
Verify Artifacts

Verify images

Karmada has signed its released images with cosign since version v1.7. To verify an image, proceed as follows:

Prerequisites

You need to install the following tools (the cosign CLI and jq, which the commands below use):

Verify image signature

Verify image with cosign CLI

Karmada has published cosign signatures for its images since release 1.7. For the list of published images, see the Karmada images list.

Pick one of those images and verify its signature with the cosign verify command:

cosign verify docker.io/karmada/karmada-aggregated-apiserver:latest \
--certificate-oidc-issuer=https://token.actions.githubusercontent.com \
--certificate-identity-regexp=^https://github.com/karmada-io/karmada/.*$ | jq

If the output looks like the following, the verification succeeded:

Verification for index.docker.io/karmada/karmada-aggregated-apiserver:latest --
The following checks were performed on each of these signatures:
- The cosign claims were validated
- Existence of the claims in the transparency log was verified offline
- The code-signing certificate was verified using trusted certificate authority certificates
[
{
"critical": {
"identity": {
"docker-reference": "index.docker.io/karmada/karmada-aggregated-apiserver"
},
"image": {
"docker-manifest-digest": "sha256:c6d85e111e1ca4da234e87fb48f8ff170c918a0e6893d9ac9e888a4e7cc0056f"
},
"type": "cosign container image signature"
},
"optional": {
"1.3.6.1.4.1.57264.1.1": "https://token.actions.githubusercontent.com",
"1.3.6.1.4.1.57264.1.2": "push",
"1.3.6.1.4.1.57264.1.3": "e5277b6317ac1a4717f5fac4057caf51a5d248fc",
"1.3.6.1.4.1.57264.1.4": "latest image to DockerHub",
"1.3.6.1.4.1.57264.1.5": "karmada-io/karmada",
"1.3.6.1.4.1.57264.1.6": "refs/heads/master",
"Bundle": {
"SignedEntryTimestamp": "MEYCIQD4R9XlhgQkjVAg4XuW857iqkNrSxbQB9k3x4Ie8IshgAIhAILn8m+eOAjYxxcpFU42ghoiiuMnyY+Xda2CBE5WZruq",
"Payload": {
...

Once you have verified an image, reference it in your Pod manifest by its digest rather than by a mutable tag, for example:

registry-url/image-name@sha256:c6d85e111e1ca4da234e87fb48f8ff170c918a0e6893d9ac9e888a4e7cc0056f

For details on how to specify an image digest when pulling an image, see the Kubernetes image pull policy documentation.

Use the admission controller to verify the image signature

Image signature verification can also be enforced at deployment time with the sigstore policy-controller admission controller. Here are some resources to help you get started with policy-controller:
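The following manifest is an added example, not code from the Karmada docs or from the policy-controller project. It ties the two ideas above together: a ClusterImagePolicy that makes policy-controller reject any docker.io/karmada image whose keyless signature was not issued by the GitHub Actions OIDC issuer for the karmada-io/karmada repository (the same issuer and identity regexp used in the cosign verify command), plus a Pod that pins the aggregated apiserver image by the digest printed in the verification output. The policy name, the namespace name and the Pod spec are assumptions; a real deployment needs Karmada's own arguments and configuration from the installation docs.

```yaml
# Added example (not from the Karmada docs or policy-controller).
# Assumes sigstore policy-controller is installed in the cluster; it only
# admits workloads in namespaces carrying the label
# policy.sigstore.dev/include: "true".
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: karmada-images-keyless        # policy name is an assumption
spec:
  images:
    - glob: "index.docker.io/karmada/**"   # every image under the karmada org
  authorities:
    - keyless:
        url: https://fulcio.sigstore.dev
        identities:
          # Same issuer/identity the cosign verify command checks above.
          - issuer: https://token.actions.githubusercontent.com
            subjectRegExp: "^https://github.com/karmada-io/karmada/.*$"
      ctlog:
        url: https://rekor.sigstore.dev    # require a transparency-log entry
---
# Opt the namespace into admission checks (namespace name is an assumption).
apiVersion: v1
kind: Namespace
metadata:
  name: karmada-system
  labels:
    policy.sigstore.dev/include: "true"
---
# Pin the verified image by digest, so a re-tagged "latest" cannot slip in.
# The digest is the docker-manifest-digest from the cosign output above.
apiVersion: v1
kind: Pod
metadata:
  name: karmada-aggregated-apiserver   # illustrative Pod, spec is an assumption
  namespace: karmada-system
spec:
  containers:
    - name: aggregated-apiserver
      image: docker.io/karmada/karmada-aggregated-apiserver@sha256:c6d85e111e1ca4da234e87fb48f8ff170c918a0e6893d9ac9e888a4e7cc0056f
```

With the policy in place, an unsigned image or one signed by a different repository identity is rejected at admission, and the digest reference guarantees the admitted Pod runs exactly the bytes that were verified. Apply it with kubectl apply -f, and confirm enforcement by trying to create a Pod in the labelled namespace with an unsigned image: the API server should return a policy-controller denial.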

SBOM

An SBOM, or Software Bill of Materials, is an inventory of all components within a software resource, such as third-party libraries or modules. It has emerged as a key building block in software security and supply chain risk management.

Starting with release v1.10.2, the SBOM for the Karmada project is available in Karmada's release Assets. By feeding it into different tools, you can obtain:

  • List of Components and Dependencies
  • Version Information
  • Licenses
  • Dependency Trees/Graphs

Below are two examples of using tools to parse karmada's SBOM.

Prerequisites

You need to install the following tools (bom and trivy, which the commands below use):

Then extract sbom.tar.gz to obtain the SBOM it contains:

$ tar -zxvf sbom.tar.gz
sbom-karmada.spdx

View the structure of the information contained in the SBOM

bom document outline renders the SBOM as a tree, which shows how the information it contains is structured.

$ bom document outline sbom-karmada.spdx
_
___ _ __ __| |_ __
/ __| '_ \ / _` \ \/ /
\__ \ |_) | (_| |> <
|___/ .__/ \__,_/_/\_\
|_|

📂 SPDX Document /github/workspace

│ 📦 DESCRIBES 1 Packages

├ /github/workspace
│ │ 🔗 2 Relationships
│ ├ CONTAINS PACKAGE go.mod
│ │ │ 🔗 1 Relationships
│ │ └ CONTAINS PACKAGE github.com/karmada-io/karmada
│ │ │ │ 🔗 186 Relationships
│ │ │ ├ DEPENDS_ON PACKAGE github.com/go-task/slim-sprig@0.0.0-20230315185526-52ccab3ef572
│ │ │ ├ DEPENDS_ON PACKAGE sigs.k8s.io/structured-merge-diff/v4@4.4.1
│ │ │ ├ DEPENDS_ON PACKAGE k8s.io/apimachinery@0.29.4
│ │ │ ├ DEPENDS_ON PACKAGE k8s.io/kube-openapi@0.0.0-20231010175941-2dd684a91f00
......

Scan SBOM for vulnerabilities

Trivy accepts an SBOM as input and scans the components it lists for known vulnerabilities.

$ trivy sbom sbom-karmada.spdx
2024-07-01T17:00:36+08:00 INFO Need to update DB
2024-07-01T17:00:36+08:00 INFO Downloading DB... repository="ghcr.io/aquasecurity/trivy-db:2"
49.28 MiB / 49.28 MiB [-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------] 100.00% 1.26 MiB p/s 39s
2024-07-01T17:01:17+08:00 INFO Vulnerability scanning is enabled
2024-07-01T17:01:17+08:00 INFO Detected SBOM format format="spdx-tv"
2024-07-01T17:01:17+08:00 INFO Number of language-specific files num=3
2024-07-01T17:01:17+08:00 INFO [gobinary] Detecting vulnerabilities...
2024-07-01T17:01:17+08:00 INFO [gomod] Detecting vulnerabilities...
2024-07-01T17:01:17+08:00 INFO [pip] Detecting vulnerabilities...

If the output is as above (no vulnerability table follows the scan messages), the software components and dependencies of the Karmada project have no vulnerabilities known to Trivy's database at the time of the scan. If you wish to ignore vulnerabilities that do not yet have a fixed version, add --ignore-unfixed, e.g.

$ trivy sbom sbom-karmada.spdx --ignore-unfixed
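The bom and trivy commands above consume the SBOM as a whole; the script below is an added example, not part of the Karmada docs or of either tool, showing how to pull the component and version list (the first two items from the list at the top of this section) straight out of the SPDX tag-value file with plain awk, and how to gate a CI run on the trivy scan. The sample SBOM it writes is constructed to mirror the structure of sbom-karmada.spdx (root package, go.mod, the Karmada module and two DEPENDS_ON relationships) and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the Karmada project. Works on SPDX 2.x tag-value
# files such as sbom-karmada.spdx; the sample below is constructed.
SAMPLE_SBOM="$(mktemp)"
trap 'rm -f "$SAMPLE_SBOM"' EXIT
cat > "$SAMPLE_SBOM" <<'EOF'
SPDXVersion: SPDX-2.3
DataLicense: CC0-1.0
SPDXID: SPDXRef-DOCUMENT
DocumentName: /github/workspace

##### Package: go.mod
PackageName: go.mod
SPDXID: SPDXRef-Package-go.mod
PackageDownloadLocation: NOASSERTION

##### Package: github.com/karmada-io/karmada
PackageName: github.com/karmada-io/karmada
SPDXID: SPDXRef-Package-karmada
PackageDownloadLocation: NOASSERTION

##### Package: k8s.io/apimachinery
PackageName: k8s.io/apimachinery
SPDXID: SPDXRef-Package-apimachinery
PackageVersion: 0.29.4
PackageLicenseConcluded: Apache-2.0

##### Package: sigs.k8s.io/structured-merge-diff/v4
PackageName: sigs.k8s.io/structured-merge-diff/v4
SPDXID: SPDXRef-Package-smd
PackageVersion: 4.4.1

Relationship: SPDXRef-DOCUMENT DESCRIBES SPDXRef-Package-go.mod
Relationship: SPDXRef-Package-go.mod CONTAINS SPDXRef-Package-karmada
Relationship: SPDXRef-Package-karmada DEPENDS_ON SPDXRef-Package-apimachinery
Relationship: SPDXRef-Package-karmada DEPENDS_ON SPDXRef-Package-smd
EOF

# Print one "name@version" line per package, in document order. Packages
# without a PackageVersion tag (the root package and go.mod in Karmada's
# SBOM) are kept and marked "(no version)" instead of being silently dropped.
sbom_packages() {
  awk '
    function flush(   v) {
      if (name == "") return
      v = (ver == "") ? "(no version)" : ver
      print name "@" v
    }
    /^PackageName:/    { flush(); name = $2; ver = "" }
    /^PackageVersion:/ { ver = $2 }
    END                { flush() }
  ' "$1"
}

# Number of DEPENDS_ON edges, i.e. the size of the dependency graph
# (186 for the Karmada module in the bom outline above).
sbom_depends_on_count() {
  grep -c '^Relationship: .* DEPENDS_ON ' "$1" || true
}

# Exit 0 if module $2 is listed at exactly version $3, else non-zero. Useful
# for answering "does this release ship the affected version?" quickly.
sbom_has_version() {
  sbom_packages "$1" | grep -qxF -- "$2@$3"
}

# CI gate: fail the pipeline when trivy finds HIGH/CRITICAL issues that already
# have a fix. Not invoked here; needs trivy and network access for its DB.
sbom_trivy_gate() {
  trivy sbom --exit-code 1 --severity HIGH,CRITICAL --ignore-unfixed "$1"
}

# Usage on the constructed file; point these at sbom-karmada.spdx for real data.
echo "packages:"
sbom_packages "$SAMPLE_SBOM"
echo "DEPENDS_ON edges: $(sbom_depends_on_count "$SAMPLE_SBOM")"
if sbom_has_version "$SAMPLE_SBOM" k8s.io/apimachinery 0.29.4; then
  echo "k8s.io/apimachinery 0.29.4 is present"
fi
```

Run it with sh to see the four packages from the sample; replace "$SAMPLE_SBOM" with sbom-karmada.spdx to list Karmada's real dependency set, or wire sbom_trivy_gate into a pipeline so the build fails instead of merely logging findings.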