Introduction

Lakom is kubernetes admission controller which purpose is to implement cosign image signature verification with public cosign key. It also takes care to resolve image tags to sha256 digests. A built-in cache mechanism can be enabled to reduce the load toward the OCI registry.

Flags

Lakom admission controller is configurable via command line flags. The trusted cosign public keys and the associated algorithms associated with them are set viq configuration file provided with the flag --lakom-config-path.

Flag Name	Description	Default Value
`--bind-address`	Address to bind to	"0.0.0.0"
`--cache-refresh-interval`	Refresh interval for the cached objects	30s
`--cache-ttl`	TTL for the cached objects. Set to 0, if cache has to be disabled	10m0s
`--contention-profiling`	Enable lock contention profiling, if profiling is enabled	false
`--health-bind-address`	Bind address for the health server	":8081"
`-h`, `--help`	help for lakom
`--insecure-allow-insecure-registries`	If set, communication via HTTP with registries will be allowed.	false
`--insecure-allow-untrusted-images`	If set, the webhook will just return warning for the images without trusted signatures.	false
`--kubeconfig`	Paths to a kubeconfig. Only required if out-of-cluster.
`--lakom-config-path`	Path to file with lakom configuration containing cosign public keys used to verify the image signatures
`--metrics-bind-address`	Bind address for the metrics server	":8080"
`--port`	Webhook server port	9443
`--profiling`	Enable profiling via web interface host:port/debug/pprof/	false
`--tls-cert-dir`	Directory with server TLS certificate and key (must contain a tls.crt and tls.key file
`--use-only-image-pull-secrets`	If set, only the credentials from the image pull secrets of the pod are used to access the OCI registry. Otherwise, the node identity and docker config are also used.	false
`--version`	prints version information and quits; --version=vX.Y.Z... sets the reported version

Lakom Cosign Public Keys Configuration File

Lakom cosign public keys configuration file should be YAML or JSON formatted. It can set multiple trusted keys, as each key must be given a name. The supported types of public keys are RSA, ECDSA and Ed25519. The RSA keys can be additionally configured with a signature verification algorithm specifying the scheme and hash function used during signature verification. As of now ECDSA and Ed25519 keys cannot be configured with specific algorithm.

yaml

publicKeys:
- name: example-public-key
  algorithm: RSASSA-PSS-SHA256
  key: |-
    -----BEGIN PUBLIC KEY-----
    MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPeQXbIWMMXYV+9+j9b4jXTflnpfwn4E
    GMrmqYVhm0sclXb2FPP5aV/NFH6SZdHDZcT8LCNsNgxzxV4N+UE/JIsCAwEAAQ==
    -----END PUBLIC KEY-----

Here:

name is logical human friendly name of the key.
algorithm is the algorithm that has to be used to verify the signature, see Supported RSA Signature Verification Algorithms for the list of supported algorithms.
key is the cryptographic public key that will be used for image signature validation.

Supported RSA Signature Verification Algorithms

RSASSA-PKCS1-v1_5-SHA256: uses RSASSA-PKCS1-v1_5 scheme with SHA256 hash func
RSASSA-PKCS1-v1_5-SHA384: uses RSASSA-PKCS1-v1_5 scheme with SHA384 hash func
RSASSA-PKCS1-v1_5-SHA512: uses RSASSA-PKCS1-v1_5 scheme with SHA512 hash func
RSASSA-PSS-SHA256: uses RSASSA-PSS scheme with SHA256 hash func
RSASSA-PSS-SHA384: uses RSASSA-PSS scheme with SHA384 hash func
RSASSA-PSS-SHA512: uses RSASSA-PSS scheme with SHA512 hash func

Supported Resources for Verification

By default, Lakom validates only Pod resources in the clusters that it covers. However, it also has the capabilities to validate the following Gardener specific resources:

core.gardener.cloud/v1.ControllerDeployments
seedmanagement.gardener.cloud/v1alpha1.Gardenlets
operator.gardener.cloud/v1alpha1.Extensions

IMPORTANT

When deploying Lakom via the helm chart in /charts/lakom, the admissionConfig.rules key can be fully customized to include any of the listed resources above. Make sure that they are registered with the same group & versions as the ones listed above. Any difference will cause Lakom to skip validation and approve the request, making it a security risk.

Resources

Provider Alibaba Cloud

Tutorials

Kubernetes cluster on alicloud with gardener

Provider AWS

Tutorials

Provider Azure

Tutorials

Kubernetes cluster on azure with gardener

Provider Equinix Metal

Provider GCP

Tutorials

Kubernetes cluster on gcp with gardener

proposals

Provider OpenStack

CoreOS/FlatCar OS

SUSE CHost OS

Ubuntu OS

Calico CNI

Cilium CNI

Kubernetes Auditing

Api Reference

Registry Cache

Registry cache

registry-mirror

Certificate Services

Tutorials

DNS Services

Tutorials

Lakom Service

Egress Filtering

Networking Problem Detector

OpenID Connect Services

Node Audit Logging

Concepts

Deployment

Concepts

Deployment

Getting started locally

Proposals

Documents

Proposals

To-Do

Style Guide

Introduction ​

Flags ​

Lakom Cosign Public Keys Configuration File ​

Supported RSA Signature Verification Algorithms ​

Supported Resources for Verification ​

Introduction

Flags

Lakom Cosign Public Keys Configuration File

Supported RSA Signature Verification Algorithms

Supported Resources for Verification