upgrade to new design (#361)
* Create SECURITY.md

* Create SECURITY.md

* Replace go package path

* Create SECURITY.md

* temporary commit for sonar test

* temporary commit for sonar test 2

* Revert "temporary commit for sonar test 2"

This reverts commit 7680fdb.

* Revert "temporary commit for sonar test"

This reverts commit ee9df19.

* Update README_SETUP_KEY_RING_ACM_ENV.md

I am proposing a short section just to clarify that the remove then setup procedure will work as a way to move to a new signing key.

* Fixed the document to update how to update a verification key

* Squashed commit of the following:

commit 121e937
Author: hirokuni-kitahara <[email protected]>
Date:   Wed Jan 20 22:29:17 2021 +0900

    fix patch functions and add troubleshooting doc (#259)

    * fix patch functions and add troubleshooting doc

    * fix scripts and some parts in doc

commit 0ef8683
Author: Yuji Watanabe <[email protected]>
Date:   Wed Jan 20 22:18:16 2021 +0900

    change from K8s to k8s (#260)

    * change from K8s to k8s

    * fix tested cluster version

* Update signing script to remove syntax issue

The script had to be edited so it would run.  I made these changes.

* Squashed commit of the following:

commit 02c7d25
Author: Kugamoorthy Gajananan <[email protected]>
Date:   Thu Jan 21 15:39:59 2021 +0900

    Added make target and script to update version in necessary files after building bundle based on new version (#261)

commit 6546dc1
Author: hirokuni-kitahara <[email protected]>
Date:   Thu Jan 21 15:37:29 2021 +0900

    fix integrity shield roles/cert config and add event type annotation to IntegrityShieldEvent (#262)

    * update role & cert duration and fix e2e test issue

    * add event type annotation and fix e2e test

commit 121e937
Author: hirokuni-kitahara <[email protected]>
Date:   Wed Jan 20 22:29:17 2021 +0900

    fix patch functions and add troubleshooting doc (#259)

    * fix patch functions and add troubleshooting doc

    * fix scripts and some parts in doc

commit 0ef8683
Author: Yuji Watanabe <[email protected]>
Date:   Wed Jan 20 22:18:16 2021 +0900

    change from K8s to k8s (#260)

    * change from K8s to k8s

    * fix tested cluster version

* Squashed commit of the following:

commit a93ca3b
Author: hirokuni-kitahara <[email protected]>
Date:   Thu Jan 21 19:37:51 2021 +0900

    fix e2e test delete error & fix op unit test timeout error (#263)

commit 02c7d25
Author: Kugamoorthy Gajananan <[email protected]>
Date:   Thu Jan 21 15:39:59 2021 +0900

    Added make target and script to update version in necessary files after building bundle based on new version (#261)

commit 6546dc1
Author: hirokuni-kitahara <[email protected]>
Date:   Thu Jan 21 15:37:29 2021 +0900

    fix integrity shield roles/cert config and add event type annotation to IntegrityShieldEvent (#262)

    * update role & cert duration and fix e2e test issue

    * add event type annotation and fix e2e test

commit 121e937
Author: hirokuni-kitahara <[email protected]>
Date:   Wed Jan 20 22:29:17 2021 +0900

    fix patch functions and add troubleshooting doc (#259)

    * fix patch functions and add troubleshooting doc

    * fix scripts and some parts in doc

commit 0ef8683
Author: Yuji Watanabe <[email protected]>
Date:   Wed Jan 20 22:18:16 2021 +0900

    change from K8s to k8s (#260)

    * change from K8s to k8s

    * fix tested cluster version

* resolve conflict

* add comment in readme to trigger rebuild for img vulns

Signed-off-by: Will Kutler <[email protected]>

* removed unnecessary dir/file

Signed-off-by: ruriko <[email protected]>

* removed unnecessary dir/file

Signed-off-by: ruriko <[email protected]>

* Preparing to move to new integrity shield (#344)

* Initial commit

* init commit

* add request handler logic

* update go.mod

* put all func

* added request handler and main functions (#2)

* add remote request handler

* remove unused file

* remove tls.crt from secret.yaml

* change to use new constraints

* remove unused func

* remove unused values

* remove unused values

* rename parameter and package

* update request handler

* add ishield config

* add error handling

* fix mutation check

* refactor main.go/struct

* add allow/inScopeNamespace check

* add config

* fix to use ENV parameter

* fix inScopeNamespace and config name

* change the way of loading shield/reqhandler config

* support apiGroup match

* support label/namespaceSelector match

* change config name

Signed-off-by: ruriko <[email protected]>

* enable opa/gatekeeper admission controller (#4) (#5)

* enable to use opa/gatekeeper

Signed-off-by: ruriko <[email protected]>

* include shield config in rego policy

Signed-off-by: ruriko <[email protected]>

* update rego policy

Signed-off-by: ruriko <[email protected]>

* update default setting in rego policy

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Ruriko Kudo <[email protected]>

* reorganized code (#6)

* reorganized code

Signed-off-by: ruriko <[email protected]>

* rename module name

* change config name

Signed-off-by: ruriko <[email protected]>

* update README.md

Signed-off-by: ruriko <[email protected]>

* change config name in admission controller

Signed-off-by: ruriko <[email protected]>

* Update Readme (#7)

* update README.md

Signed-off-by: ruriko <[email protected]>

* add an image

Signed-off-by: ruriko <[email protected]>

* fix README.md

Signed-off-by: ruriko <[email protected]>

* fix typo

Signed-off-by: ruriko <[email protected]>

* Update README.md

* Update README.md

* update README and fix config name

Signed-off-by: ruriko <[email protected]>

* update README

Signed-off-by: ruriko <[email protected]>

* update README

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Yuji Watanabe <[email protected]>

* [ImgBot] Optimize images (#8)

/docs/ishield-scenario.png -- 146.35kb -> 104.24kb (28.77%)

Signed-off-by: ImgBotApp <[email protected]>

Co-authored-by: ImgBotApp <[email protected]>

* use latest k8s-manifest-sigstore (#9)

* update to use latest k8s-manifest-sigstore

Signed-off-by: ruriko <[email protected]>

* fix parameters

Signed-off-by: ruriko <[email protected]>

* fix to handle nil request handler config

Signed-off-by: ruriko <[email protected]>

* enable log/mode settings (#10)

* support log config

Signed-off-by: ruriko <[email protected]>

* support detect mode

Signed-off-by: ruriko <[email protected]>

* update rego policy to support detect mode

Signed-off-by: ruriko <[email protected]>

* change to use same log format with k8s-manifest-sigstore

* fix log level in deployment

Signed-off-by: ruriko <[email protected]>

* add K8S_MANIFEST_SIGSTORE_LOG_LEVEL

Signed-off-by: ruriko <[email protected]>

* fix K8S_MANIFEST_SIGSTORE_LOG_LEVEL

Signed-off-by: ruriko <[email protected]>

* fix conflict

Signed-off-by: ruriko <[email protected]>

* enable event/status update (#11)

* enable mip status update

Signed-off-by: ruriko <[email protected]>

* fix mip status update

Signed-off-by: ruriko <[email protected]>

* enable deny event

Signed-off-by: ruriko <[email protected]>

* change violations limit

Signed-off-by: ruriko <[email protected]>

* update rego policy (#12)

Signed-off-by: ruriko <[email protected]>

* Support operator and observer (#13)

* add initial code generated by operator-sdk

Signed-off-by: ruriko <[email protected]>

* add operator

Signed-off-by: ruriko <[email protected]>

* add observer

Signed-off-by: ruriko <[email protected]>

* fix public key loading

Signed-off-by: ruriko <[email protected]>

* update operator to deploy observer

Signed-off-by: ruriko <[email protected]>

* add utility scripts

* fix observer bug

Signed-off-by: ruriko <[email protected]>

* add flag for installing observer

Signed-off-by: ruriko <[email protected]>

* fix observer log and enable to show provenance log

Signed-off-by: ruriko <[email protected]>

* add operator bundle

* update version of k8s-manifest-sigstore

* fix log scripts

Signed-off-by: ruriko <[email protected]>

* fix to delete cluster scope

Signed-off-by: ruriko <[email protected]>

* fix operator to check constraint template crd is available

* update k8s-manifest-sigstore version and update server to generate deny events

Signed-off-by: ruriko <[email protected]>

* fix event and constraint template

Signed-off-by: ruriko <[email protected]>

* fix constraint template

Signed-off-by: ruriko <[email protected]>

* refine server role

Signed-off-by: ruriko <[email protected]>

* fix error handling

Signed-off-by: ruriko <[email protected]>

* update k8s-manifest-sigstore version

Signed-off-by: ruriko <[email protected]>

* enable to verify pgp/x509 signature

Signed-off-by: ruriko <[email protected]>

* update observer to export results to verifyresourcestatus

Signed-off-by: ruriko <[email protected]>

* update go.mod

Signed-off-by: ruriko <[email protected]>

* update go.mod

Signed-off-by: ruriko <[email protected]>

* handle nil observer config

Signed-off-by: ruriko <[email protected]>

* fix lint error

Signed-off-by: ruriko <[email protected]>

* rename inspector to observer and fix observer config

Signed-off-by: ruriko <[email protected]>

* enable constraint config to control enforce/inform mode per constraint (#14)

* fix typo

Signed-off-by: ruriko <[email protected]>

* update to enforce/observe according to constraint config

Signed-off-by: ruriko <[email protected]>

* enable image verification

Signed-off-by: ruriko <[email protected]>

* rename ishield-server to shield and change dir structure

Signed-off-by: ruriko <[email protected]>

* rename dir

Signed-off-by: ruriko <[email protected]>

* organize dir/files

Signed-off-by: ruriko <[email protected]>

* organize dir/files

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Steve Martinelli <[email protected]>
Co-authored-by: Yuji Watanabe <[email protected]>
Co-authored-by: imgbot[bot] <31301654+imgbot[bot]@users.noreply.github.com>
Co-authored-by: ImgBotApp <[email protected]>

* fix go.mod error and update crd version

Signed-off-by: ruriko <[email protected]>

* update apiVersion of IntegrityShield CRD to v1 (#345)

* change IntegrityShield CRD apiVersion to v1

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update Makefile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* fix default value in CR (#349)

Signed-off-by: ruriko <[email protected]>

* enable to use private rekor server (#350)

Signed-off-by: ruriko <[email protected]>

* enable image verification with a cosign verify-manifest function (#346)

* add image package and implement image profile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verification

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* add sample constraint with image profile

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verify codes

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* update image verify codes

Signed-off-by: Hirokuni-Kitahara1 <[email protected]>

* fix small err in cr

Signed-off-by: ruriko <[email protected]>

* enforce/inform mode can be set for each constraint (#351)

* move constraint enforce setting into constraint parameter

Signed-off-by: ruriko <[email protected]>

* update operator-sdk version

Signed-off-by: ruriko <[email protected]>

* changed to appropriate name/parameters (#352)

* rename custom resource for reporting observation results

Signed-off-by: ruriko <[email protected]>

* fix action param name

Signed-off-by: ruriko <[email protected]>

* update bundle

Signed-off-by: ruriko <[email protected]>

* remove 'server' from all parameters

Signed-off-by: ruriko <[email protected]>

* fix value in local cr

Signed-off-by: ruriko <[email protected]>

* change api and observer roles to the minimum privileges (#353)

Signed-off-by: ruriko <[email protected]>

* updated request handler (#354)

* enable inScopeUsers

Signed-off-by: ruriko <[email protected]>

* fix err message

Signed-off-by: ruriko <[email protected]>

* resolve cosign warning message

Signed-off-by: ruriko <[email protected]>

* add e2e test (#355)

* fix crd scope

Signed-off-by: ruriko <[email protected]>

* add e2e-test

Signed-off-by: ruriko <[email protected]>

* remove unneeded files

Signed-off-by: ruriko <[email protected]>

* remove unneeded variable

Signed-off-by: ruriko <[email protected]>

* Unit test/prep move (#356)

* add unit-test

Signed-off-by: ruriko <[email protected]>

* fix Makefile for unit-test

Signed-off-by: ruriko <[email protected]>

* fix image registry name in unit-test

Signed-off-by: ruriko <[email protected]>

* Fixes to make travis build complete successfully

* Fixes to make travis build complete successfully

* update makefile

Signed-off-by: ruriko <[email protected]>

* Fixes to make travis build complete successfully - fixed image push script

* update observer (#358)

* add image verification to observer

Signed-off-by: ruriko <[email protected]>

* add param to change provenance option, update observer result detail for web ui

Signed-off-by: ruriko <[email protected]>

* fix operator

Signed-off-by: ruriko <[email protected]>

* update csv

Signed-off-by: ruriko <[email protected]>

* remove vulnerable package

Signed-off-by: ruriko <[email protected]>

* update operator (#359)

* change to use tmp cr to test with latest image tag

Signed-off-by: ruriko <[email protected]>

* update to use csv version as image tag

Signed-off-by: ruriko <[email protected]>

* fix csv

Signed-off-by: ruriko <[email protected]>

* update operator (#360)

* enable to handle unexpected value in image fields

Signed-off-by: ruriko <[email protected]>

* fix the handling of incorrect image definitions

Signed-off-by: ruriko <[email protected]>

* fix build func for observer deployment

Signed-off-by: ruriko <[email protected]>

* update e2e-test for support remote env

Signed-off-by: ruriko <[email protected]>

* updated not to create psp

Signed-off-by: ruriko <[email protected]>

* fixed implementation error

Signed-off-by: ruriko <[email protected]>

* unify ISHIELD_OP_NS with ISHIELD_NS

Signed-off-by: ruriko <[email protected]>

* fixed implementation error

Signed-off-by: ruriko <[email protected]>

* fix makefile

Signed-off-by: ruriko <[email protected]>

* resolve conflicts

Signed-off-by: ruriko <[email protected]>

Co-authored-by: Tsu Phin Hee <[email protected]>
Co-authored-by: Yuji Watanabe <[email protected]>
Co-authored-by: [email protected] <[email protected]>
Co-authored-by: hirokuni <[email protected]>
Co-authored-by: Gus Parvin <[email protected]>
Co-authored-by: Will Kutler <[email protected]>
Co-authored-by: William Kutler <[email protected]>
Co-authored-by: Steve Martinelli <[email protected]>
Co-authored-by: imgbot[bot] <31301654+imgbot[bot]@users.noreply.github.com>
Co-authored-by: ImgBotApp <[email protected]>
Co-authored-by: OpenShift Merge Robot <[email protected]>
12 people authored Oct 1, 2021
1 parent e388584 commit 73c46f4
Showing 527 changed files with 18,692 additions and 34,014 deletions.
5 changes: 2 additions & 3 deletions .travis.yml
@@ -4,7 +4,7 @@ service:
- docker

go:
- "1.14.x"
- "1.16.x"

os:
- linux
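Review bot: the `"1.16.x"` selector on the `go:` line floats on whatever 1.16 patch release the Travis image happens to ship, so two runs of the same commit can build with different toolchains and a CI pass is not reproducible; pin the exact patch version that was tested. The bump from `"1.14.x"` also needs the `go` directive in go.mod raised to match, which this hunk does not show.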
@@ -80,8 +80,7 @@ jobs:
make component/test/e2e
- stage: publish
name: "Publish the image to quay with an official version/sha tag and publish entry to integration pipeline stage"
if: env(ENABLE_PUBLISH) = true AND branch = master
#type = push AND branch = master
if: env(ENABLE_PUBLISH) = true AND branch =~ /^release-[0-9]+\..*$/
script:
- |
make init
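Review bot: the new `if:` on the publish stage has no `type = push` clause, so a pull_request build whose target branch matches `^release-[0-9]+\..*$` also satisfies `env(ENABLE_PUBLISH) = true AND branch =~ /^release-[0-9]+\..*$/`; restrict it to pushes as the commented-out line intended, and delete `#type = push AND branch = master`, which is now dead config. The trailing `\..*$` also accepts anything after the dot (a branch like `release-1.x-test` would publish), so `^release-[0-9]+\.[0-9]+$` is tighter; since this stage pushes images to quay, branch protection should cover `release-*` the same way it covered `master`.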
13 changes: 13 additions & 0 deletions CatalogSource.yaml
@@ -0,0 +1,13 @@
apiVersion: operators.coreos.com/v1alpha1
kind: CatalogSource
metadata:
name: new-integrity-shield-operator-catalog
namespace: openshift-marketplace # olm
spec:
displayName: Integrity Shield++ Operator
image: gcr.io/clean-resource-318209/integrity-shield-operator-index:0.2.5
publisher: IBM
sourceType: grpc
updateStrategy:
registryPoll:
interval: 45m
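Review bot: `image: gcr.io/clean-resource-318209/integrity-shield-operator-index:0.2.5` is referenced by a mutable tag while `registryPoll.interval: 45m` makes OLM re-pull it every 45 minutes, so the catalog content, and the operator bundles it resolves to, can change without any change to this repository; reference the index by digest (`integrity-shield-operator-index@sha256:<digest>`) or document why the tag is treated as immutable. The `# olm` comment on `namespace: openshift-marketplace` should also be expanded to say what it refers to, since the line reads as an instruction the reader cannot follow.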
255 changes: 102 additions & 153 deletions Makefile

Large diffs are not rendered by default.

131 changes: 72 additions & 59 deletions README.md
@@ -1,63 +1,76 @@
# Integrity Shield (IShield)

Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It includes signature based configuration drift prevention based on [Admission Webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) on Kubernetes cluster.

## Goal
The goal of Integrity Shield is to provide assurance of the integrity of Kubernetes resources.
Resources on a Kubernetes cluster are defined in various form of artifacts such as YAML files, Helm charts, Operator, etc., but those artifacts may be altered maliciously or unintentionally before deploying them to cluster.
This could be an integrity issue. For example, some artifact may be modified to inject malicous scripts and configurations inside in stealthy manner, then admininstrator may be in risk of deploying it without knowing the falsification.

Integrity Shield (IShield) provides signature-based assurance of integrity for Kubernetes resources at cluster side. IShield works as an Admission Controller which handles all incoming Kubernetes admission requests, verifies if the requests attached a signature, and blocks any unauthorized requests according to the shield policy before actually persisting in etcd. will helps cluster adminstrator to ensure
- Allow to deploy authorized application pakcages only
- Allow to use signed deployment params only
- Zero-drift in resource configuration unless allowed explicitly
- Perform all integrity verification on cluster (admission controller, not in client side)
- Handle variations in application packaging and deployment (Helm /Operator /YAML / OLM Channel) with no modification in app installer
# integrity-shield
Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It provides signature-based assurance of integrity for Kubernetes resources at cluster side.

Integrity Shield works with OPA/Gatekeeper, verifies if the requests attached a signature, and blocks any unauthorized requests according to the constraint before actually persisting in etcd.
Also, you can use the [admission controller](./webhook/admission-controller/README.md) instead of OPA/Gatekeeper.

![Scenario](./docs/ishield-scenario.png)

## Quick Start
See [Quick Start](./docs/README_QUICK.md)

## Supported Platforms

Integrity Shield works as Kubernetes Admission Controller using Mutating Admission Webhook, and it can run on any Kubernetes cluster by design.
IShield can be deployed with operator. We have verified the feasibility on the following platforms:

- [RedHat OpenShift 4.5 and 4.6](https://www.openshift.com/)
- [RedHat OpenShift 4.3 on IBM Cloud (ROKS)](https://www.openshift.com/products/openshift-ibm-cloud)
- [IBM Kuberenetes Service (IKS)](https://www.ibm.com/cloud/container-service/) 1.17.14
- [Minikube v1.19.1](https://kubernetes.io/docs/setup/learning-environment/minikube/)

## How Integrity Shield works
- Resources to be protected in each namespace can be defined in the custom resource called `ResourceSigningProfile`. For example, the following snippet shows an example definition of protected resources in a namespace. This `ResourceSigningProfile` resource includes the matching rule for specifiying resources to such as ConfigMap, Depoloyment, and Service in a namespace `secure-ns`, which is protected by , so any matched request to create/update those resources are verified with signature. (see [Define Protected Resources](./docs/README_FOR_RESOURCE_SIGNING_PROFILE.md))
```yaml
apiVersion: apis.integrityshield.io/v1alpha1
kind: ResourceSigningProfile
metadata:
name: sample-rsp
spec:
targetNamespaceSelector:
include:
- "secure-ns"
exclude:
- "kube-*"
protectRules:
- match:
- kind: ConfigMap
## integrity shield api

Integrity shield api includes the main logic to verify admission requests.
Integrity shield api receives a k8s resource from OPA/Gatekeeper, validates the resource which is included in the admission request based on the profile and sends the verification result to OPA/Gatekeeper.
Integrity shield api uses [k8s-manifest-sigstore](https://github.com/sigstore/k8s-manifest-sigstore) internally to verify k8s manifest.

You can enable the protection by integrity shield with a few simple steps.
Please see [Usage](./shield/README.md).

## gatekeeper constraint
Integrity shield works with OPA/Gatekeeper by installing ConstraintTemplate(`template-manifestintegrityconstraint.yaml` ).
We use [constraint framework](https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#constraints) of OPA/Gatekeeper to define the resources to be protected.

For example, the following snippet shows an example definition of protected resources in a namespace.
```
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: ManifestIntegrityConstraint
metadata:
name: deployment-constraint
spec:
match:
kinds:
- kinds: ["Deployment"]
apiGroups: ["apps"]
namespaces:
- "sample-ns"
parameters:
inScopeObjects:
- name: sample-app
signers:
- [email protected]
ignoreFields:
- objects:
- kind: Deployment
- kind: Service
```
- Adminssion request to the protected resources is blocked at Mutating Admission Webhook, and the request is allowed only when the valid signature on the resource in the request is provided.
- Signer can be defined for each namespace independently. Signer for cluster-scope resources can be also defined. (see [Signer Configuration](./docs/README_SIGNER_CONFIG.md).)
- Signature is provided in the form of separate signature resource or annotation attached to the resource. (see [How to Sign Resources](./docs/README_RESOURCE_SIGNATURE.md))
- Integrity Shield admission controller is installed in a dedicated namespace (e.g. `integrity-shield-operator-system` in this document). It can be installed by operator. (see [Integrity Shield Custom Resource](./docs/README_ISHIELD_OPERATOR_CR.md) for detail install options.)

## Quick Start
See [Quick Start](./docs/README_QUICK.md)
fields:
- spec.replicas
```
`ManifestIntegrityConstraint` resource includes the parameters field. In the parameters field, you can configure the profile for verifying resources such as ignoreFields for allowing some requests that match this rule, signers, and so on.

## admission controller
This is an admission controller for verifying k8s manifest with sigstore signing. You can use this admission controller instead of OPA/Gatekeeper.
In this case, you can decide which resources to be protected in the custom resource called `ManifestIntegrityProfile` instead of OPA/Gatekeeper constraint.

The following snippet is an example of `ManifestIntegrityProfile`.
```
apiVersion: apis.integrityshield.io/v1alpha1
kind: ManifestIntegrityProfile
metadata:
name: profile-configmap
spec:
match:
kinds:
- kinds:
- ConfigMap
namespaces:
- sample-ns
parameters:
ignoreFields:
- fields:
- data.comment
objects:
- kind: ConfigMap
signers:
- [email protected]
```

You can set up the admission controller with a few simple steps. Please see [admission controller](./webhook/admission-controller/README.md).
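Review bot: the sentence "you can configure the profile for verifying resources such as ignoreFields for allowing some requests that match this rule, signers, and so on" understates what `ignoreFields` does; the fields listed there (`spec.replicas` for `Deployment` in the constraint example, `data.comment` for `ConfigMap` in the profile example) are excluded from signature verification, so a change to them is admitted without a new signature, and the README should say that plainly because it is the setting that relaxes the policy. The two new example blocks open with a bare ``` while the removed `ResourceSigningProfile` example used ```yaml; tag them `yaml`. The `## Supported Platforms` section (OpenShift 4.5 and 4.6, ROKS, IKS 1.17.14, Minikube v1.19.1) is removed without replacement; if the new design has been verified on any platform, keep an updated version of that list rather than dropping it.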

4 changes: 4 additions & 0 deletions SECURITY.md
@@ -0,0 +1,4 @@
# Security Response

If you find a security issue that you want to address confidentially, contact the Red Hat product Security team.
Details at https://access.redhat.com/security/team/contact
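Review bot: "Red Hat product Security team" should read "Red Hat Product Security team", and the `Details at` line needs a full stop. More importantly, the text only covers issues the reporter "want[s] to address confidentially"; state explicitly that security issues must not be filed as public GitHub issues, and, if the team has one, how a report is acknowledged and in what timeframe.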
4 changes: 2 additions & 2 deletions build/build_bundle.sh
@@ -143,6 +143,6 @@ elif [ "${ISHIELD_ENV}" = "local" ]; then
fi
echo "Completed building bundle and index"

targetFile="${SHIELD_OP_DIR}/bundle.Dockerfile"
licenseFile="${SHIELD_OP_DIR}/license.txt"
targetFile="${SHIELD_OP_DIR}bundle.Dockerfile"
licenseFile="${SHIELD_OP_DIR}license.txt"
$ISHIELD_REPO_ROOT/build/add_license.sh $targetFile $licenseFile
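Review bot: dropping the `/` in `"${SHIELD_OP_DIR}bundle.Dockerfile"` and `"${SHIELD_OP_DIR}license.txt"` makes the script depend on `SHIELD_OP_DIR` always carrying a trailing slash; if it is ever exported without one, the paths collapse into `<dir>bundle.Dockerfile` and `<dir>license.txt` and the license header is added to the wrong file or to nothing. `"${SHIELD_OP_DIR%/}/bundle.Dockerfile"` works whether or not the slash is present. The call `$ISHIELD_REPO_ROOT/build/add_license.sh $targetFile $licenseFile` should also quote its variables so a path containing spaces is not word-split.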
