OpenShift 4 - 为集群配置镜像签名功能，只能运行被签名的本地镜像

《OpenShift 4.x HOL教程汇总》说明：本文已经在OpenShift 4.8环境中验证文章目录配置签名环境安装镜像签名的Operator为集群指定签名用的 sigstore测试验证使用未签名的镜像运行为签名镜像对本地镜像签名参考本文先安装镜像签名 Operator，然后将 docker.io 的镜像导入到 OpenShift 本地，在强制 docker.io 的镜像必须签名。最后使用对

dawnsky.liu

3417人浏览 · 2021-11-13 14:19:52

dawnsky.liu · 2021-11-13 14:19:52 发布

《OpenShift 4.x HOL教程汇总》
说明：本文已经在OpenShift 4.8环境中验证

本文先安装镜像签名 Operator，然后将 docker.io 的镜像导入到 OpenShift 本地，在强制 docker.io 的镜像必须签名。最后使用对来 docker.io 的本地进行签名并运行。

配置签名环境

安装镜像签名的Operator

执行命令下载配置文件

$ git clone https://github.com/liuxiaoyu-git/image-scanning-signing-service.git
$ cd image-scanning-signing-service

为一个worker节点打标签，让它作为运行签名的节点

$ WORKER="$(oc get nodes -l node-role.kubernetes.io/worker --no-headers -o custom-columns=":metadata.name" | head -1)"
$ echo ${WORKER}
$ oc label node ${WORKER} type=builder

查看所有worker节点状态，确认都变成“UPDATED”状态。

$ oc get machineconfigpool -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
master   rendered-master-268f75295029d9dbe6755043c42427b3   True      False      False      3              3                   3                     0                      9d
worker   rendered-worker-8dac6881264caab39329d54ab649abbd   True      False      False      2              2                   2                     0                      9d

创建项目，然后部署 Operator 、签名store及其相关资源。

oc new-project image-management
oc apply -f deploy/crds/imagesigningrequests.cop.redhat.com_imagesigningrequests_crd.yaml
oc apply -f deploy/service_account.yaml
oc apply -f deploy/role.yaml
oc apply -f deploy/role_binding.yaml
oc apply -f deploy/scc.yaml
oc apply -f deploy/secret.yaml
oc apply -f deploy/lab_extras/operator.yaml
oc apply -f deploy/lab_extras/sigstore.yaml

查看部署的pod已经运行。

$ oc get pod -n image-management
NAME                              READY   STATUS      RESTARTS   AGE
image-security-6b9bb96765-4hlp5   1/1     Running     0          21s
sigstore-1-deploy                 0/1     Completed   0          18s
sigstore-1-wh7sj                  1/1     Running     0          16s

为集群指定签名用的 sigstore

获取sigstore的访问route的地址。

$ ROUTE=http://$(oc get route sigstore -o jsonpath='{..spec.host}' -n image-management)

用 $ROUTE 的内容替换 deploy/lab_extras/registry-conf.yaml 文件中的 {{replace_with_sigstore_route}} 部分。
对 deploy/lab_extras/registry-conf.yaml 文件内容进行 base64 编码。

$ base64 deploy/lab_extras/registry-conf.yaml -w 0
ZG9ja2VyOgogICAgIGRvY2tlci5pbzoKICAgICAgICAgc2lnc3RvcmU6IGh0dHA6Ly9zaWdzdG9yZS1pbWFnZS1tYW5hZ2VtZW50LmFwcHMuY2x1c3Rlci04ZDM1LjhkMzUuc2FuZGJveDE0MjAub3BlbnRsYy5jb20gCg==

用上一步返回的字符串结果替换 deploy/lab_extras/trust-machineconifg.yaml 文件中的 {{token}} 部分。
执行命令更新 worker节点，然后查看 worker 的 machineconfigpools 的状态，直到 READYMACHINECOUNT 状态都恢复成正常数量。

$ oc apply -f deploy/lab_extras/trust-machineconifg.yaml
$ oc get machineconfigpool worker -w
NAME     CONFIG                                             UPDATED   UPDATING   DEGRADED   MACHINECOUNT   READYMACHINECOUNT   UPDATEDMACHINECOUNT   DEGRADEDMACHINECOUNT   AGE
worker   rendered-worker-8dac6881264caab39329d54ab649abbd   False     True       False      2              0                   0                     0                      9d
worker   rendered-worker-8dac6881264caab39329d54ab649abbd   False     True       False      2              1                   1                     0                      9d
worker   rendered-worker-8dac6881264caab39329d54ab649abbd   False     True       False      2              1                   1                     0                      9d
worker   rendered-worker-d977c1330ccf9a645aca738a56abe8af   True      False      False      2              2                   2                     0                      9d

测试验证

使用未签名的镜像

进入一个 worker 节点。

$ WORKER="$(oc get nodes -l node-role.kubernetes.io/worker --no-headers -o custom-columns=":metadata.name" | head -1)"
$ oc debug node/${WORKER}
Starting pod/ip-10-0-156-171us-east-2computeinternal-debug ...
To use host binaries, run `chroot /host`
Pod IP: 10.0.156.171
If you don't see a command prompt, try pressing enter.
sh-4.4# chroot /host

查看 /etc/containers/policy.json 和 /etc/containers/registries.d/docker.io.yaml 文件内容，其中包含“docker.io”和“sigstore”相关内容。

sh-4.4# cat /etc/containers/policy.json
{
    "default": [
        {
            "type": "insecureAcceptAnything"
        }
    ],
    "transports": {
        "docker": {
    "docker.io": [
    {
        "type": "signedBy",
        "keyType": "GPGKeys",
        "keyPath": "/root/pubkey.gpg"
    }
]
},
        "docker-daemon": {
    "": [
    {
        "type": "insecureAcceptAnything"
    }
]
}
    }
} 
 
sh-4.4# cat /etc/containers/registries.d/docker.io.yaml
docker:
     docker.io:
         sigstore: http://sigstore-image-management.apps.cluster-8d35.8d35.sandbox1420.opentlc.com

从 “docker.io” 拉镜像，确认提示“** A signature was required, but no signature exists**”。

sh-4.4# podman pull docker.io/library/mysql
Trying to pull docker.io/library/mysql:latest...
Error: Source image rejected: A signature was required, but no signature exists

退出 worker

sh-4.4# exit

运行为签名镜像

创建新项目，然后将来自 “docker.io” 的镜像测试镜像导入到本地，最后基于它创建新应用。

$ oc new-project nginx-test
$ oc import-image nginx --from="docker.io/nginxinc/nginx-unprivileged" --confirm -n nginx-test
$ oc new-app nginx -n nginx-test

查看应用 pod 状态，确认是“ImagePullBackOff” 状态

$ oc get pod -n nginx-test
NAME                    READY   STATUS             RESTARTS   AGE
nginx-9dd546c49-wp682   0/1     ImagePullBackOff   0          25s

查看上一步的 pod 的状态，确认在 Events 中提示“image rejected: A signature was required, but no signature exists”。

$ oc describe pod nginx-9dd546c49-wp682 -n nginx-test
。。。。
Events:
  Type     Reason          Age                 From               Message
  ----     ------          ----                ----               -------
  Normal   Scheduled       109s                default-scheduler  Successfully assigned nginx-test/nginx-9dd546c49-wp682 to ip-10-0-170-27.us-east-2.compute.internal
  Normal   AddedInterface  108s                multus             Add eth0 [10.131.0.18/23] from openshift-sdn
  Warning  Failed          30s (x6 over 107s)  kubelet            Error: ImagePullBackOff
  Normal   Pulling         15s (x4 over 108s)  kubelet            Pulling image "docker.io/nginxinc/nginx-unprivileged@sha256:ed41d4160dd6bf386f5e611a44f6d5467c83e26bb131b459a34459fc5a42e052"
  Warning  Failed          15s (x4 over 108s)  kubelet            Failed to pull image "docker.io/nginxinc/nginx-unprivileged@sha256:ed41d4160dd6bf386f5e611a44f6d5467c83e26bb131b459a34459fc5a42e052": rpc error: code = Unknown desc = Source image rejected: A signature was required, but no signature exists
  Warning  Failed          15s (x4 over 108s)  kubelet            Error: ErrImagePull
  Normal   BackOff         1s (x7 over 107s)   kubelet            Back-off pulling image "docker.io/nginxinc/nginx-unprivileged@sha256:ed41d4160dd6bf386f5e611a44f6d5467c83e26bb131b459a34459fc5a42e052"

对本地镜像签名

查看 deploy/lab_extras/signing-request.yaml 文件内容，它发出对名为 “nginx:latest” 的 ImageStreamTag 的镜像进行签名的请求。

$ more deploy/lab_extras/signing-request.yaml
apiVersion: imagesigningrequests.cop.redhat.com/v1alpha1
kind: ImageSigningRequest
metadata:
  name: nginx-1
spec:
  containerImage:
    kind: ImageStreamTag
    name: nginx:latest
$ oc apply -f deploy/lab_extras/signing-request.yaml -n nginx-test

查看 image-management 的 pod，然后查看名称随机生成的 pod 日志，

$ oc get pod -n image-management
NAME                                   READY   STATUS      RESTARTS   AGE
c3b5f7ff-d047-4f62-a0eb-c57a469cbfab   0/1     Completed   0          57s
image-security-6b9bb96765-hvnvr        1/1     Running     0          9m26s
sigstore-1-m2cq7                       1/1     Running     0          13m
$ oc logs -f c3b5f7ff-d047-4f62-a0eb-c57a469cbfab -n image-management
time="2021-11-12T14:28:15Z" level=error msg="unable to write system event: \"write unixgram @00016->/run/systemd/journal/socket: sendmsg: no such file or directory\""
Trying to pull docker.io/nginxinc/nginx-unprivileged@sha256:ed41d4160dd6bf386f5e611a44f6d5467c83e26bb131b459a34459fc5a42e052...
Getting image source signatures
Copying blob sha256:54247d3512a9e6bc95687e0b652e10044079c9bbf7af9d69fa1d428e41bff84f
Copying blob sha256:0f7e43c994f13c51289d21fc1a72d13fed47631a99ce7b524dfe8d1a45958477
Copying blob sha256:052722e881c1465eb58c9ac2bafc164a254188c9f06bd0933d99757ec992fc00
Copying blob sha256:a330b6cecb98cd2425fd25fce36669073f593b3176b4ee14731e48c05d678cdd
Copying blob sha256:96bc90d52cf2f2f47520455d64faad604a264bcaa579617419087d59b9f84461
Copying blob sha256:3aeee11385fd3301401d6e72c873fcbb9e7dc1a486e793d76d62b0034a27ac3a
Copying blob sha256:5885822443274cc7a636331e79ae9909810cfbe9344c1b93abfc8a78b9e35a3a
Copying config sha256:9f271e225e01a0a3868f080ae7cfaf36a957a79f8141c96c5604352e9629729e
Writing manifest to image destination
Storing signatures
9f271e225e01a0a3868f080ae7cfaf36a957a79f8141c96c5604352e9629729e
Untagged: docker.io/nginxinc/nginx-unprivileged@sha256:ed41d4160dd6bf386f5e611a44f6d5467c83e26bb131b459a34459fc5a42e052
Deleted: 9f271e225e01a0a3868f080ae7cfaf36a957a79f8141c96c5604352e9629729e

查看签名请求对象，其中在 “status” 中有 “message: Image Signed” 。

$ oc get imagesigningrequests nginx-1 -o yaml -n nginx-test
。。。
status:
  conditions:
 - lastTransitionTime: 2021-11-12 14:27:51.956766002 +0000 UTC m=+487.950431898
    message: Signing Pod Launched 'image-management/c3b5f7ff-d047-4f62-a0eb-c57a469cbfab'
    status: "True"
    type: Initialization
 - lastTransitionTime: 2021-11-12 14:28:41.161360642 +0000 UTC m=+537.155026498
    message: Image Signed
    status: "True"
    type: Finished
  endTime: 2021-11-12 14:28:41.161360642 +0000 UTC m=+537.155026498
  phase: Completed
  signedImage: sha256:ed41d4160dd6bf386f5e611a44f6d5467c83e26bb131b459a34459fc5a42e052
  startTime: 2021-11-12 14:27:51.956766002 +0000 UTC m=+487.950431898
  unsignedImage: sha256:ed41d4160dd6bf386f5e611a44f6d5467c83e26bb131b459a34459fc5a42e052

再次查看 nginx-test 项目中的 pod，确认现在是 Running 状态了。如果没有自动部署，可以重新部署一次。

$ oc get pod -n nginx-test
NAME                    READY   STATUS    RESTARTS   AGE
nginx-9dd546c49-wp682   1/1     Running   0          9m28s
$ oc rollout restart deployment/nginx
deployment.apps/nginx restarted

可以用浏览器访问“${ROUTE}/nginxinc”，其中包含签名用的“sigstore”文件。

参考

https://github.com/RedHatDemos/SecurityDemos/blob/master/2021Labs/OpenShiftSecurity/documentation/lab5.adoc
https://github.com/redhat-cop/image-scanning-signing-service.git
https://access.redhat.com/verify-images-ocp4

向您推荐>>Eolink开发者社区

权威｜前沿｜技术｜干货｜国内首个API全生命周期开发者社区

更多推荐

深入理解 Mocha 测试框架：从零实现一个 Mocha

前言什么是自动化测试自动化测试在很多团队中都是Devops环节中很难执行起来的一个环节，主要原因在于测试代码的编写工作很难抽象，99%的场景都需要和业务强绑定，而且写测试代码的编写工作量往往比编写实际业务代码的工作量更多。在一些很多业务场景中投入产出比很低，适合写自动化测试的应该是那些中长期业务以及一些诸如组件一样的基础库。自动化测试是个比较大的概念，其中分类也比较多，比如单元测试，端对端测试，集

云原生

ELK实现containerd的容器日志采集展示【基于logging的全栈监测】

企业级ELK Stack构建介绍

云原生

(20200916 Solved)docker-compose up创建容器自动退出

问题描述如题，创建容器后自动退出了。并且docker start container无效解决方案原因是缺失了控制终端的配置，需要在docker-compose.yml中增加tty:true ，有时候这样也不行，需要再增加一个command:/bin/bash，命令不一定是这个，需要是一个不会退出的命令，然后用-d后台启动容器。Referencesdocker-compose启动容器后自动退出...