Awesome
in-toto-kubectl
This is a kubectl plugin to run in-toto verification on the images in your kubernetes pods.
Install
run make deploy
and the plugin should be installed to ~/.kube/plugins
. You
can change the target by changing the KUBEPATH environment variable. For
example make deploy KUBEPATH=~/bin
will install it to a user-controlled
bin/
folder.
Usage
Make sure the plugin executable was installed to somewhere in your $PATH
, or
to add ~/.kube/plugins
to your path. Afterwards, you can use it within
kubectl:
kubectl in-toto pod/[podname]
In order to scan a pod, you'd have to have the link metadata and the layout in
your current folder. After passing the pod/podname argument, you can also use
-k
and -l
in the same way as in-toto-verify
to pass key and layout
parameters.
Extensions
The kubectl plugin uses parameter substitution to provide you with a
{IMAGE_ID}
parameter that you can substitute inside of your layouts.
In addition, a file (if it doesn't exist) called image_id
will be populated
on the directory when verification starts. This can be used to e.g., verify
against the output of docker build
. This second extension will disappear in
future releases, and once resource type identifiers are provided by the in-toto
framework.
Example
An example repository exists under the example
directory. It contains all the
tools you need to create a layout (using the python implementation), create
signed metadata files (you will need docker to build the container). If you're
using minikube to run the example, I also suggest you expose the Docker socket
before executing the functionary step so as to create the image inside the
container.
Credit
This was very heavily based off of stefanprodan's kubectl-kubesec plugin