><pre class="highlight" data-language=""><code class="language-" data-lang="">apiVersion: policy.sigstore.dev/v1beta1 kind: ClusterImagePolicy metadata: name: signed-keyless spec: images: # All images - glob: &#34;**&#34; authorities: - keyless: url: https://fulcio.sigstore.dev ctlog: url: https://rekor.sigstore.dev</code></pre><p>Example using Chainguard Containers from Chainguard&rsquo;s registry:</p>