{"id":781,"date":"2018-08-19T00:05:53","date_gmt":"2018-08-18T22:05:53","guid":{"rendered":"https:\/\/blog.unetresgrossebite.com\/?p=781"},"modified":"2018-09-02T19:09:16","modified_gmt":"2018-09-02T17:09:16","slug":"signing-and-scanning-docker-images-with-openshift","status":"publish","type":"post","link":"https:\/\/blog.unetresgrossebite.com\/?p=781","title":{"rendered":"Signing and Scanning Docker Images with OpenShift"},"content":{"rendered":"<p>You may already know that Docker images can be signed. Today we will discuss a way to automate image signing using OpenShift.<\/p>\n<p>Lately, I stumbled upon a bunch of interesting repositories:<\/p>\n<ul>\n<li><a href=\"https:\/\/github.com\/redhat-cop\/openshift-image-signing-scanning\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/redhat-cop\/openshift-image-signing-scanning<\/a>: <em>an Ansible playbook that configures an OCP cluster, builds a base image, sets up a service account and installs a few templates providing Docker image scanning and signing<\/em><\/li>\n<li><a href=\"https:\/\/github.com\/redhat-cop\/image-scanning-signing-service\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/redhat-cop\/image-scanning-signing-service<\/a>: <em>an optional OpenShift third-party service implementing support for ImageSigningRequest and ImageScanningRequest objects<\/em><\/li>\n<li><a href=\"https:\/\/github.com\/redhat-cop\/openshift-event-controller\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/redhat-cop\/openshift-event-controller<\/a>: <em>sources for an event controller that watches for new images pushed to the OpenShift Docker registry<\/em><\/li>\n<\/ul>\n<p>Although these are amazing, I could not deploy them to my OpenShift Origin due to missing subscriptions and packages.<\/p>\n<div id=\"attachment_785\" style=\"width: 310px\" class=\"wp-caption alignright\"><a 
href=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2018\/08\/image-signing-environment-overview-1.png\"><img aria-describedby=\"caption-attachment-785\" decoding=\"async\" loading=\"lazy\" class=\"wp-image-785 size-medium\" src=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2018\/08\/image-signing-environment-overview-1-300x231.png\" alt=\"image signing environment overview\" width=\"300\" height=\"231\" srcset=\"https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2018\/08\/image-signing-environment-overview-1-300x231.png 300w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2018\/08\/image-signing-environment-overview-1-768x590.png 768w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2018\/08\/image-signing-environment-overview-1-1024x787.png 1024w, https:\/\/blog.unetresgrossebite.com\/wp-content\/uploads\/2018\/08\/image-signing-environment-overview-1.png 1172w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><p id=\"caption-attachment-785\" class=\"wp-caption-text\">image signing environment overview<\/p><\/div>\n<p>In an effort to introduce CentOS support, I forked the first repository from the previous list and started rewriting what I needed:<\/p>\n<p><a href=\"https:\/\/github.com\/faust64\/openshift-image-signing-scanning\" target=\"_blank\" rel=\"noopener\">https:\/\/github.com\/faust64\/openshift-image-signing-scanning<\/a><\/p>\n<p>A typical deployment would involve:<\/p>\n<ul>\n<li>Generating a GPG keypair on some server (not necessarily related to OpenShift)<\/li>\n<li>Depending on your use case, configuring Docker to prevent unsigned images from being run on your main OpenShift hosts<\/li>\n<li>Setting up labels and taints identifying the nodes you trust to sign images, and applying and installing a few templates and a base image<\/li>\n<\/ul>\n<p>At that point, you could either install the event-controller Deployment to watch all of your OpenShift internal 
registry&#8217;s images.<\/p>\n<p>Or, you could integrate image scanning and signing yourself, using the installed templates, as shown in <a href=\"https:\/\/github.com\/redhat-cop\/image-scanning-signing-service\/blob\/master\/ci\/Jenkinsfile\" target=\"_blank\" rel=\"noopener\">a sample Jenkinsfile<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>You may already know Docker images can be signed. Today we would discuss a way to automate images signature, using OpenShift. Lately, I stumbled upon a bunch of interesting repositories: https:\/\/github.com\/redhat-cop\/openshift-image-signing-scanning: ansible playbook configuring an OCP cluster, building a base image, setting up a service account and installing a few templates providing with docker images [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[8,12,10,13,2],"tags":[],"_links":{"self":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/781"}],"collection":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=781"}],"version-history":[{"count":9,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/781\/revisions"}],"predecessor-version":[{"id":792,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=\/wp\/v2\/posts\/781\/revisions\/792"}],"wp:attachment":[{"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=781"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":
"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=781"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.unetresgrossebite.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=781"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}