<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>policy-controller on</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/tags/policy-controller/</link><description>Recent content in policy-controller on</description><generator>Hugo -- gohugo.io</generator><language>en-US</language><lastBuildDate>Wed, 12 Apr 2023 15:22:20 +0100</lastBuildDate><atom:link href="https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/tags/policy-controller/index.xml" rel="self" type="application/rss+xml"/><item><title>How to Install Sigstore Policy Controller</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/how-to-install-policy-controller/</link><pubDate>Tue, 21 Feb 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/how-to-install-policy-controller/</guid><description>The Sigstore Policy Controller is a Kubernetes admission controller that can verify image signatures and policies. You can define policies using the CUE or Rego policy languages.
This guide will demonstrate how to install the Policy Controller in your Kubernetes cluster and enable policy enforcement.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access. You can set up a local cluster using kind or use an existing cluster.</description></item><item><title>Disallowing Non-Default Capabilities</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-non-default-capabilities-with-policy-controller/</link><pubDate>Thu, 02 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-non-default-capabilities-with-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers with extra capabilities. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running with one or more Linux capabilities from a defined set of safe capability flags.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access.</description></item><item><title>Disallowing Privileged Pods</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-privileged-containers-with-policy-controller/</link><pubDate>Thu, 02 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-privileged-containers-with-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers with elevated privileges. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running without the privileged: true setting.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access. You can set up a local cluster using kind or use an existing cluster.</description></item><item><title>Disallowing Run as Root User</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-run-as-root-user-with-policy-controller/</link><pubDate>Thu, 02 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-run-as-root-user-with-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to prevent running containers as the root user in a Kubernetes cluster. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec, and only allow admission into a cluster if the pod is running as a non-root user.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access.</description></item><item><title>Maximum Container Image Age</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/maximum-image-age-policy-controller/</link><pubDate>Thu, 02 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/maximum-image-age-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a ClusterImagePolicy that checks the maximum age of a container image, verifying that it isn’t older than 30 days. For that, we’ll attempt to create two distroless images: one older than 30 days and a fresh one.
Prerequisites To follow along with this guide, you will need the following:</description></item><item><title>Disallowing Unsafe sysctls</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-unsafe-sysctls-with-policy-controller/</link><pubDate>Wed, 01 Mar 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/disallowing-unsafe-sysctls-with-policy-controller/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to only allow pods that use sysctls to modify kernel behaviour when they run with the safe set of parameters. You will create a ClusterImagePolicy that uses the CUE language to examine a pod spec that uses sysctls, and only allow admission into a cluster if the pod is running with a safe set of parameters.
Prerequisites To follow along with this guide, you will need the following:</description></item><item><title>Verify Signed Chainguard Containers</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/using-policy-controller-to-verify-signed-chainguard-images/</link><pubDate>Wed, 22 Feb 2023 13:11:29 +0829</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/using-policy-controller-to-verify-signed-chainguard-images/</guid><description>This guide demonstrates how to use the Sigstore Policy Controller to verify image signatures before admitting an image into a Kubernetes cluster. In this guide, you will create a ClusterImagePolicy that checks for a keyless Cosign image signature, and then test the admission controller by running a signed nginx image.
Prerequisites To follow along with this guide, you will need the following:
A Kubernetes cluster with administrative access. You can set up a local cluster using kind or use an existing cluster.</description></item><item><title>Limit High or Critical CVEs in your Images Workloads</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/critical-cve-policy/</link><pubDate>Wed, 12 Apr 2023 15:22:20 +0100</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/critical-cve-policy/</guid><description>While Common Vulnerabilities and Exposures (CVEs) are undesirable at any time, the software security standards of certain industries strictly regulate the allowance of high or critical CVEs. For example, in the payment industry, the PCI Security Standards Council requires that all vulnerabilities with a Common Vulnerability Scoring System (CVSS) score higher than 4 are addressed.
For engineers and security professionals working in these contexts, it’s essential to know if container images have high or critical CVEs before deploying them.</description></item><item><title>Rego Policies</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-rego-policies/</link><pubDate>Thu, 12 Jan 2023 15:56:52 -0700</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-rego-policies/</guid><description>The Sigstore Policy Controller supports the Rego Policy Language, which is a declarative policy language that is used to evaluate structured input data such as Kubernetes manifests and JSON documents. This feature enables users to apply policies that can evaluate Kubernetes admission requests and object metadata to make comprehensive decisions about the workloads that are admitted to their clusters. Rego support also enables users to enhance existing cloud-native policies by adding additional software supply chain security checks.</description></item><item><title>Example Policies</title><link>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-policy-examples/</link><pubDate>Fri, 15 Jul 2022 15:22:20 +0100</pubDate><guid>https://deploy-preview-3175--ornate-narwhal-088216.netlify.app/open-source/sigstore/policy-controller/policies/chainguard-enforce-policy-examples/</guid><description>The Sigstore Policy Controller allows users to create their own security policies that can be enforced on Kubernetes clusters. Here are a few example policies to help you get started.
You may also review the Sigstore Policy Controller documentation. In particular, we encourage you to review the Policy Controller documentation relating to the Admission of images to learn how to admit images through the cluster image policy.
Policy enforcing signed containers apiVersion: policy.</description></item></channel></rss>