This topic guides you through configuring your Tanzu Application Platform (commonly known as TAP) supply chain to sign and verify your image builds.
Use Cosign to configure Tanzu Build Service to sign your container image builds. For instructions, see Configure Tanzu Build Service to sign your image builds.
Create a values.yaml file, and install the Supply Chain Security Tools - Policy Controller. For instructions, see Install Supply Chain Security Tools - Policy Controller.
Create a ClusterImagePolicy that passes Tanzu Application Platform images. It is planned for a future release for these to be signed and verifiable, but currently we recommend creating a policy to pass them. For example:
kubectl apply -f - -o yaml << EOF
---
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: image-policy-exceptions
spec:
  images:
  - glob: registry.example.org/myproject/*
  - glob: REPO-NAME*
  authorities:
  - static:
      action: pass
EOF
Where:

- REPO-NAME is the repository in your registry where Tanzu Build Service dependencies are stored. This is the same value configured as kp_default_repository in your tap-values.yaml or tbs-values.yaml file. Examples:
  - "my-harbor.io/my-project/build-service"
  - "my-dockerhub-user/build-service" or "index.docker.io/my-user/build-service"
  - "gcr.io/my-project/build-service"
Add any unsigned image that must run in your namespace to the previous policy. For example, if you add a Tekton pipeline that runs a Gradle image for testing, you need to add glob: index.docker.io/library/gradle* as another entry under spec.images in the preceding code.

Replace registry.example.org/myproject/* with your target registry for your Tanzu Application Platform images.
Configure and apply a ClusterImagePolicy resource to the cluster to verify image signatures when deploying resources. For instructions, see Create a ClusterImagePolicy resource. For example:
kubectl apply -f - -o yaml << EOF
---
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: example-policy
spec:
  images:
  - glob: registry.example.org/myproject/*
  authorities:
  - key:
      data: |
        -----BEGIN PUBLIC KEY-----
        <content ...>
        -----END PUBLIC KEY-----
EOF
Enable the policy controller verification in your namespace by adding the label policy.sigstore.dev/include: "true" to the namespace resource. For example:

kubectl label namespace YOUR-NAMESPACE policy.sigstore.dev/include=true

Where YOUR-NAMESPACE is the name of your secure namespace.
Note: Supply Chain Security Tools - Policy Controller only validates resources in namespaces that have chosen to opt in.
When you apply the ClusterImagePolicy resource, your cluster requires valid signatures for all images that match the spec.images.glob[] you define in the configuration. For more information about configuring an image policy, see Configuring Supply Chain Security Tools - Policy.
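Before opting a namespace in, it helps to check locally which of the two policies above would match each image a workload pulls, because every matching ClusterImagePolicy must be satisfied and an image that matches none is rejected by the policy controller's default no-match behaviour. The following dry-run checker is an added example, not code from the TAP docs or the policy controller; the glob semantics (`*` does not cross `/`, `**` does, matching is against the full image reference), the sample images and the policy stand-ins are all assumptions.

```python
"""Dry-run checker for ClusterImagePolicy glob coverage (added example).

Assumed glob semantics: '*' matches any run of characters except '/',
'**' also crosses '/', and the glob is tested against the full image
reference (registry/repository:tag or @digest). Confirm against the
policy-controller docs for your version before relying on it.
"""
import re

# Constructed stand-ins for the two policies on this page. REPO-NAME is
# filled with the first example value; the key data is a placeholder.
POLICIES = [
    {"name": "image-policy-exceptions",
     "globs": ["registry.example.org/myproject/*",
               "my-harbor.io/my-project/build-service*"],
     "authority": "static:pass"},
    {"name": "example-policy",
     "globs": ["registry.example.org/myproject/*"],
     "authority": "key:<PUBLIC-KEY-PLACEHOLDER>"},
]


def glob_to_regex(glob: str) -> "re.Pattern[str]":
    """Translate a policy glob into an anchored regex (assumed semantics)."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(".*")          # '**' crosses path separators
            i += 2
        elif glob[i] == "*":
            parts.append("[^/]*")       # '*' stays within one component
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")


def evaluate(image: str, policies=POLICIES) -> dict:
    """Report which policies match an image and what they demand of it."""
    matched = [(p["name"], p["authority"]) for p in policies
               if any(glob_to_regex(g).match(image) for g in p["globs"])]
    return {
        "image": image,
        "matched": matched,
        # A 'key' authority on any matching policy means a signature is
        # required even if another matching policy says static:pass.
        "needs_signature": any(a.startswith("key:") for _, a in matched),
        # No matching policy in an opted-in namespace: rejected by default.
        "rejected_no_match": not matched,
    }
```

Running `evaluate` over the images a Tekton pipeline pulls shows which ones, like the Gradle image mentioned above, still need a glob added to the exceptions policy.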