How to secure Kubernetes deployment with signature verification - Part 2

In the last article, we configured image verification for all namespaces: How to secure Kubernetes deployment with signature verification - Part 1. Connaisseur can also verify images only in specific namespaces. Namespaced validation restricts validation to the namespaces you choose: Connaisseur will only verify the trust of images deployed into the configured namespaces. This greatly supports an initial rollout, either by extending the set of validated namespaces step by step or by excluding specific namespaces for which signatures are not feasible.

Namespaced validation offers two modes:

  • ignore: validate every namespace except those labelled securesystemsengineering.connaisseur/webhook: ignore
  • validate: validate only the namespaces labelled securesystemsengineering.connaisseur/webhook: validate

The desired namespaces must be labelled accordingly, e.g. via:

kubectl label namespaces <namespace> securesystemsengineering.connaisseur/webhook=validate

Configure namespaced validation via the namespacedValidation section in helm/values.yaml:

namespacedValidation:
  enabled: true
  mode: validate

Then upgrade the release so the new values.yaml takes effect:

helm upgrade connaisseur helm -f helm/values.yaml -n connaisseur
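The two modes above decide validation per namespace from one label. As an added example (not code from the article or from the Connaisseur project), the following POSIX shell snippet models that decision for both modes so you can check a rollout plan before applying it, and wraps the kubectl label command from the article for a list of namespaces. The label key and values are the ones the article uses; the KUBECTL variable, the function names and the --overwrite flag usage are my assumptions for this example (KUBECTL=echo gives a dry run).

```shell
#!/bin/sh
# Added example, not from the article or the Connaisseur project.
# Models which namespaces Connaisseur validates under each
# namespacedValidation mode and wraps the kubectl label command.

LABEL_KEY="securesystemsengineering.connaisseur/webhook"

# connaisseur_validates MODE LABEL_VALUE
#   MODE        : "ignore" or "validate" (namespacedValidation.mode)
#   LABEL_VALUE : the namespace's value for $LABEL_KEY, or "" if unset
# Prints "validate" or "skip"; exit status 0 means the namespace is validated.
connaisseur_validates() {
  mode="$1"
  value="$2"
  case "$mode" in
    ignore)
      # Opt-out model: everything is validated unless explicitly ignored.
      if [ "$value" = "ignore" ]; then echo skip; return 1; fi
      echo validate; return 0 ;;
    validate)
      # Opt-in model: only explicitly labelled namespaces are validated.
      if [ "$value" = "validate" ]; then echo validate; return 0; fi
      echo skip; return 1 ;;
    *)
      echo "unknown mode: $mode" >&2; return 2 ;;
  esac
}

# label_namespaces VALUE NS...
#   Applies $LABEL_KEY=VALUE to each namespace (VALUE is "validate" or
#   "ignore"). KUBECTL is assumed to default to kubectl; set KUBECTL=echo
#   to print the commands instead of running them.
label_namespaces() {
  value="$1"; shift
  for ns in "$@"; do
    ${KUBECTL:-kubectl} label namespace "$ns" "$LABEL_KEY=$value" --overwrite
  done
}

# Example rollout plan (dry run): opt the demo namespace into validate mode.
KUBECTL="${KUBECTL:-echo}" label_namespaces validate demo
```

Run the script with KUBECTL unset (the final line then echoes the command) to review the plan, and with KUBECTL=kubectl to apply it; a namespace with any other label value, or no label at all, is skipped in validate mode and validated in ignore mode.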

Example

In this example I add the label to the demo namespace:

kubectl label namespaces demo securesystemsengineering.connaisseur/webhook=validate

When I deploy a pod in the demo namespace, the pod is created successfully:

kubectl run signed-image --image=muradsamadov/contenttrust:signed -n demo
pod/signed-image created

When I deploy a pod in the test namespace, the pod is not created, because I did not label the test namespace:

kubectl run signed-image --image=muradsamadov/contenttrust:signed -n test
Error from server: admission webhook "connaisseur-svc.connaisseur.svc" denied the request: No trust data for image "docker.io/muradsamadov/contenttrust:unsigned".

Mohammad Hasan Hashemi

Entrepreneurial Leader & Cybersecurity Strategist

1 yr

In Part 2, your explanation of namespaced validation with Connaisseur and the two modes (ignore and validate) provides a clear understanding of how to control and restrict image verification to specific namespaces. Your step-by-step guide on how to configure namespaced validation via Helm charts and use labels to designate which namespaces should undergo validation is particularly helpful.
