cosign-keyless-admission-webhook
Cosign keyless Kubernetes admission webhook
Kubernetes admission webhook that uses cosign verify to check that the subject and issuer of the certificate an image was signed with match what you expect.
Installation
# if you don't already have cert-manager
kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
kubectl apply -k https://github.com/appvia/cosign-keyless-admission-webhook
Usage
In the pod spec, set the annotation subject.cosign.sigstore.dev/CONTAINER_NAME to the expected certificate subject (the OIDC identity the image was signed with, e.g. a GitHub Actions workflow reference) and issuer.cosign.sigstore.dev/CONTAINER_NAME to the expected OIDC issuer, where CONTAINER_NAME is the name of the container in your pod specification. Each container needs its own pair of annotations; the webhook runs cosign verify against that container's image with the subject and issuer you supplied.
Full example
apiVersion: v1
kind: Pod
metadata:
  annotations:
    subject.cosign.sigstore.dev/demo: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demo: https://token.actions.githubusercontent.com
    subject.cosign.sigstore.dev/demoagain: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demoagain: https://token.actions.githubusercontent.com
  name: cosign-keyless-demo
spec:
  containers:
  - image: ghcr.io/chrisns/cosign-keyless-demo:latest
    name: demo
  - image: ghcr.io/chrisns/cosign-keyless-demo:latest
    name: demoagain
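To make the annotation convention concrete, here is an added Go example (written for this page, not the webhook's own code) that does the first half of what an admission webhook has to do: take the Pod object from the admission request, pair every container with its subject and issuer annotations, and turn each pair into the equivalent cosign verify invocation. The sample Pod JSON is constructed inline from the manifest above; the second sample, with an unannotated sidecar, is an assumption added to show the failure mode. The function names (PlanVerifications, CosignArgs) are hypothetical, and the cosign flags shown are the cosign 2.x keyless flags --certificate-identity and --certificate-oidc-issuer. Actually executing cosign (or calling the sigstore library) against the registry is left out so the example runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Annotation prefixes from the webhook's documented convention; the suffix is
// the container name.
const (
	subjectPrefix = "subject.cosign.sigstore.dev/"
	issuerPrefix  = "issuer.cosign.sigstore.dev/"
)

// VerifySpec is one verification the webhook has to perform: this image must
// carry a keyless signature whose certificate has exactly this subject (SAN)
// and was issued by exactly this OIDC issuer.
type VerifySpec struct {
	Container string
	Image     string
	Subject   string
	Issuer    string
}

// pod is the subset of a Pod object needed from the AdmissionReview request.
// initContainers and ephemeralContainers are deliberately left out here; a real
// webhook must apply the same check to them or they become a bypass.
type pod struct {
	Metadata struct {
		Name        string            `json:"name"`
		Annotations map[string]string `json:"annotations"`
	} `json:"metadata"`
	Spec struct {
		Containers []struct {
			Name  string `json:"name"`
			Image string `json:"image"`
		} `json:"containers"`
	} `json:"spec"`
}

// PlanVerifications pairs each container with its annotations. A container
// missing either annotation is a deny, not a skip: an unannotated container
// would otherwise run an unverified image.
func PlanVerifications(podJSON []byte) ([]VerifySpec, error) {
	var p pod
	if err := json.Unmarshal(podJSON, &p); err != nil {
		return nil, fmt.Errorf("decode pod: %w", err)
	}
	var specs []VerifySpec
	for _, c := range p.Spec.Containers {
		subject := p.Metadata.Annotations[subjectPrefix+c.Name]
		issuer := p.Metadata.Annotations[issuerPrefix+c.Name]
		if subject == "" || issuer == "" {
			return nil, fmt.Errorf("container %q: annotations %s%s and %s%s are both required",
				c.Name, subjectPrefix, c.Name, issuerPrefix, c.Name)
		}
		specs = append(specs, VerifySpec{Container: c.Name, Image: c.Image, Subject: subject, Issuer: issuer})
	}
	return specs, nil
}

// CosignArgs renders the cosign CLI command equivalent to one VerifySpec.
func CosignArgs(s VerifySpec) []string {
	return []string{
		"cosign", "verify",
		"--certificate-identity", s.Subject,
		"--certificate-oidc-issuer", s.Issuer,
		s.Image,
	}
}

// SamplePodJSON is the manifest from this page, as the API server would hand
// it to the webhook (constructed sample input).
const SamplePodJSON = `{
  "apiVersion": "v1", "kind": "Pod",
  "metadata": {
    "name": "cosign-keyless-demo",
    "annotations": {
      "subject.cosign.sigstore.dev/demo": "https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main",
      "issuer.cosign.sigstore.dev/demo": "https://token.actions.githubusercontent.com",
      "subject.cosign.sigstore.dev/demoagain": "https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main",
      "issuer.cosign.sigstore.dev/demoagain": "https://token.actions.githubusercontent.com"
    }
  },
  "spec": {"containers": [
    {"name": "demo", "image": "ghcr.io/chrisns/cosign-keyless-demo:latest"},
    {"name": "demoagain", "image": "ghcr.io/chrisns/cosign-keyless-demo:latest"}
  ]}
}`

// UnannotatedPodJSON adds a hypothetical sidecar with no annotations
// (constructed sample input) to show that the pod as a whole is rejected.
const UnannotatedPodJSON = `{
  "metadata": {"name": "sneaky", "annotations": {
    "subject.cosign.sigstore.dev/demo": "https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main",
    "issuer.cosign.sigstore.dev/demo": "https://token.actions.githubusercontent.com"}},
  "spec": {"containers": [
    {"name": "demo", "image": "ghcr.io/chrisns/cosign-keyless-demo:latest"},
    {"name": "sidecar", "image": "docker.io/library/busybox:latest"}
  ]}
}`

func main() {
	specs, err := PlanVerifications([]byte(SamplePodJSON))
	if err != nil {
		fmt.Println("deny:", err)
		return
	}
	for _, s := range specs {
		fmt.Printf("%s: %s\n", s.Container, strings.Join(CosignArgs(s), " "))
	}
	if _, err := PlanVerifications([]byte(UnannotatedPodJSON)); err != nil {
		fmt.Println("deny:", err)
	}
}
```

Two things worth noticing. The identity is matched exactly, so pinning the subject to ...ci.yml@refs/heads/main means an image built by the same workflow from another branch or tag is rejected even though it is signed by the same repository; that is the point of keyless verification, so prefer a pinned ref over loosening the match. And because both annotations are resolved per container, a pod with a missing pair is denied outright rather than having that container silently skipped.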
🚨🚨🚨 WHY THIS MAY NOT WORK FOR YOU 🚨🚨🚨
- Won't work, at least out of the box, with private registries or any registry that requires authentication to pull: you'll have to wire the registry credentials into the webhook deployment's secrets so it can fetch the image signatures.