利用 Tekton 链管理供应链安全
“软件工件的供应链级别”(SLSA) 是一个安全框架。 SLSA 是标准和控制的核对表,用于防止项目,企业或企业中的篡改,提高完整性以及保护软件包和基础结构。 SLSA 使您从安全到尽可能具有弹性,在链中的任何环节。
为了实现 SLSA 级别 3,Tekton 管道正在使用 Tekton 链。 Tekton 链是 Kubernetes 定制资源定义 (CRD) 控制器,可用于管理 Tekton 中的供应链安全性。 有关更多信息,请参阅 Tekton Chains 文档。
在专用工作程序上设置 Tekton 链
使用命令行来安装 Tekton 框架,专用工作程序代理程序框架和 Tekton 链框架。 将 &chains=true 添加到命令行以安装专用工作程序框架。 例如,在 IBM Cloud Kubernetes Service 集群上,可以使用以下命令:
kubectl apply --filename "https://private-worker-service.{REGION}.devops.cloud.ibm.com/install?type=iks&olm=false&chains=true"
请参阅以下示例输出:
namespace/tekton-pipelines created
clusterrole.rbac.authorization.k8s.io/tekton-pipelines-controller-cluster-access created
clusterrole.rbac.authorization.k8s.io/tekton-pipelines-controller-tenant-access created
clusterrole.rbac.authorization.k8s.io/tekton-pipelines-webhook-cluster-access created
role.rbac.authorization.k8s.io/tekton-pipelines-controller created
role.rbac.authorization.k8s.io/tekton-pipelines-webhook created
role.rbac.authorization.k8s.io/tekton-pipelines-leader-election created
role.rbac.authorization.k8s.io/tekton-pipelines-info created
serviceaccount/tekton-pipelines-controller created
serviceaccount/tekton-pipelines-webhook created
clusterrolebinding.rbac.authorization.k8s.io/tekton-pipelines-controller-cluster-access created
clusterrolebinding.rbac.authorization.k8s.io/tekton-pipelines-controller-tenant-access created
clusterrolebinding.rbac.authorization.k8s.io/tekton-pipelines-webhook-cluster-access created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-controller created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-webhook created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-controller-leaderelection created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-webhook-leaderelection created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-info created
customresourcedefinition.apiextensions.k8s.io/clustertasks.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/customruns.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/pipelines.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/pipelineruns.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/resolutionrequests.resolution.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/tasks.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/taskruns.tekton.dev created
customresourcedefinition.apiextensions.k8s.io/verificationpolicies.tekton.dev created
secret/webhook-certs created
validatingwebhookconfiguration.admissionregistration.k8s.io/validation.webhook.pipeline.tekton.dev created
mutatingwebhookconfiguration.admissionregistration.k8s.io/webhook.pipeline.tekton.dev created
validatingwebhookconfiguration.admissionregistration.k8s.io/config.webhook.pipeline.tekton.dev created
clusterrole.rbac.authorization.k8s.io/tekton-aggregate-edit created
clusterrole.rbac.authorization.k8s.io/tekton-aggregate-view created
configmap/config-defaults created
configmap/feature-flags created
configmap/pipelines-info created
configmap/config-leader-election created
configmap/config-logging created
configmap/config-observability created
configmap/config-registry-cert created
configmap/config-spire created
deployment.apps/tekton-pipelines-controller created
service/tekton-pipelines-controller created
namespace/tekton-pipelines-resolvers created
clusterrole.rbac.authorization.k8s.io/tekton-pipelines-resolvers-resolution-request-updates created
role.rbac.authorization.k8s.io/tekton-pipelines-resolvers-namespace-rbac created
serviceaccount/tekton-pipelines-resolvers created
clusterrolebinding.rbac.authorization.k8s.io/tekton-pipelines-resolvers created
rolebinding.rbac.authorization.k8s.io/tekton-pipelines-resolvers-namespace-rbac created
configmap/bundleresolver-config created
configmap/cluster-resolver-config created
configmap/resolvers-feature-flags created
configmap/config-leader-election created
configmap/config-logging created
configmap/config-observability created
configmap/git-resolver-config created
configmap/hubresolver-config created
deployment.apps/tekton-pipelines-remote-resolvers created
horizontalpodautoscaler.autoscaling/tekton-pipelines-webhook created
deployment.apps/tekton-pipelines-webhook created
service/tekton-pipelines-webhook created
customresourcedefinition.apiextensions.k8s.io/batchpolls.devops.cloud.ibm.com created
customresourcedefinition.apiextensions.k8s.io/cryptodetectors.devops.cloud.ibm.com created
customresourcedefinition.apiextensions.k8s.io/pwtaskruns.devops.cloud.ibm.com created
customresourcedefinition.apiextensions.k8s.io/localpipelines.devops.cloud.ibm.com created
customresourcedefinition.apiextensions.k8s.io/workeragents.devops.cloud.ibm.com created
customresourcedefinition.apiextensions.k8s.io/pwaconfigs.devops.cloud.ibm.com created
customresourcedefinition.apiextensions.k8s.io/taskpayloads.devops.cloud.ibm.com created
customresourcedefinition.apiextensions.k8s.io/cdpipelineruns.devops.cloud.ibm.com created
customresourcedefinition.apiextensions.k8s.io/steplogs.devops.cloud.ibm.com created
configmap/private-worker-agent-config-defaults created
deployment.apps/private-worker-agent created
role.rbac.authorization.k8s.io/private-worker-agent created
rolebinding.rbac.authorization.k8s.io/private-worker-agent created
serviceaccount/private-worker-agent created
clusterrolebinding.rbac.authorization.k8s.io/pwa-manager-rolebinding created
clusterrole.rbac.authorization.k8s.io/manager-role created
clusterrolebinding.rbac.authorization.k8s.io/external-secret-update-role created
serviceaccount/external-secret-update-role created
job.batch/extsecret-install-1697655985441 created
namespace/tekton-chains created
secret/signing-secrets created
configmap/chains-config created
deployment.apps/tekton-chains-controller created
clusterrolebinding.rbac.authorization.k8s.io/tekton-chains-controller-cluster-access created
clusterrole.rbac.authorization.k8s.io/tekton-chains-controller-cluster-access created
clusterrole.rbac.authorization.k8s.io/tekton-chains-controller-tenant-access created
clusterrolebinding.rbac.authorization.k8s.io/tekton-chains-controller-tenant-access created
serviceaccount/tekton-chains-controller created
role.rbac.authorization.k8s.io/tekton-chains-leader-election created
rolebinding.rbac.authorization.k8s.io/tekton-chains-controller-leaderelection created
role.rbac.authorization.k8s.io/tekton-chains-info created
rolebinding.rbac.authorization.k8s.io/tekton-chains-info created
configmap/chains-info created
configmap/config-logging created
configmap/tekton-chains-config-observability created
service/tekton-chains-metrics created
接下来,您需要设置用于由 Tekton Chains 签名的专用和公用密钥对。 有关更多信息,请参阅 Tekton Chains 文档。
触发 Tekton 链
要触发管道的 Tekton 链,请将任务结果添加到 Tekton 任务定义。 您需要两个任务结果:
- 名称与
*_IMAGE_DIGEST匹配的名称 - 名称与
*_IMAGE_URL匹配的名称
例如:
...
results:
- name: APP_IMAGE_DIGEST
description: The digest of the built image
- name: APP_IMAGE_URL
description: The url of the built image
...
您的任务需要在其脚本中设置这两个结果。 您还可以使用 Tekton Chains 使用的任何机制。
将认证推送到映像注册表
缺省情况下,Tekton 链配置为将认证和签名保存到 oci 注册表。 如果要更改缺省行为,请编辑位于 tekton-chains 名称空间中的配置映射 chains-config。 有关更多信息,请参阅 Tekton Chains 文档。
验证签名
要验证签名,您可以使用 cosign,如 Chain Signal Provenance Tutorial 中所述。
在受管工作程序上运行时,可以使用专用工作程序端点 https://private-worker-service.{REGION}.devops.cloud.ibm.com/chains/public_key 来检索用于验证的公用密钥。 您可以将此端点返回的内容保存到文件中,并在 cosign 命令行中将该文件用作公用密钥。
下载签名和认证
要获取认证或签名本身,需要将 cosign 工具与命令 download signature 或 download attestation 配合使用。