### Cosign Configuration Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md Example configuration for Connaisseur's values.yaml file using Cosign. ```yaml # the `default` validator is used if no validator is specified in image policy - name: default type: cosign # or other supported validator (e.g. "cosign") trustRoots: # the `default` key is used if no key is specified in image policy - name: default key: | -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvtc/qpHtx7iUUj+rRHR99a8mnGni qiGkmUb9YpWWTS4YwlvwdmMDiGzcsHiDOYz6f88u2hCRF5GUCvyiZAKrsA== -----END PUBLIC KEY----- #cert: | # in case the trust data host is using a self-signed certificate # -----BEGIN CERTIFICATE----- # ... # -----END CERTIFICATE----- #auth: # credentials in case the trust data requires authentication # # either (preferred solution) # secretName: mysecret # reference a k8s secret in the form required by the validator type (check the docs) # # or (only for notaryv1 validator) # username: myuser # password: mypass ``` -------------------------------- ### Connaisseur Output Example Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Example output of 'kubectl get all -n connaisseur' showing running pods, service, deployment, and replicaset. ```bash NAME READY STATUS RESTARTS AGE pod/connaisseur-deployment-78d8975596-42tkw 1/1 Running 0 22s pod/connaisseur-deployment-78d8975596-5c4c6 1/1 Running 0 22s pod/connaisseur-deployment-78d8975596-kvrj6 1/1 Running 0 22s NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/connaisseur-svc ClusterIP 10.108.220.34 443/TCP 22s NAME READY UP-TO-DATE AVAILABLE AGE deployment.apps/connaisseur-deployment 3/3 3 3 22s NAME DESIRED CURRENT READY AGE replicaset.apps/connaisseur-deployment-78d8975596 3 3 3 22s ``` -------------------------------- ### Sign image with Cosign Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md This command demonstrates signing an image using Cosign with a specified private key file. ```bash cosign sign --key cosign.key ${IMAGE} ``` -------------------------------- ### Makefile Install Command Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Command to install Connaisseur using the Makefile. ```bash make install ``` -------------------------------- ### Create and push a test image Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md This snippet shows how to pull, tag, and push a test image using Docker. It includes a placeholder for the image name and a note about Docker Content Trust. ```bash # Typically, IMAGE=//:, like IMAGE=docker.io/securesystemsengineering/demo:test docker pull hello-world docker image tag hello-world ${IMAGE} docker push ${IMAGE} ``` -------------------------------- ### Example Validator and Policy Configuration Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md A minimal example demonstrating validator and policy configuration, including rules for matching images and specifying validators and trust roots. ```yaml application: validators: - name: default # validator 1 trustRoots: - name: default # key 1 key: | ... - name: myvalidator # validator 2 trustRoots: - name: default # key 2 key: | ... - name: mykey # key 3 key: | ... policy: - pattern: "*:*" # rule 1 - pattern: "docker.io/myrepo/*:*" # rule 2 validator: myvalidator - pattern: "docker.io/myrepo/myimg:*" # rule 3 validator: myvalidator with: trustRoot: mykey ``` -------------------------------- ### Attempt to deploy an unsigned image Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md This command demonstrates attempting to deploy an unsigned image, which should be denied by Connaisseur. ```bash kubectl run test --image=${IMAGE} ``` -------------------------------- ### Setup the preliminary hook Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Applies the preliminary hook resources for Connaisseur deployment. ```bash kubectl apply -f deploy.yaml -l "app.kubernetes.io/component=connaisseur-init" -n connaisseur ``` -------------------------------- ### Clone Repository and Navigate Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md Clones the Connaisseur repository and changes the current directory to the repository root. ```bash git clone https://github.com/sse-secure-systems/connaisseur.git cd connaisseur ``` -------------------------------- ### Output of getting the public root key Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/notaryv1.md This is an example of the output when using the get_root_key utility, showing the KeyID and the public key in PEM format. ```bash KeyID: 76d211ff8d2317d78ee597dbc43888599d691dbfd073b8226512f0e9848f2508 Key: -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsx28WV7BsQfnHF1kZmpdCTTLJaWe d0CA+JOi8H4REuBaWSZ5zPDe468WuOJ6f71E7WFg3CVEVYHuoZt2UYbN/Q== -----END PUBLIC KEY----- ``` -------------------------------- ### Install Connaisseur with custom values.yaml Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Installs Connaisseur with a custom 'values.yaml' file for configuration. ```bash helm install connaisseur connaisseur/connaisseur --rollback-on-failure --create-namespace --namespace connaisseur -f values.yaml ``` -------------------------------- ### Prometheus Metrics Example Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/features/metrics.md Example output of the \/metrics endpoint, showing Connaisseur-specific metrics and Go runtime metrics. ```text # HELP connaisseur_requests_admitted_total The total number of admission requests that were admitted # TYPE connaisseur_requests_admitted_total counter connaisseur_requests_admitted_total 3 # HELP connaisseur_requests_denied_total The total number of admission requests that were denied # TYPE connaisseur_requests_denied_total counter connaisseur_requests_denied_total{timeout="false"} 4 # HELP connaisseur_requests_total The total number of admission requests posed to Connaisseur # TYPE connaisseur_requests_total counter connaisseur_requests_total 7 # HELP connaisseur_validations_failed_total The total number of image validations that failed # TYPE connaisseur_validations_failed_total counter connaisseur_validations_failed_total{type="notaryv1",validator_name="dockerhub"} 2 connaisseur_validations_failed_total{type="static",validator_name="deny"} 2 # HELP connaisseur_validations_skipped_total The total number of image validations that were skipped # TYPE connaisseur_validations_skipped_total counter connaisseur_validations_skipped_total{reason="automatic approval of child image reference",type="notaryv1",validator_name="dockerhub"} 2 # HELP connaisseur_validations_successful_total The total number of image validations that were successful # TYPE connaisseur_validations_successful_total counter connaisseur_validations_successful_total{type="notaryv1",validator_name="dockerhub"} 3 # HELP connaisseur_validations_total The total number of image validations performed by Connaisseur # TYPE connaisseur_validations_total counter connaisseur_validations_total{result="error",type="notaryv1",validator_name="dockerhub"} 2 connaisseur_validations_total{result="error",type="static",validator_name="deny"} 2 connaisseur_validations_total{result="success",type="notaryv1",validator_name="dockerhub"} 3 # HELP go_gc_duration_seconds A summary of the wall-time pause (stop-the-world) duration in garbage collection cycles. # TYPE go_gc_duration_seconds summary go_gc_duration_seconds{quantile="0"} 0.000120088 go_gc_duration_seconds{quantile="0.25"} 0.000364499 go_gc_duration_seconds{quantile="0.5"} 0.000666734 go_gc_duration_seconds{quantile="0.75"} 0.001108909 go_gc_duration_seconds{quantile="1"} 0.001615903 go_gc_duration_seconds_sum 0.007242773 go_gc_duration_seconds_count 9 # HELP go_gc_gogc_percent Heap size target percentage configured by the user, otherwise 100. This value is set by the GOGC environment variable, and the runtime/debug.SetGCPercent function. Sourced from \/gc\/gogc:percent. # TYPE go_gc_gogc_percent gauge go_gc_gogc_percent 100 # HELP go_gc_gomemlimit_bytes Go runtime memory limit configured by the user, otherwise math.MaxInt64. This value is set by the GOMEMLIMIT environment variable, and the runtime/debug.SetMemoryLimit function. Sourced from \/gc\/gomemlimit:bytes. # TYPE go_gc_gomemlimit_bytes gauge go_gc_gomemlimit_bytes 9.223372036854776e+18 # HELP go_goroutines Number of goroutines that currently exist. # TYPE go_goroutines gauge go_goroutines 18 # HELP go_info Information about the Go environment. # TYPE go_info gauge go_info{version="go1.25.8"} 1 # HELP go_memstats_alloc_bytes Number of bytes allocated in heap and currently in use. Equals to \/memory\/classes\/heap\/objects:bytes. # TYPE go_memstats_alloc_bytes gauge go_memstats_alloc_bytes 7.347368e+06 # HELP go_memstats_alloc_bytes_total Total number of bytes allocated in heap until now, even if released already. Equals to \/gc\/heap\/allocs:bytes. # TYPE go_memstats_alloc_bytes_total counter go_memstats_alloc_bytes_total 2.361952e+07 # HELP go_memstats_buck_hash_sys_bytes Number of bytes used by the profiling bucket hash table. Equals to \/memory\/classes\/profiling\/buckets:bytes. # TYPE go_memstats_buck_hash_sys_bytes gauge go_memstats_buck_hash_sys_bytes 1.461774e+06 # HELP go_memstats_frees_total Total number of heap objects frees. Equals to \/gc\/heap\/frees:objects + \/gc\/heap\/tiny\/allocs:objects. # TYPE go_memstats_frees_total counter go_memstats_frees_total 164143 # HELP go_memstats_gc_sys_bytes Number of bytes used for garbage collection system metadata. Equals to \/memory\/classes\/metadata\/other:bytes. # TYPE go_memstats_gc_sys_bytes gauge go_memstats_gc_sys_bytes 3.930896e+06 # HELP go_memstats_heap_alloc_bytes Number of heap bytes allocated and currently in use, same as go_memstats_alloc_bytes. Equals to \/memory\/classes\/heap\/objects:bytes. # TYPE go_memstats_heap_alloc_bytes gauge go_memstats_heap_alloc_bytes 7.347368e+06 # HELP go_memstats_heap_idle_bytes Number of heap bytes waiting to be used. Equals to \/memory\/classes\/heap\/released:bytes + \/memory\/classes\/heap\/free:bytes. ``` -------------------------------- ### Generate Cosign key pair Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md Command to generate a public-private key pair for Cosign. ```bash cosign generate-key-pair ``` -------------------------------- ### Connaisseur denial errors Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md Examples of error messages received when Connaisseur denies the deployment of an unsigned image. ```bash Error from server: admission webhook "connaisseur-svc.connaisseur.svc" denied the request: Unable to get root trust data from default. # or Error from server: admission webhook "connaisseur-svc.connaisseur.svc" denied the request: No trust data for image "docker.io/securesystemsengineering/demo:test". # or Error from server: admission webhook "connaisseur-svc.connaisseur.svc" denied the request: could not find signed digest for image "docker.io/securesystemsengineering/demo:test" in trust data. ``` -------------------------------- ### Check Connaisseur Deployment Status Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md Verifies that Connaisseur pods and services are running in the 'connaisseur' namespace. ```bash kubectl get all -n connaisseur ``` -------------------------------- ### Example Cache Configuration Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/features/caching.md This example shows how to configure the cache settings in `charts/connaisseur/values.yaml`, setting the expiry to 15 seconds and disabling caching of errors. ```yaml application: features: cache: expirySeconds: 15 cacheErrors: false ``` -------------------------------- ### Create a self-signed certificate Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/notation.md Example of creating a self-signed certificate using the Notation CLI for testing purposes. ```bash # Create a self-signed certificate notation cert generate-test --default "mykey" ``` -------------------------------- ### Install Connaisseur Helm chart Source: https://github.com/sse-secure-systems/connaisseur/blob/master/charts/connaisseur/README.md Install the Connaisseur Helm chart. ```console helm install connaisseur connaisseur/connaisseur --rollback-on-failure --create-namespace --namespace connaisseur ``` -------------------------------- ### charts/connaisseur/values.yaml Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Example of adding authentication to a validator configuration using a Kubernetes secret. ```yaml auth: secretName: k8ssecret ``` -------------------------------- ### charts/connaisseur/values.yaml Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Example configuration for Connaisseur policies, demonstrating different patterns, validators, and additional parameters. ```yaml application: policy: - pattern: "*:*" - pattern: "docker.io/myrepo/*:*" validator: myvalidator with: trustRoot: mykey - pattern: "docker.io/myrepo/deniedimage:*" validator: deny - pattern: "docker.io/myrepo/allowedimage:v*" validator: allow with: mode: insecureValidateOnly ``` -------------------------------- ### Install Connaisseur via Helm Source: https://github.com/sse-secure-systems/connaisseur/blob/master/README.md Installs Connaisseur using Helm, ensuring rollback on failure and creating the namespace if it doesn't exist. ```bash helm install connaisseur helm --rollback-on-failure --create-namespace --namespace connaisseur ``` -------------------------------- ### charts/connaisseur/values.yaml Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Example configuration for notaryv1 and cosign validators in Connaisseur. ```yaml application: validators: - name: default type: notaryv1 host: notary.docker.io trustRoots: - name: default key: | -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsx28WV7BsQfnHF1kZmpdCTTLJaWe d0CA+JOi8H4REuBaWSZ5zPDe468WuOJ6f71E7WFg3CVEVYHuoZt2UYbN/Q== -----END PUBLIC KEY----- auth: username: superuser password: lookatmeimjumping - name: myvalidator type: cosign trustRoots: - name: mykey key: | -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEIFXO1w6oj0oI2Fk9SiaNJRKTiO9d ksm6hFczQAq+FDdw0istEdCwcHO61O/0bV+LC8jqFoomA28cT+py6FcSYw== -----END PUBLIC KEY----- ``` -------------------------------- ### charts/connaisseur/values.yaml Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Example configuration for static validators (allowlist and denylist) in Connaisseur. ```yaml application: validators: - name: allow type: static approve: true - name: deny type: static approve: false ``` -------------------------------- ### charts/connaisseur/values.yaml Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Example configuration for validating only own images and denying all others, including validator definitions and policy rules. ```yaml application: validators: - name: allow type: static approve: true - name: default type: notaryv1 # or e.g. 'cosign' host: notary.docker.io # only required in case of notaryv1 trustRoots: - name: default key: | # your public key below -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEvtc/qpHtx7iUUj+rRHR99a8mnGni qiGkmUb9YpWWTS4YwlvwdmMDiGzcsHiDOYz6f88u2hCRF5GUCvyiZAKrsA== -----END PUBLIC KEY----- - name: dockerhub_basics type: notaryv1 host: notary.docker.io trustRoots: - name: securesystemsengineering_official key: | -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEsx28WV7BsQfnHF1kZmpdCTTLJaWe d0CA+JOi8H4REuBaWSZ5zPDe468WuOJ6f71E7WFg3CVEVYHuoZt2UYbN/Q== -----END PUBLIC KEY----- policy: - pattern: "*:*" - pattern: "registry.k8s.io/*:*" validator: allow - pattern: "docker.io/securesystemsengineering/*:" validator: dockerhub_basics with: trustRoot: securesystemsengineering_official ``` -------------------------------- ### Environment Variables for Other KMS Providers Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/sigstore_cosign.md Example configuration in values.yaml for injecting environment variables for KMS authentication, such as for Vault. ```yaml charts/connaisseur/values.yaml envs: VAULT_ADDR: myvault.com VAULT_TOKEN: secrettoken ``` -------------------------------- ### Docker Content Trust Configuration Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md Example configuration for Connaisseur's values.yaml file using Docker Content Trust (Notary v1). ```yaml # the `default` validator is used if no validator is specified in image policy - name: default type: notaryv1 # or other supported validator (e.g. "cosign") host: notary.docker.io # configure the notary server to be used trustRoots: # the `default` key is used if no key is specified in image policy - name: default key: | -----BEGIN PUBLIC KEY----- MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELDzXwqie/P66R3gVpFDWMhxOyol5 YWD/KWnAaEIcJVTYUR+21NJSZz0yL7KLGrv50H9kHai5WWVsVykOZNoZYQ== -----END PUBLIC KEY----- #cert: | # in case the trust data host is using a self-signed certificate # -----BEGIN CERTIFICATE----- # ... # -----END CERTIFICATE----- #auth: # credentials in case the trust data requires authentication # # either (preferred solution) # secretName: mysecret # reference a k8s secret in the form required by the validator type (check the docs) # # or (only for notaryv1 validator) # username: myuser # password: mypass ``` -------------------------------- ### Deploy core resources Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Applies the core Connaisseur resources. ```bash kubectl apply -f deploy.yaml -l "app.kubernetes.io/component=connaisseur-core" -n connaisseur ``` -------------------------------- ### Render Kubernetes manifests from Helm templates Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Renders Kubernetes resources from Helm templates into a single 'deploy.yaml' file. ```bash helm template helm -n connaisseur > deploy.yaml ``` -------------------------------- ### Push image with Docker Content Trust Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md This command shows how to push an image while enabling Docker Content Trust, which is necessary for signing. ```bash docker push ${IMAGE} --disable-content-trust=false ``` -------------------------------- ### Run a Docker official image Source: https://github.com/sse-secure-systems/connaisseur/blob/master/charts/connaisseur/README.md Run an official Docker image like hello-world, which should succeed due to default configuration. ```console kubectl run hello-world --image=docker.io/hello-world ``` -------------------------------- ### Generate Docker Content Trust (DCT) root key pair Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/getting_started.md Command to generate a public-private root key pair for Docker Content Trust. ```bash docker trust key generate root ``` -------------------------------- ### Run a Test Image Signed with a Different Key Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/sigstore_cosign.md Kubectl command to run a test image signed with an alternative key. ```bash kubectl run altsigned --image=docker.io/securesystemsengineering/testimage:co-signed-alt ``` -------------------------------- ### Example of detection mode in action Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/features/detection_mode.md Demonstrates how kubectl behaves when an unsigned image is run in detection mode, showing a warning message. ```bash kubectl run unsigned --image=docker.io/securesystemsengineering/testimage:unsigned > Warning: Unable to find signed digest for image docker.io/securesystemsengineering/testimage:unsigned. (not denied due to DETECTION_MODE) > pod/unsigned created ``` -------------------------------- ### Create target namespace Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Creates the 'connaisseur' namespace for the deployment. ```bash kubectl create namespace connaisseur ``` -------------------------------- ### Prometheus Metrics Example Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/features/metrics.md An example of metrics exposed by Connaisseur in Prometheus exposition format. ```text # TYPE process_start_time_seconds gauge process_start_time_seconds 1.77280778538e+09 # HELP process_virtual_memory_bytes Virtual memory size in bytes. # TYPE process_virtual_memory_bytes gauge process_virtual_memory_bytes 1.341710336e+09 # HELP process_virtual_memory_max_bytes Maximum amount of virtual memory available in bytes. # TYPE process_virtual_memory_max_bytes gauge process_virtual_memory_max_bytes 1.8446744073709552e+19 # HELP promhttp_metric_handler_requests_in_flight Current number of scrapes being served. # TYPE promhttp_metric_handler_requests_in_flight gauge promhttp_metric_handler_requests_in_flight 1 # HELP promhttp_metric_handler_requests_total Total number of scrapes by HTTP status code. # TYPE promhttp_metric_handler_requests_total counter promhttp_metric_handler_requests_total{code="200"} 1 promhttp_metric_handler_requests_total{code="500"} 0 promhttp_metric_handler_requests_total{code="503"} 0 ``` -------------------------------- ### Validator Configuration Example Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/adr/ADR-4_modular.md Example of how the 'validators' section in values.yaml might be structured, defining different validation methods. ```yaml validators: - name: "dockerhub-nv2" type: "notaryv2" ... - name: "harbor-nv1" type: "notaryv1" host: "notary.harbor.io" root_keys: - name: "default" key: "..." - name: "cosign" type: "cosign" ... ``` -------------------------------- ### Run an Unsigned Test Image Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/sigstore_cosign.md Kubectl command to run an unsigned test image for comparison. ```bash kubectl run unsigned --image=docker.io/securesystemsengineering/testimage:co-unsigned ``` -------------------------------- ### Complete Semantic Commit Message Example Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/CONTRIBUTING.md An example of a complete commit message following semantic conventions, including fix type, description, body, and footer referencing an issue. ```bash git commit -m "fix: extend registry validation regex to custom ports" -m "The current regex used for validation of the image name does not allow using non-default ports for the image repository name. The regex is extended to optionally provide a port number." -m "Fix #3" ``` -------------------------------- ### Run a Signed Test Image Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/sigstore_cosign.md Kubectl command to run a signed test image for verification. ```bash kubectl run signed --image=docker.io/securesystemsengineering/testimage:co-signed ``` -------------------------------- ### Run Linters Locally Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/CONTRIBUTING.md Commands to run Go linters (gosec and golangci-lint) locally using Docker. ```bash docker run --rm -v $(pwd):/app -w /app/cmd/connaisseur securego/gosec gosec :... docker run --rm -v $(pwd):/app -w /app golangci/golangci-lint golangci-lint run -v --timeout=10m --skip-dirs="test" ``` -------------------------------- ### Makefile Docker Build Command Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Command to build the Connaisseur container image using the Makefile. ```bash make docker ``` -------------------------------- ### Inspect Documentation Changes Locally Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/CONTRIBUTING.md Command to serve documentation locally using Docker and mkdocs-material. ```bash docker run --rm -it -p 8000:8000 -v ${PWD}:/docs squidfunk/mkdocs-material ``` -------------------------------- ### Arm the webhook Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/basics.md Applies the admission webhook resources for Connaisseur. ```bash kubectl apply -f deploy.yaml -l "app.kubernetes.io/component=connaisseur-webhook" -n connaisseur ``` -------------------------------- ### charts/connaisseur/values.yaml Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/sigstore_cosign.md Configuration example for cosign validator with host-specific trust material for private Sigstore infrastructures. ```yaml name: default type: cosign host: rekorPubkey: | -----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY----- ctLogPubkey: | -----BEGIN PUBLIC KEY----- ... -----END PUBLIC KEY----- fulcioCert: | -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- ... ``` -------------------------------- ### Configuring a threshold for required signatures Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/sigstore_cosign.md YAML configuration to set a minimum number of required valid signatures for image admittance. ```yaml - pattern: "*/*:" validator: multicosigner with: trustRoot: "*" threshold: 2 ``` -------------------------------- ### Using wildcard trust root with default threshold Source: https://github.com/sse-secure-systems/connaisseur/blob/master/docs/validators/sigstore_cosign.md YAML configuration to use all defined trust roots for verification when the trustRoot is set to "*". ```yaml - pattern: "*/*:" validator: multicosigner with: trustRoot: "*" ```