From 56fef57580b71d98f97430bc4b6c2fa217b63b40 Mon Sep 17 00:00:00 2001 From: Qifan Pu Date: Mon, 10 Oct 2022 14:32:56 -0400 Subject: [PATCH] Update signer tutorials. --- docs/signer.md | 61 +++++++++++-------- .../{Dockerfile.good => Dockerfile} | 0 samples/policy-check/Dockerfile.bad | 5 -- samples/policy-check/cloudbuild-bad.yaml | 8 +-- samples/policy-check/cloudbuild-good.yaml | 6 +- samples/policy-check/policy-loose.yaml | 10 +++ samples/policy-check/policy-strict.yaml | 10 +++ samples/policy-check/policy.yaml | 16 ----- .../signer/{Dockerfile.good => Dockerfile} | 0 samples/signer/Dockerfile.bad | 5 -- samples/signer/cloudbuild-bad.yaml | 8 +-- samples/signer/cloudbuild-good.yaml | 6 +- samples/signer/policy-loose.yaml | 10 +++ samples/signer/policy-strict.yaml | 10 +++ samples/signer/policy.yaml | 16 ----- 15 files changed, 90 insertions(+), 81 deletions(-) rename samples/policy-check/{Dockerfile.good => Dockerfile} (100%) delete mode 100644 samples/policy-check/Dockerfile.bad create mode 100644 samples/policy-check/policy-loose.yaml create mode 100644 samples/policy-check/policy-strict.yaml delete mode 100644 samples/policy-check/policy.yaml rename samples/signer/{Dockerfile.good => Dockerfile} (100%) delete mode 100644 samples/signer/Dockerfile.bad create mode 100644 samples/signer/policy-loose.yaml create mode 100644 samples/signer/policy-strict.yaml delete mode 100644 samples/signer/policy.yaml diff --git a/docs/signer.md b/docs/signer.md index c5ea35510..afd271114 100644 --- a/docs/signer.md +++ b/docs/signer.md 
@@ -218,10 +218,10 @@ First we need to pick a GCP project and enable those services within the project 6. Create vulnerability signing policy. - An example policy is in the samples. + We have two example policies, `policy-strict.yaml` and `policy-loose.yaml`. They differ in that `policy-loose.yaml` has higher severity thresholds. ```shell - cat samples/signer/policy.yaml + cat samples/signer/policy-strict.yaml apiVersion: kritis.grafeas.io/v1beta1 kind: VulnzSigningPolicy 
@@ -233,33 +233,44 @@ First we need to pick a GCP project and enable those services within the project maximumUnfixableSeverity: MEDIUM allowlistCVEs: - projects/goog-vulnz/notes/CVE-2020-10543 - - projects/goog-vulnz/notes/CVE-2020-10878 - - projects/goog-vulnz/notes/CVE-2020-14155 + + cat samples/signer/policy-loose.yaml + + apiVersion: kritis.grafeas.io/v1beta1 + kind: VulnzSigningPolicy + metadata: + name: my-vsp + spec: + imageVulnerabilityRequirements: + maximumFixableSeverity: CRITICAL + maximumUnfixableSeverity: CRITICAL + allowlistCVEs: + - projects/goog-vulnz/notes/CVE-2020-10543 ``` 7. Run signer on a built image (pass example). - 1. Build and push an example good image. + 1. Build and push an example image. ```shell - docker build -t gcr.io/$PROJECT_ID/signer-test:good -f samples/signer/Dockerfile.good . - docker push gcr.io/$PROJECT_ID/signer-test:good + docker build -t gcr.io/$PROJECT_ID/signer-test:example -f samples/signer/Dockerfile . + docker push gcr.io/$PROJECT_ID/signer-test:example ``` 2. Note down the image digest url. ```shell - export GOOD_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:good --format '{{index .RepoDigests 0}}') + export EXAMPLE_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:example --format '{{index .RepoDigests 0}}') ``` - 3. Run the signer. + 3. Run the signer with a loose policy. ```shell ./signer \ -v=10 \ -alsologtostderr \ - -image=$GOOD_IMG_URL \ - -policy=samples/signer/policy.yaml \ + -image=$EXAMPLE_IMG_URL \ + -policy=samples/signer/policy-loose.yaml \ -kms_key_name=$KMS_KEY_NAME \ -kms_digest_alg=$KMS_DIGEST_ALG \ -note_name=$NOTE_NAME @@ -276,8 +287,8 @@ First we need to pick a GCP project and enable those services within the project -mode=check-only \ -v=10 \ -alsologtostderr \ - -image=$GOOD_IMG_URL \ - -policy=samples/signer/policy.yaml \ + -image=$EXAMPLE_IMG_URL \ + -policy=samples/signer/policy-loose.yaml \ ``` ```shell 
@@ -285,7 +296,7 @@ First we need to pick a GCP project and enable those services within the project -mode=bypass-and-sign \ -v=10 \ -alsologtostderr \ - -image=$GOOD_IMG_URL \ + -image=$EXAMPLE_IMG_URL \ -kms_key_name=$KMS_KEY_NAME \ -kms_digest_alg=$KMS_DIGEST_ALG \ -note_name=$NOTE_NAME @@ -293,27 +304,27 @@ First we need to pick a GCP project and enable those services within the project 8. Run signer on a built image (fail example). - 1. Build and push an example good image. + 1. Build and push an example image (skippable if image from Step.7 is not deleted). ```shell - docker build -t gcr.io/$PROJECT_ID/signer-test:bad -f samples/signer/Dockerfile.bad . - docker push gcr.io/$PROJECT_ID/signer-test:bad + docker build -t gcr.io/$PROJECT_ID/signer-test:example -f samples/signer/Dockerfile . + docker push gcr.io/$PROJECT_ID/signer-test:example ``` 2. Note down the image digest url. ```shell - export BAD_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:bad --format '{{index .RepoDigests 0}}') + export EXAMPLE_IMG_URL=$(docker image inspect gcr.io/$PROJECT_ID/signer-test:example --format '{{index .RepoDigests 0}}') ``` - 3. Run the signer. + 3. Run the signer with a strict policy. ```shell ./signer \ -v=10 \ -alsologtostderr \ - -image=$BAD_IMG_URL \ - -policy=samples/signer/policy.yaml \ + -image=$EXAMPLE_IMG_URL \ + -policy=samples/signer/policy-strict.yaml \ -kms_key_name=$KMS_KEY_NAME \ -kms_digest_alg=$KMS_DIGEST_ALG \ -note_name=$NOTE_NAME @@ -330,8 +341,8 @@ First we need to pick a GCP project and enable those services within the project -mode=check-only \ -v=10 \ -alsologtostderr \ - -image=$BAD_IMG_URL \ - -policy=samples/signer/policy.yaml \ + -image=$EXAMPLE_IMG_URL \ + -policy=samples/signer/policy-strict.yaml \ ``` ```shell 
@@ -339,11 +350,11 @@ First we need to pick a GCP project and enable those services within the project -mode=bypass-and-sign \ -v=10 \ -alsologtostderr \ - -image=$BAD_IMG_URL \ + -image=$EXAMPLE_IMG_URL \ -kms_key_name=$KMS_KEY_NAME \ -kms_digest_alg=$KMS_DIGEST_ALG \ -note_name=$NOTE_NAME ``` - With `bypass-and-sign` mode, an attestation will also be created for the bad image. + With `bypass-and-sign` mode, an attestation will still be created for the image.
diff --git a/samples/policy-check/Dockerfile.good b/samples/policy-check/Dockerfile
similarity index 100%
rename from samples/policy-check/Dockerfile.good
rename to samples/policy-check/Dockerfile
diff --git a/samples/policy-check/Dockerfile.bad b/samples/policy-check/Dockerfile.bad
deleted file mode 100644
index 594ed63f8..000000000
--- a/samples/policy-check/Dockerfile.bad
+++ /dev/null
@@ -1,5 +0,0 @@
-# Debian9 image from Jun 8th, 2020
-FROM gcr.io/google-appengine/debian9@sha256:023748401f33e710de6297c7e7dd1617f3c3654819885c5208e9df4d0697848e
-
-# Just so the built image is always unique
-RUN apt-get update && apt-get -y install uuid-runtime && uuidgen > /IAMUNIQUE
diff --git a/samples/policy-check/cloudbuild-bad.yaml b/samples/policy-check/cloudbuild-bad.yaml
index dfb079b8c..fbc3f85ba 100644
--- a/samples/policy-check/cloudbuild-bad.yaml
+++ b/samples/policy-check/cloudbuild-bad.yaml
@@ -1,13 +1,13 @@ # Cloudbuild pipeline for a build with an image -# that passes the vuln policy +# that does not pass the vuln policy steps: - # Build a 'bad' image + # Build a test image - name: gcr.io/cloud-builders/docker entrypoint: /bin/bash args: - -c - | - docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.bad . + docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile . id: build - name: gcr.io/cloud-builders/docker entrypoint: /bin/bash
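Review bot: The rewritten header comment `# that does not pass the vuln policy` no longer says why, and after this hunk cloudbuild-bad.yaml and cloudbuild-good.yaml build the identical `./Dockerfile`, so the fail/pass outcome now rests entirely on which policy file the later `-policy=` step points at and on what the scanner currently reports for that image. A reader who runs the sample after new findings are published or withdrawn cannot tell from the file whether a surprising result is expected; make the expectation explicit, e.g. `# Expected to FAIL: policy-strict.yaml's MEDIUM thresholds are meant to reject this image's scan findings`, with the mirror wording (expected to pass under policy-loose.yaml) in cloudbuild-good.yaml. The same applies to samples/signer/cloudbuild-bad.yaml and samples/signer/cloudbuild-good.yaml. The build step this hunk opens continues past the end of the hunk.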
@@ -27,7 +27,7 @@ steps: -v=10 \ -alsologtostderr \ -image=$(/bin/cat image-digest.txt) \ - -policy=policy.yaml \ + -policy=policy-strict.yaml \ -mode=check-only waitFor: push id: vulnsign
diff --git a/samples/policy-check/cloudbuild-good.yaml b/samples/policy-check/cloudbuild-good.yaml
index 7eecfa373..13a0b6098 100644
--- a/samples/policy-check/cloudbuild-good.yaml
+++ b/samples/policy-check/cloudbuild-good.yaml
@@ -1,13 +1,13 @@ # Cloudbuild pipeline for a build with an image # that passes the vuln policy steps: - # Build a 'good' image + # Build a test image - name: gcr.io/cloud-builders/docker entrypoint: /bin/bash args: - -c - | - docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.good . + docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile . id: build - name: gcr.io/cloud-builders/docker entrypoint: /bin/bash
@@ -27,7 +27,7 @@ steps: -v=10 \ -alsologtostderr \ -image=$(/bin/cat image-digest.txt) \ - -policy=policy.yaml \ + -policy=policy-loose.yaml \ -mode=check-only waitFor: push id: vulnsign
diff --git a/samples/policy-check/policy-loose.yaml b/samples/policy-check/policy-loose.yaml
new file mode 100644
index 000000000..b3d516cf1
--- /dev/null
+++ b/samples/policy-check/policy-loose.yaml
@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+ name: my-vsp
+spec:
+ imageVulnerabilityRequirements:
+ maximumFixableSeverity: CRITICAL
+ maximumUnfixableSeverity: CRITICAL
+ allowlistCVEs:
+ - projects/goog-vulnz/notes/CVE-2021-20305
diff --git a/samples/policy-check/policy-strict.yaml b/samples/policy-check/policy-strict.yaml
new file mode 100644
index 000000000..244fc0e25
--- /dev/null
+++ b/samples/policy-check/policy-strict.yaml
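Review bot: `maximumFixableSeverity: CRITICAL` and `maximumUnfixableSeverity: CRITICAL` put the ceiling at the top of the severity scale, so as far as I can tell this policy admits every finding the scanner reports and the `allowlistCVEs` entry under it cannot change the outcome. That is fine for the tutorial's pass example, but nothing in the file says so and sample policies tend to be copied; add a header comment such as `# Tutorial pass-case only: CRITICAL thresholds accept findings of every severity, so this is not a usable baseline`. samples/signer/policy-loose.yaml is the same blob (index b3d516cf1) and needs the same comment; keeping a single copy, or noting that the two must stay in sync, would also stop them drifting apart.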
@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+ name: my-vsp
+spec:
+ imageVulnerabilityRequirements:
+ maximumFixableSeverity: MEDIUM
+ maximumUnfixableSeverity: MEDIUM
+ allowlistCVEs:
+ - projects/goog-vulnz/notes/CVE-2021-20305
diff --git a/samples/policy-check/policy.yaml b/samples/policy-check/policy.yaml
deleted file mode 100644
index 9e50973c5..000000000
--- a/samples/policy-check/policy.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: kritis.grafeas.io/v1beta1
-kind: VulnzSigningPolicy
-metadata:
- name: my-vsp
-spec:
- imageVulnerabilityRequirements:
- maximumFixableSeverity: MEDIUM
- maximumUnfixableSeverity: MEDIUM
- allowlistCVEs:
- - projects/goog-vulnz/notes/CVE-2021-20305
- - projects/goog-vulnz/notes/CVE-2020-10543
- - projects/goog-vulnz/notes/CVE-2020-10878
- - projects/goog-vulnz/notes/CVE-2020-14155
- - projects/goog-vulnz/notes/CVE-2019-25013
- - projects/goog-vulnz/notes/CVE-2021-33574
- - projects/goog-vulnz/notes/CVE-2021-3520
diff --git a/samples/signer/Dockerfile.good b/samples/signer/Dockerfile
similarity index 100%
rename from samples/signer/Dockerfile.good
rename to samples/signer/Dockerfile
diff --git a/samples/signer/Dockerfile.bad b/samples/signer/Dockerfile.bad
deleted file mode 100644
index 594ed63f8..000000000
--- a/samples/signer/Dockerfile.bad
+++ /dev/null
@@ -1,5 +0,0 @@
-# Debian9 image from Jun 8th, 2020
-FROM gcr.io/google-appengine/debian9@sha256:023748401f33e710de6297c7e7dd1617f3c3654819885c5208e9df4d0697848e
-
-# Just so the built image is always unique
-RUN apt-get update && apt-get -y install uuid-runtime && uuidgen > /IAMUNIQUE
diff --git a/samples/signer/cloudbuild-bad.yaml b/samples/signer/cloudbuild-bad.yaml
index 851ef86fb..b0a70f356 100644
--- a/samples/signer/cloudbuild-bad.yaml
+++ b/samples/signer/cloudbuild-bad.yaml
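Review bot: The single `allowlistCVEs` entry `projects/goog-vulnz/notes/CVE-2021-20305` carries no justification, while the policy.yaml deleted in this same patch allowlisted seven CVEs under the same MEDIUM thresholds, so a reader cannot tell whether the other six were dropped because they no longer affect the pinned sample image or because this copy is meant to make the check fail. An allowlist entry is a risk acceptance; record the reason beside it, e.g. `- projects/goog-vulnz/notes/CVE-2021-20305  # accepted: <reason placeholder>`. samples/signer/policy-strict.yaml is the same blob (index 244fc0e25) and has the same gap.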
@@ -1,13 +1,13 @@ # Cloudbuild pipeline for a build with an image -# that passes the vuln policy +# that does not pass the vuln policy steps: - # Build a 'bad' image + # Build a test image - name: gcr.io/cloud-builders/docker entrypoint: /bin/bash args: - -c - | - docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.bad . + docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile . id: build - name: gcr.io/cloud-builders/docker entrypoint: /bin/bash
@@ -27,7 +27,7 @@ steps: -v=10 \ -alsologtostderr \ -image=$(/bin/cat image-digest.txt) \ - -policy=policy.yaml \ + -policy=policy-strict.yaml \ -kms_key_name=${_KMS_KEY_NAME} \ -kms_digest_alg=${_KMS_DIGEST_ALG} \ -note_name=${_NOTE_NAME}
diff --git a/samples/signer/cloudbuild-good.yaml b/samples/signer/cloudbuild-good.yaml
index d4f504fcf..9d082c0d8 100644
--- a/samples/signer/cloudbuild-good.yaml
+++ b/samples/signer/cloudbuild-good.yaml
@@ -1,13 +1,13 @@ # Cloudbuild pipeline for a build with an image # that passes the vuln policy steps: - # Build a 'good' image + # Build a test image - name: gcr.io/cloud-builders/docker entrypoint: /bin/bash args: - -c - | - docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile.good . + docker build -t gcr.io/$PROJECT_ID/binauthz-test:latest -f ./Dockerfile . id: build - name: gcr.io/cloud-builders/docker entrypoint: /bin/bash
@@ -27,7 +27,7 @@ steps: -v=10 \ -alsologtostderr \ -image=$(/bin/cat image-digest.txt) \ - -policy=policy.yaml \ + -policy=policy-loose.yaml \ -kms_key_name=${_KMS_KEY_NAME} \ -kms_digest_alg=${_KMS_DIGEST_ALG} \ -note_name=${_NOTE_NAME}
diff --git a/samples/signer/policy-loose.yaml b/samples/signer/policy-loose.yaml
new file mode 100644
index 000000000..b3d516cf1
--- /dev/null
+++ b/samples/signer/policy-loose.yaml
@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+ name: my-vsp
+spec:
+ imageVulnerabilityRequirements:
+ maximumFixableSeverity: CRITICAL
+ maximumUnfixableSeverity: CRITICAL
+ allowlistCVEs:
+ - projects/goog-vulnz/notes/CVE-2021-20305
diff --git a/samples/signer/policy-strict.yaml b/samples/signer/policy-strict.yaml
new file mode 100644
index 000000000..244fc0e25
--- /dev/null
+++ b/samples/signer/policy-strict.yaml
@@ -0,0 +1,10 @@
+apiVersion: kritis.grafeas.io/v1beta1
+kind: VulnzSigningPolicy
+metadata:
+ name: my-vsp
+spec:
+ imageVulnerabilityRequirements:
+ maximumFixableSeverity: MEDIUM
+ maximumUnfixableSeverity: MEDIUM
+ allowlistCVEs:
+ - projects/goog-vulnz/notes/CVE-2021-20305
diff --git a/samples/signer/policy.yaml b/samples/signer/policy.yaml
deleted file mode 100644
index 9e50973c5..000000000
--- a/samples/signer/policy.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: kritis.grafeas.io/v1beta1
-kind: VulnzSigningPolicy
-metadata:
- name: my-vsp
-spec:
- imageVulnerabilityRequirements:
- maximumFixableSeverity: MEDIUM
- maximumUnfixableSeverity: MEDIUM
- allowlistCVEs:
- - projects/goog-vulnz/notes/CVE-2021-20305
- - projects/goog-vulnz/notes/CVE-2020-10543
- - projects/goog-vulnz/notes/CVE-2020-10878
- - projects/goog-vulnz/notes/CVE-2020-14155
- - projects/goog-vulnz/notes/CVE-2019-25013
- - projects/goog-vulnz/notes/CVE-2021-33574
- - projects/goog-vulnz/notes/CVE-2021-3520