feat: added policies chart to verify image signature/provenance (#282)

* feat: added policies chart to verify image signature/provenance

* install kyverno first

.github/workflows/ci.yaml

@@ -91,5 +91,12 @@ jobs:
             --set=nodeExporter.enabled=false \
             --set=grafana.enabled=false
 
+      - name: Install Kyverno
+        if: ${{ steps.list-changed.outputs.changed == 'true' }}
+        run: |
+          helm install kyverno oci://ghcr.io/kyverno/charts/kyverno \
+            --namespace=kyverno \
+            --create-namespace
+
       - name: Run chart-testing (install)
         run: ct install --config .github/ct/install.yaml

.mega-linter.yml

@@ -15,6 +15,8 @@ DISABLE_LINTERS:
   - SPELL_CSPELL
   - REPOSITORY_KICS
   - SPELL_LYCHEE
+  - YAML_V8R
+  - JSON_V8R
 
 SHOW_ELAPSED_TIME: true
 FILEIO_REPORTER: false

charts/policies/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

charts/policies/Chart.yaml

@@ -0,0 +1,26 @@
+apiVersion: v2
+name: policies
+description: A Helm chart for deploying Kyverno policies verifying images of the github.com/miracum organization.
+type: application
+home: https://github.com/miracum/charts
+keywords:
+  - kyverno
+sources:
+  - https://github.com/miracum/charts
+maintainers:
+  - name: miracum
+deprecated: false
+kubeVersion: ">= 1.25.0"
+version: 0.1.0
+annotations:
+  artifacthub.io/license: Apache-2.0
+  artifacthub.io/containsSecurityUpdates: "false"
+  artifacthub.io/operator: "false"
+  artifacthub.io/prerelease: "false"
+  artifacthub.io/recommendations: |
+    - url: https://artifacthub.io/packages/helm/kyverno/kyverno
+  # When using the list of objects option the valid supported kinds are
+  # added, changed, deprecated, removed, fixed and security.
+  artifacthub.io/changes: |
+    - kind: added
+      description: initial release

charts/policies/README.md

@@ -0,0 +1,31 @@
+# policies
+
+![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+
+A Helm chart for deploying Kyverno policies verifying images of the github.com/miracum organization.
+
+**Homepage:** <https://github.com/miracum/charts>
+
+## Installation
+
+```sh
+$ helm upgrade --install policies oci://ghcr.io/miracum/charts/policies --create-namespace -n policies
+```
+
+## Values
+
+| Key                     | Type   | Default                  | Description |
+| ----------------------- | ------ | ------------------------ | ----------- |
+| failurePolicy           | string | `"Fail"`                 |             |
+| fullnameOverride        | string | `""`                     |             |
+| images[0]               | string | `"fhir-gateway"`         |             |
+| images[1]               | string | `"fhir-pseudonymizer"`   |             |
+| images[2]               | string | `"loinc-conversion"`     |             |
+| images[3]               | string | `"vfps"`                 |             |
+| images[4]               | string | `"obds-to-fhir"`         |             |
+| images[5]               | string | `"ohdsi-cohort-sync"`    |             |
+| images[6]               | string | `"ahd2fhir"`             |             |
+| images[7]               | string | `"kafka-fhir-to-server"` |             |
+| nameOverride            | string | `""`                     |             |
+| validationFailureAction | string | `"enforce"`              |             |
+| webhookTimeoutSeconds   | int    | `30`                     |             |

charts/policies/README.md.gotmpl

@@ -0,0 +1,17 @@
+{{ template "chart.header" . }}
+
+{{ template "chart.typeBadge" . }}
+
+{{ template "chart.deprecationWarning" . }}
+
+{{ template "chart.description" . }}
+
+{{ template "chart.homepageLine" . }}
+
+## Installation
+
+```sh
+$ helm upgrade --install policies oci://ghcr.io/miracum/charts/policies --create-namespace -n policies
+```
+
+{{ template "chart.valuesSection" . }}

charts/policies/templates/NOTES.txt

@@ -0,0 +1 @@
+Done.

charts/policies/templates/_helpers.tpl

@@ -0,0 +1,51 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "policies.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "policies.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "policies.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "policies.labels" -}}
+helm.sh/chart: {{ include "policies.chart" . }}
+{{ include "policies.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "policies.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "policies.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}

charts/policies/templates/cluster-policy.yaml

@@ -0,0 +1,76 @@
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+  name: {{ include "policies.fullname" . }}
+  labels:
+    {{- include "policies.labels" . | nindent 4 }}
+  annotations:
+    policies.kyverno.io/title: Verify SLSA provenance and image cosign keyless signature
+    policies.kyverno.io/category: Software Supply Chain Security
+    policies.kyverno.io/severity: medium
+    policies.kyverno.io/subject: Pod
+    policies.kyverno.io/minversion: 1.8.3
+    kyverno.io/kyverno-version: 1.11.0
+    kyverno.io/kubernetes-version: "1.25"
+    policies.kyverno.io/description: >-
+      Provenance is used to identify how an artifact was produced
+      and from where it originated. SLSA provenance is an industry-standard
+      method of representing that provenance. This policy verifies that an
+      image has SLSA provenance and was signed by the expected subject and issuer
+      when produced through GitHub Actions.
+spec:
+  validationFailureAction: {{ .Values.validationFailureAction }}
+  webhookTimeoutSeconds: {{ .Values.webhookTimeoutSeconds }}
+  failurePolicy: {{ .Values.failurePolicy }}
+  rules:
+    {{- range $i, $imageName := .Values.images }}
+    - name: check-{{ $imageName }}
+      match:
+        any:
+          - resources:
+              kinds:
+                - Pod
+      verifyImages:
+        # imageReferences sets which images the policy will apply to.
+        # Wildcard values are supported.
+        - imageReferences:
+            - "ghcr.io/miracum/{{ $imageName }}:v*"
+          attestors:
+            # This section declares which attestors are accepted. The subject
+            # below corresponds to the OIDC identity of the container workflow.
+            # The issuer corresponds to the GitHub OIDC server that issues the
+            # identity.
+            - entries:
+                - keyless:
+                    subject: "https://github.com/miracum/.github/.github/workflows/standard-build.yaml@*"
+                    issuer: "https://token.actions.githubusercontent.com"
+                    rekor:
+                      url: https://rekor.sigstore.dev
+                    additionalExtensions:
+                      githubWorkflowTrigger: release
+                      githubWorkflowName: ci
+                      githubWorkflowRepository: miracum/{{ $imageName }}
+          # This section declares some policy conditions acting on the provenance itself.
+          attestations:
+            - predicateType: https://slsa.dev/provenance/v0.2
+              conditions:
+                - all:
+                    # This condition verifies that the image was generated from
+                    # the source repository we expect.
+                    - key: {{` "{{ invocation.configSource.uri }}" `}}
+                      operator: Equals
+                      value: "git+https://github.com/miracum/{{ $imageName }}@refs/tags/v*"
+
+                    # This condition verifies the entrypoint of the workflow.
+                    - key: {{` "{{ invocation.configSource.entryPoint }}" `}}
+                      operator: Equals
+                      value: ".github/workflows/ci.yaml"
+
+                    # This condition verifies that the builder is the builder we
+                    # expect and trust. The following condition can be used
+                    # unmodified. It verifies that the builder is the container
+                    # workflow.
+                    - key: {{` "{{ regex_match('^https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@refs/tags/v[0-9].[0-9].[0-9]$', '{{ builder.id}}') }}" `}}
+                      operator: Equals
+                      value: true
+    {{- end }}

charts/policies/values.yaml

@@ -0,0 +1,19 @@
+# Default values for policies.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+nameOverride: ""
+fullnameOverride: ""
+
+validationFailureAction: enforce
+webhookTimeoutSeconds: 30
+failurePolicy: Fail
+
+images:
+  - fhir-gateway
+  - fhir-pseudonymizer
+  - loinc-conversion
+  - vfps
+  - obds-to-fhir
+  - ohdsi-cohort-sync
+  - ahd2fhir
+  - kafka-fhir-to-server