StarlingX/Containers/Applications/app-portieris
Application: portieris-armada-app
Source
Building
- From the Debian Build environment:
build-pkgs -p portieris-helm,python-k8sapp-portieris,stx-portieris-helm
Testing
Portieris works with signed images. One way to work with image signing is to deploy Harbor with Notary:
https://goharbor.io/docs/2.7.0/install-config/run-installer-script/#installation-with-notary
https://goharbor.io/docs/2.7.0/working-with-projects/working-with-images/sign-images/
Portieris is an optional application in StarlingX, not applied by default. To apply the Portieris application, find the application tarball in
/usr/local/share/applications/helm
and upload using
system application-upload /usr/local/share/applications/helm/name-of-portieris-tarball
Create caCert.yaml with the CA certificate for your Notary
caCert: <base64 encoded CA certificate for your Notary>
Apply helm overrides to portieris-certs, setting up the CA cert for your Notary
system helm-override-update portieris portieris-certs portieris --values caCert.yaml
Apply the Portieris application
system application-apply portieris
Create an ImagePolicy (image-policy.yaml) to enforce that images from a certain registry must be signed by a certain notary:
apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy
metadata:
  name: allow-custom
spec:
  repositories:
    - name: "my.harbor.registry.com:12345/*"
      policy:
        trust:
          enabled: true
          trustServer: "https://my.harbor.notary.com:54321"
Apply your ImagePolicy
kubectl apply -f image-policy.yaml
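Added helper for the steps above, not part of the StarlingX app or the wiki: it writes the portieris-certs override (caCert.yaml, with the Notary CA PEM base64-encoded on one line) and the ImagePolicy from the registry pattern and Notary URL, and can decode the override back to check the certificate round-trips. The function names and the sample values are assumptions; a real run points it at the Notary CA file and your own hosts.

```shell
#!/bin/sh
# Hypothetical helpers (not StarlingX code) that produce the two YAML files
# used by "system helm-override-update" and "kubectl apply" in the procedure.
set -eu

# make_cacert_values <ca.pem> <out.yaml>
# Writes "caCert: <base64 of the PEM>" as expected by the portieris-certs chart.
make_cacert_values() {
    pem="$1"; out="$2"
    # Refuse anything that is not a PEM certificate so a wrong file is caught early.
    grep -q 'BEGIN CERTIFICATE' "$pem" || { echo "not a PEM certificate: $pem" >&2; return 1; }
    printf 'caCert: %s\n' "$(base64 < "$pem" | tr -d '\n')" > "$out"
}

# decoded_cacert <values.yaml>
# Recovers the PEM from the override file, for verifying what was encoded.
decoded_cacert() {
    sed -n 's/^caCert: //p' "$1" | base64 -d
}

# make_image_policy <registry-pattern> <notary-url> <out.yaml>
# Emits an ImagePolicy requiring Notary trust for images matching the pattern.
make_image_policy() {
    repo="$1"; notary="$2"; out="$3"
    cat > "$out" <<EOF
apiVersion: portieris.cloud.ibm.com/v1
kind: ImagePolicy
metadata:
  name: allow-custom
spec:
  repositories:
    - name: "$repo"
      policy:
        trust:
          enabled: true
          trustServer: "$notary"
EOF
}
```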
Now Kubernetes deployments/pods should fail if they use an image without proper signing information, with an error like the following:
trust: policy denied the request: Deny "my.harbor.registry.com:12345/test-unsigned/busybox:latest", failed to get content trust information: my.harbor.notary.com:54321 does not have trust data for my.harbor.registry.com:12345/test-unsigned/busybox