
This project forked from ibm/integrity-shield


Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It includes signature-based configuration drift prevention, implemented as an admission webhook on a Kubernetes cluster.

License: Apache License 2.0

Languages: Go 84.28%, Shell 7.09%, Makefile 6.69%, Dockerfile 1.95%


integrity-shield

Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It provides signature-based integrity assurance for Kubernetes resources on the cluster side.

Integrity Shield works with OPA/Gatekeeper: it verifies that each request carries a valid signature and blocks any unauthorized request according to the constraint, before the resource is actually persisted in etcd. Alternatively, you can use its own admission controller instead of OPA/Gatekeeper.

Scenario

integrity shield server

The Integrity Shield server contains the main logic for verifying admission requests. It receives a Kubernetes resource from OPA/Gatekeeper, validates the resource contained in the admission request against the profile, and returns the verification result to OPA/Gatekeeper. Internally, it uses k8s-manifest-sigstore to verify the Kubernetes manifest.

You can enable protection by Integrity Shield in a few simple steps; see Usage.

gatekeeper constraint

Integrity Shield works with OPA/Gatekeeper by installing a ConstraintTemplate (template-manifestintegrityconstraint.yaml). The OPA/Gatekeeper constraint framework is used to define the resources to be protected.

For example, the following snippet shows an example definition of protected resources in a namespace.

apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ManifestIntegrityConstraint
metadata:
  name: deployment-constraint
spec:
  match:
    kinds:
    - kinds: ["Deployment"]
      apiGroups: ["apps"]
    namespaces:
    - "sample-ns"
  parameters:
    inScopeObjects:
    - name: sample-app
    signers:
    - [email protected]
    ignoreFields:
    - objects:
      - kind: Deployment
      fields:
      - spec.replicas

The ManifestIntegrityConstraint resource includes a parameters field. In the parameters field, you configure the profile used to verify the matched resources: ignoreFields, which allows requests that differ from the signed manifest only in the listed fields, signers, and so on.

admission controller

This is an admission controller that verifies Kubernetes manifests signed with sigstore. You can use it instead of OPA/Gatekeeper; in that case, the resources to be protected are defined in a custom resource called ManifestIntegrityProfile rather than in an OPA/Gatekeeper constraint.

The following snippet is an example of a ManifestIntegrityProfile.

apiVersion: apis.integrityshield.io/v1alpha1
kind: ManifestIntegrityProfile
metadata:
  name: profile-configmap
spec:
  match:
    kinds:
    - kinds:
      - ConfigMap
    namespaces:
    - sample-ns
  parameters:
    ignoreFields:
    - fields:
      - data.comment
      objects:
      - kind: ConfigMap
    signers:
    - [email protected]

You can set up the admission controller in a few simple steps; see admission controller.
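Both the ManifestIntegrityConstraint above and the ManifestIntegrityProfile express the same decision: is the object covered by the match section, was it signed by one of the listed signers, and does the requested object differ from the signed manifest only in the ignoreFields? The Go program below is an added example written for this page, not code from the Integrity Shield project; it reimplements that decision in simplified form so the semantics of the two profiles can be exercised offline. The Constraint struct, the set type, the SampleConstraint and SampleDeployment helpers, the image names and the signer address signer@example.com are all assumptions, and the cryptographic signature check (which the project delegates to k8s-manifest-sigstore) is taken as already done, yielding the signed manifest and the signer identity.

```go
package main

import (
	"fmt"
	"reflect"
	"strings"
)

// Manifest is a decoded Kubernetes object in the nested-map shape YAML/JSON decoders produce.
type Manifest = map[string]interface{}

// set is a selector: an empty set matches everything, like an omitted match field.
type set map[string]bool

func (s set) allows(v string) bool { return len(s) == 0 || s[v] }

// Constraint is an assumed, simplified stand-in for the spec of ManifestIntegrityConstraint
// and ManifestIntegrityProfile: the match section plus the parameters shown on the page.
type Constraint struct {
	Kinds, APIGroups, Namespaces, InScopeObjects set
	Signers                                      set            // identities allowed to sign protected objects
	IgnoreFields                                 map[string]set // kind -> dotted paths whose changes are tolerated
}

// str returns the string at m[key], or "" when it is absent or not a string.
func str(m Manifest, key string) string {
	s, _ := m[key].(string)
	return s
}

// InScope reports whether the match section covers this object ("apps/v1" -> group "apps", core "v1" -> "").
func (c Constraint) InScope(m Manifest) bool {
	group := ""
	if av := str(m, "apiVersion"); strings.Contains(av, "/") {
		group = av[:strings.Index(av, "/")]
	}
	md, _ := m["metadata"].(Manifest)
	return c.Kinds.allows(str(m, "kind")) && c.APIGroups.allows(group) &&
		c.Namespaces.allows(str(md, "namespace")) && c.InScopeObjects.allows(str(md, "name"))
}

// equalExcept compares two nested maps field by field, skipping dotted paths listed in ignore.
func equalExcept(a, b Manifest, ignore set, prefix string) bool {
	for k := range b {
		if _, in := a[k]; !in && !ignore[prefix+k] {
			return false // field added by the request
		}
	}
	for k, av := range a {
		if ignore[prefix+k] {
			continue
		}
		am, aok := av.(Manifest)
		bm, bok := b[k].(Manifest)
		if aok && bok {
			if !equalExcept(am, bm, ignore, prefix+k+".") {
				return false
			}
		} else if !reflect.DeepEqual(av, b[k]) {
			return false // changed, removed, or type-switched field
		}
	}
	return true
}

// Verify is the per-request decision. The signature itself is assumed to have been verified already
// (yielding the signed manifest and signer); this applies the profile's signers and ignoreFields on top.
func (c Constraint) Verify(signed, requested Manifest, signer string) (bool, string) {
	if !c.InScope(requested) {
		return true, "object not covered by this constraint"
	}
	if !c.Signers[signer] {
		return false, fmt.Sprintf("signer %q is not an allowed signer", signer)
	}
	if !equalExcept(signed, requested, c.IgnoreFields[str(requested, "kind")], "") {
		return false, "request differs from the signed manifest outside ignoreFields"
	}
	return true, "request matches the signed manifest"
}

// SampleConstraint mirrors the Deployment constraint on the page (constructed; placeholder signer).
func SampleConstraint() Constraint {
	return Constraint{
		Kinds: set{"Deployment": true}, APIGroups: set{"apps": true}, Namespaces: set{"sample-ns": true},
		InScopeObjects: set{"sample-app": true}, Signers: set{"signer@example.com": true},
		IgnoreFields:   map[string]set{"Deployment": {"spec.replicas": true}},
	}
}

// SampleDeployment builds a constructed Deployment manifest with the given replica count and image.
func SampleDeployment(replicas int, image string) Manifest {
	return Manifest{
		"apiVersion": "apps/v1", "kind": "Deployment",
		"metadata":   Manifest{"name": "sample-app", "namespace": "sample-ns"},
		"spec": Manifest{
			"replicas": replicas,
			"template": Manifest{"containers": []interface{}{Manifest{"name": "app", "image": image}}},
		},
	}
}
```

With SampleConstraint, a request that only scales sample-app from 1 to 3 replicas is admitted because spec.replicas is in ignoreFields, while a request that changes the container image, adds a field under spec, or arrives from a signer not in the list is rejected; an object in another namespace is simply outside the constraint's scope. Note that an added field is treated as drift: ignoreFields tolerates changes only to the paths it names, which is what keeps the rest of the signed manifest authoritative.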

Contributors: imgbot[bot], rurikudo, stevemar, yuji-watanabe-jp
