If we are to truly embrace cloud native, we need to be able to trust what we deploy at every step of our supply chain: we need to be sure that what we think we are deploying is actually what gets deployed.
We recently made GitHub Artifact Attestations generally available. It lets you create provenance and integrity guarantees so that what you built in GitHub Actions can be traced back to its source code and the workflow that built it. This gives your developers and end users confidence that your supply chain is secure. With the growing regulatory and compliance requirements many organizations face, attestations meet the SLSA v1.0 Build Level 2 requirements and let your teams make informed decisions about the builds they run.
This new feature allows you to create attestations for any artifact type, be it an executable, a package (e.g. npm, NuGet, Maven), a container image (in Docker Hub, GitHub Packages, Azure Container Registry, and so on), or even a ZIP file.
In this blog post, we'll walk through configuring your GitHub Actions workflow for Artifact Attestations so that you can attest your packages and verify your builds within your CI/CD workflows in a truly cloud-native way. In the specific use case below, we'll also verify our builds in the cluster with a Kubernetes admission controller.
Configuring the GitHub action in your workflow
To attest the provenance of an artifact produced in a workflow, add the attest-build-provenance action after the step that creates the artifact. The action and its documentation are in the actions/attest-build-provenance repository on GitHub.
Let's walk through an existing workflow that builds and outputs an artifact. First, make sure you can edit the workflow, then install the GitHub CLI (gh) so that we can verify the attestations we issue.
Now let’s configure the build provenance action and verify it!
- Open your existing workflow (or create a new one; just make sure it produces an artifact). Add the action after the artifact is created and set subject-path to the artifact you want to attest. The job needs the id-token, contents and attestations permissions shown below; without id-token: write the action cannot obtain the OIDC token it signs with.

  name: build-attest
  on:
    workflow_dispatch:
  jobs:
    build:
      # runs-on is required by GitHub Actions; ubuntu-latest is assumed here.
      runs-on: ubuntu-latest
      permissions:
        id-token: write
        contents: read
        attestations: write
      steps:
        - name: Checkout
          uses: actions/checkout@v4
        - name: Build artifact
          run: make our-app
        - name: Artifact Attestation
          uses: actions/attest-build-provenance@v1
          with:
            subject-path: '${{ github.workspace }}/our-app'
- To adjust the inputs, check the action's documentation for the additional inputs and outputs that can be configured.
For example, you can push the attestation to an OCI image registry or specify the GitHub token, as shown in the full list of inputs below:

  - uses: actions/attest-build-provenance@v1
    with:
      # Path to the artifact serving as the subject of the attestation. Must
      # specify exactly one of "subject-path" or "subject-digest". May contain a
      # glob pattern or list of paths (total subject count cannot exceed 2500).
      subject-path:

      # SHA256 digest of the subject for the attestation. Must be in the form
      # "sha256:hex_digest" (e.g. "sha256:abc123..."). Must specify exactly one
      # of "subject-path" or "subject-digest".
      subject-digest:

      # Subject name as it should appear in the attestation. Required unless
      # "subject-path" is specified, in which case it will be inferred from the
      # path.
      subject-name:

      # Whether to push the attestation to the image registry. Requires that the
      # "subject-name" parameter specify the fully-qualified image name and that
      # the "subject-digest" parameter be specified. Defaults to false.
      push-to-registry:

      # The GitHub token used to make authenticated API requests. Default is
      # ${{ github.token }}
      github-token:
- Trigger your workflow. In this example we use a manual trigger (workflow_dispatch). Once the run succeeds, you can view the attestations in the left panel of the repository's Actions tab: select Attestations.
- Click an attestation to view it along with details about the build that produced it. You can also download the attestation to your computer.
- After the workflow has run and the attestation has been created, you want to verify it. To do this, open a terminal and run the following command:
gh attestation verify PATH/TO/ARTIFACT -o myorganization
Note: the attestation page for the run shows the exact path of the artifact that was attested, so you can copy it into the command above. The verification can also be automated: gh attestation verify exits non-zero when verification fails, and --format json gives machine-readable output for further checks.
That's all! Adding the action and verifying the resulting attestation are both straightforward. Now let's see how we can also attest and verify the container images we use for our cloud-native deployments.
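The command above delegates the cryptographic work (Sigstore signature, certificate chain to GitHub's trust root, transparency log) to gh. What a deployment gate then acts on is the content of the attestation: does its subject digest match the exact bytes we are about to deploy, is the predicate SLSA v1 provenance from a GitHub Actions workflow, and does that workflow belong to our organization? The following Python is an added example, not GitHub's code, that makes those content checks explicit on a downloaded attestation bundle; it does not replace gh attestation verify, because it performs no signature verification. The organization name myorganization, the repository URL, the workflow file name and the sample bundle (with a placeholder signature) are all constructed for illustration; the bundle layout (dsseEnvelope with a base64 in-toto statement) and the SLSA/GitHub type URIs are the ones the attestation format uses.

```python
"""Content checks on a GitHub artifact attestation (Sigstore bundle JSON).
Checks subject digest binding, predicate/build type and producing organization.
Signature and transparency-log verification are NOT done here; that is what
`gh attestation verify` and the Sigstore policy controller do.
Added example, not GitHub's code."""
import base64
import hashlib
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
GITHUB_WORKFLOW_BUILD_TYPE = "https://actions.github.io/buildtypes/workflow/v1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def digest_from_image_ref(ref: str) -> str:
    """Hex digest of an image reference pinned by digest (name@sha256:<hex>).
    Tag-only references are refused: a tag can be re-pointed after the
    attestation was made, so it does not identify what will actually run."""
    if "@sha256:" not in ref:
        raise ValueError(f"image reference is not pinned by digest: {ref}")
    return ref.rsplit("@sha256:", 1)[1]


def decode_statement(bundle: dict) -> dict:
    """Extract the in-toto statement from the bundle's DSSE envelope."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType {env.get('payloadType')!r}")
    if not env.get("signatures"):
        raise ValueError("DSSE envelope carries no signatures")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("_type") != IN_TOTO_STATEMENT:
        raise ValueError(f"unexpected statement type {stmt.get('_type')!r}")
    return stmt


def check_provenance(bundle: dict, subject_sha256: str, expected_org: str) -> list:
    """Return the list of policy failures; an empty list means the attestation
    covers this exact subject and was produced by a workflow in expected_org."""
    failures = []
    stmt = decode_statement(bundle)
    # 1. Subject binding: the statement must name exactly this digest.
    attested = {s["digest"]["sha256"].lower() for s in stmt.get("subject", [])}
    if subject_sha256.lower() not in attested:
        failures.append(f"subject digest {subject_sha256} is not attested")
    # 2. Predicate and build type identify SLSA provenance from a GitHub workflow.
    if stmt.get("predicateType") != SLSA_PROVENANCE_V1:
        failures.append(f"predicateType is {stmt.get('predicateType')!r}")
    build_def = stmt.get("predicate", {}).get("buildDefinition", {})
    if build_def.get("buildType") != GITHUB_WORKFLOW_BUILD_TYPE:
        failures.append(f"buildType is {build_def.get('buildType')!r}")
    # 3. The producing workflow lives under our organization. The trailing
    #    slash matters: "myorg" must not be satisfied by "myorganization".
    repo = build_def.get("externalParameters", {}).get("workflow", {}).get("repository", "")
    if not repo.startswith(f"https://github.com/{expected_org}/"):
        failures.append(f"workflow repository {repo!r} is not under {expected_org}")
    return failures


def make_sample_bundle(subject_name: str, subject_sha256: str, repo_url: str) -> dict:
    """Constructed sample bundle with a placeholder signature, shaped like the
    JSON GitHub serves. NOT a real attestation and NOT signed."""
    statement = {
        "_type": IN_TOTO_STATEMENT,
        "subject": [{"name": subject_name, "digest": {"sha256": subject_sha256}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {"buildDefinition": {
            "buildType": GITHUB_WORKFLOW_BUILD_TYPE,
            "externalParameters": {"workflow": {
                "ref": "refs/heads/main", "repository": repo_url,
                "path": ".github/workflows/build-attest.yml"}}}},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"mediaType": "application/vnd.dev.sigstore.bundle+json;version=0.3",
            "dsseEnvelope": {"payload": payload,
                             "payloadType": "application/vnd.in-toto+json",
                             "signatures": [{"sig": "PLACEHOLDER"}]}}


# Constructed stand-in for the built `our-app` binary and its attestation.
OUR_APP = b"#!/bin/sh\necho our-app\n"
OUR_APP_DIGEST = sha256_hex(OUR_APP)
BUNDLE = make_sample_bundle("our-app", OUR_APP_DIGEST, "https://github.com/myorganization/our-app")

if __name__ == "__main__":
    print("genuine binary:", check_provenance(BUNDLE, OUR_APP_DIGEST, "myorganization"))
    print("tampered binary:", check_provenance(BUNDLE, sha256_hex(OUR_APP + b"\x00"), "myorganization"))
    print("wrong org:", check_provenance(BUNDLE, OUR_APP_DIGEST, "other-org"))
    image = "ghcr.io/myorganization/our-app@sha256:" + OUR_APP_DIGEST
    print("pinned image:", check_provenance(BUNDLE, digest_from_image_ref(image), "myorganization"))
```

The same three questions are what the cluster policy in the next section answers for container images, with the image's pinned digest taking the place of the file hash; that is why the digest-pinned form of the image reference is the one to deploy.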
Validating our Kubernetes clusters and images
The ability to validate packages and images in our container registries puts security and traceability at the forefront of our cloud-native supply chain.
Remember, we want to make sure that what we built is actually what gets deployed. Whether you're a DevOps engineer, a platform/infrastructure engineer, or a security specialist, the same questions come up about deployments: Are our images and clusters free of known security vulnerabilities? Did we follow the approved process to make our images and clusters production-ready? Where did this image come from, and have we done our due diligence on its quality?
For this purpose, GitHub offers a Kubernetes admission controller that validates incoming workloads and rejects images that have no verifiable attestation. It consists of two Helm charts: the first installs the Sigstore policy controller, which performs the verification, and the second loads GitHub's trust root and a default cluster image policy.
Now let’s look at how we can ensure that our Kubernetes clusters are actually running what we created.
- Before installing the controller, you can verify that the chart itself came from GitHub by running the following command:
gh attestation verify --owner github oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller:v0.10.0-github5
The output confirms that the chart was built by a workflow in the github organization, i.e. from the expected repository.
- Once this is verified, install the Sigstore policy controller by running the following command:
helm install policy-controller --atomic --create-namespace --namespace artifact-attestations oci://ghcr.io/github/artifact-attestations-helm-charts/policy-controller --version v0.10.0-github5
- Then install GitHub's TrustRoot and the default cluster image policy:
helm install trust-policies --atomic --namespace artifact-attestations oci://ghcr.io/github/artifact-attestations-helm-charts/trust-policies --version v0.5.0 --set policy.enabled=true --set policy.organization=MY-ORGANIZATION
Note: make sure policy.organization is set to your own organization; this is the value the policy uses to decide whose attestations are trusted. There are a number of customizable values for the cluster image policy.
- Once the policy is installed, it is only enforced in namespaces that opt in. Add the following label to a namespace to enable enforcement there (each namespace in your cluster is enforced independently). Note that this is a label, not an annotation, and its value is the string "true":

  metadata:
    labels:
      policy.sigstore.dev/include: "true"
Alternatively, you can apply the label with kubectl:
kubectl label namespace MYNAMESPACE policy.sigstore.dev/include=true
- We can take a closer look at what the Helm chart installed by reading the ClusterImagePolicy object it created in the cluster; the attestation data it checks for on admitted images is in JSON format.
Once the policy is in place, only images carrying a provenance attestation from our organization are admitted to the labeled namespaces; anything without one is rejected. We have built, verified and attested our container images and Helm charts!
Good luck getting started with artifact attestation with your cloud-native deployments!
Watch the tutorial on YouTube