Everyone can contribute! Learn DevOps and Cloud Native in our cafe ☕
Technology is moving fast in the DevOps and Cloud Native community.
Join the conversation and add your thoughts, tips, experiences, stories.
"Everyone Can Contribute" is inspired by GitLab's mission.
51. #EveryoneCanContribute Cafe: First look: Chainguard Enforce with Carlos Panato
Carlos Panato started with a short introduction into Software Supply Chain Security and which problem Chainguard aims to solve. The demo follows a great story line on deploying a container image with GitLab CI/CD, verify the image manually, showing Chainguard on the CLI to pull image policies, create custom policies, observe and enforce, sign using cosign inside CI/CD. The following discussion touched topic such as SBOM, key signing, and also cluster runtime security with eBPF. Last but not least, we talked about Kubernetes 1.24 adopting Sigstore and making cloud-native projects more secure.
Join Carlos next week at KubeCon EU with the SIG Release Update with “Releasing Kubernetes Less Often and More Secure”!
Insights
We’ve learned about:
- Chainguard Enforce
- Software Supply Chain Security
- Enforce with policies, CLI and Kubernetes cluster agent integration
- Demo
- Webserver in Go, container image build. deployed to GCP in GKE
- Image not yet signed - cosign verify fails
- chainctl CLI SaaS login - automatically downloads the default Chainguard image policy as
ClusterImagePolicyCRD - Create a new ClusterImagePolicy for the GitLab runner service
- Install the Chainguard agent - light-weight, different namespace, request limits: 1 CPU, 1GB maximum to consume less cluster resources.
- Agent collects metrics and observes the cluster image policies
chainctl clusters ls - Policy enforce via validation webhooks to block things.
- Modifying the GitLab CI/CD to sign the image (using the GitLab Dependency Proxy to avoid Docker Hub Rate Limit).
- Deploy and verify the signed image
- Move from observing to enforcing the policies, verify the signatures and identities
- Enforce analyses the Software Bill of Materials (SBOM - CycloneDX, SPDX as format)
- Roadmap
- Base images OOTB and more features to come
- Make sure to join Chainguard at KubeCon EU and follow Chainguard on Twitter for more updates :-)
- Resources
- GitLab feature proposal to add more fields for cosign in the
CI_JOB_JWT_V2token. - Sigstore is written in Go, Python and Java libraries are in the making.
- Kubernetes signals massive adoption of Sigstore for protecting open source ecosystem
- eBPF for Kubernetes runtime security, used by Falco and Cilium.
- Request a demo here
- GitLab feature proposal to add more fields for cosign in the
News
The next meetup happens on June 14, 2022.
We will meet on the second Tuesday at 9am PT.