Cosigned on EKS
What is cosigned?
Okay, why do I want that?
If you can be sure that only code you have authorized runs in your cluster, you make it that much harder to 1) run containers that have not been properly built and validated by your CI systems, and 2) you prevent unauthorized containers from being scheduled.
Being new to EKS, the first step for us was to create an AWS account. After several reCAPTCHAs and adding a credit card, we had a brand new AWS account.
And then the authenticator helper for AWS:
Note: The recommended IAM policies for eksctl are here.
Then create a cluster using the tool:
NOTE: We are using us-west-2 but you can replace this with whatever you want.
After about 20 minutes, this returned:
Sweet. We have a 3-node ARM cluster.
Install from source.
NOTE: We are using us-west-2 but you can replace this to match your cluster's region.
Clone the cosign project locally and let's deploy:
We just created a multi-arch container using ko, and deployed the cosigned webhook to a new namespace called cosign-system. We can look at the running pods:
Let's create a quick app to have something to work with:
Should result in:
Now to sign the image:
And then use the image:
The image was accepted and the job was scheduled, and after a moment, it completed:
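To make the sign-then-admit step above concrete, here is an added Go example (not code from the post or from the cosign project) that models what cosigned does for each container image in a pod: rebuild the Simple Signing payload for the image's digest and check the ECDSA P-256 signature against the cluster's public key, denying the pod if any image fails. The image reference, digest and key pair are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// newPayload builds the Simple Signing JSON that cosign signs. It binds an image
// reference to its digest, so a signature cannot be replayed onto another image.
func newPayload(ref, digest string) []byte {
	b, _ := json.Marshal(map[string]interface{}{"critical": map[string]interface{}{
		"identity": map[string]string{"docker-reference": ref},
		"image":    map[string]string{"docker-manifest-digest": digest},
		"type":     "cosign container image signature",
	}}) // map keys marshal sorted, so the signed bytes are deterministic
	return b
}
// sign hashes the payload with SHA-256 and signs it with ECDSA P-256, cosign's default key type.
func sign(priv *ecdsa.PrivateKey, p []byte) ([]byte, error) {
	h := sha256.Sum256(p)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}
// signedImage is one container image from a pod spec plus the signature found for it (nil if none).
type signedImage struct {
	Ref, Digest string
	Sig         []byte
}
// admit is the webhook decision: every image must carry a signature that verifies
// under the cluster's public key over a payload naming that exact digest.
func admit(pub *ecdsa.PublicKey, images []signedImage) (bool, string) {
	for _, img := range images {
		h := sha256.Sum256(newPayload(img.Ref, img.Digest))
		if !ecdsa.VerifyASN1(pub, h[:], img.Sig) {
			return false, fmt.Sprintf("denied: no valid signature for %s@%s", img.Ref, img.Digest)
		}
	}
	return true, "allowed"
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	digest := "sha256:" + fmt.Sprintf("%064x", 1) // constructed digest, not a real image
	sig, _ := sign(priv, newPayload("example.invalid/app", digest))
	fmt.Println(admit(&priv.PublicKey, []signedImage{{"example.invalid/app", digest, sig}}))
}
```

Because the digest is part of the signed payload, a signature made for one image build does not carry over to a retagged or rebuilt image, which is the property the webhook relies on.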
We will be posting more content on this topic, so stay tuned!