Configure image signing and verification in your supply chain

This topic guides you through configuring your Tanzu Application Platform (commonly known as TAP) supply chain to sign and verify your image builds.

What you will do

• Configure your supply chain to sign your image builds.
• Configure an admission control policy to verify image signatures before admitting pods to the cluster.

Configure your supply chain to sign and verify your image builds

1. Use Cosign to configure Tanzu Build Service to sign your container image builds. For instructions, see Configure Tanzu Build Service to sign your image builds.

2. Create a values.yaml file, and install the Supply Chain Security Tools - Policy Controller. For instructions, see Install Supply Chain Security Tools - Policy Controller.

3. Create a ClusterImagePolicy that passes Tanzu Application Platform images. It is planned for a future release for these to be signed and verifiable, but currently we recommend creating a policy to pass them:

   For example:

   kubectl apply -f - -o yaml << EOF
   ---
   apiVersion: policy.sigstore.dev/v1beta1
   kind: ClusterImagePolicy
   metadata:
     name: image-policy-exceptions
   spec:
     images:
     - glob: registry.example.org/myproject/*
     - glob: REPO-NAME*
     authorities:
     - static:
         action: pass
   EOF
   

   Where:

   • REPO-NAME is the repository in your registry where Tanzu Build Service dependencies are stored. This is the exact same value configured in the kp_default_repository inside your tap-values.yaml or tbs-values.yaml files. Examples:

     • Harbor has the form "my-harbor.io/my-project/build-service".
     • Docker Hub has the form "my-dockerhub-user/build-service" or "index.docker.io/my-user/build-service".
     • Google Cloud Registry has the form "gcr.io/my-project/build-service".

   • Add any unsigned image that must run in your namespace to the previous policy. For example, if you add a Tekton pipeline that runs a Gradle image for testing, you need to add glob: index.docker.io/library/gradle* to spec.images.glob in the preceding code.

   • Replace registry.example.org/myproject/* with your target registry for your Tanzu Application Platform images.

4. Configure and apply a ClusterImagePolicy resource to the cluster to verify image signatures when deploying resources. For instructions, see Create a ClusterImagePolicy resource.

   For example:

   kubectl apply -f - -o yaml << EOF
   ---
   apiVersion: policy.sigstore.dev/v1beta1
   kind: ClusterImagePolicy
   metadata:
     name: example-policy
   spec:
     images:
     - glob: registry.example.org/myproject/*
     authorities:
     - key:
         data: |
           -----BEGIN PUBLIC KEY-----
           <content ...>
           -----END PUBLIC KEY-----
   EOF
   

5. Enable the policy controller verification in your namespace by adding the label policy.sigstore.dev/include: "true" to the namespace resource.

   For example:

   kubectl label namespace YOUR-NAMESPACE policy.sigstore.dev/include=true
   

   Where YOUR-NAMESPACE is the name of your secure namespace.

   Note

   Supply Chain Security Tools - Policy Controller only validates resources in namespaces that have chosen to opt in.

When you apply the ClusterImagePolicy resource, your cluster requires valid signatures for all images that match the spec.images.glob[] you define in the configuration. For more information about configuring an image policy, see Configuring Supply Chain Security Tools - Policy.

Next steps

• Consume services on Tanzu Application Platform

Or learn more about Supply Chain Security Tools:

• Overview for Supply Chain Security Tools - Policy
• Configuring Supply Chain Security Tools - Policy
• Supply Chain Security Tools - Policy known issues