{"id":25770874,"url":"https://github.com/bobymcbobs/ucore-k8s","last_synced_at":"2025-08-02T08:08:33.579Z","repository":{"id":278072709,"uuid":"934427150","full_name":"BobyMCbobs/ucore-k8s","owner":"BobyMCbobs","description":"ucore with a strict repo-only Sigstore container images policy, kubeadm and kata-containers","archived":false,"fork":false,"pushed_at":"2025-05-05T10:25:25.000Z","size":432,"stargazers_count":0,"open_issues_count":3,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-06-08T16:06:04.581Z","etag":null,"topics":["bootc","kata-containers","kubernetes","rpm-ostree","sigstore","ublue-os","ucore"],"latest_commit_sha":null,"homepage":"https://github.com/BobyMCbobs/ucore-k8s","language":"Just","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BobyMCbobs.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-02-17T20:15:12.000Z","updated_at":"2025-02-22T20:24:13.000Z","dependencies_parsed_at":"2025-02-17T21:31:10.013Z","dependency_job_id":"a2eafc00-c6ef-44cd-90c9-4abf406462e9","html_url":"https://github.com/BobyMCbobs/ucore-k8s","commit_stats":null,"previous_names":["bobymcbobs/ucore-k8s"],"tags_count":0,"template":false,"template_full_name":"ublue-os/image-template","purl":"pkg:github/BobyMCbobs/ucore-k8s","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BobyMCbobs%2Fucore-k8s","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BobyMCbobs%2Fucore-k8s/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repos
itories/BobyMCbobs%2Fucore-k8s/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BobyMCbobs%2Fucore-k8s/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BobyMCbobs","download_url":"https://codeload.github.com/BobyMCbobs/ucore-k8s/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BobyMCbobs%2Fucore-k8s/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":268351475,"owners_count":24236415,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-02T02:00:12.353Z","response_time":74,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["bootc","kata-containers","kubernetes","rpm-ostree","sigstore","ublue-os","ucore"],"created_at":"2025-02-27T02:40:15.902Z","updated_at":"2025-08-02T08:08:33.497Z","avatar_url":"https://github.com/BobyMCbobs.png","language":"Just","funding_links":[],"categories":[],"sub_categories":[],"readme":"# ucore-k8s\n\n# Purpose\n\nDeliver Kubernetes on Fedora CoreOS to test out container runtime classes and only run containers signed using Sigstore.\n\n[Talos](https://talos.dev) is suitable for production, not this!\n\nThis is an experiment. 
Do not use it!\n\n# Components\n\n- Kubernetes\n  - best way to run containers in production\n- CRI-O\n  - it supports container runtime classes\n  - it supports verifying container images and rejecting unsigned ones\n- Kata-Containers\n  - it provides a tighter level of isolation than runc\n\n# TODOs\n\n- [x] vendor and sign select container images to run\n  - `kubeadm config images list`\n  - cert-manager\n  - knative-operator\n  - knative-serving\n  - net-kourier\n  - cgr.dev/chainguard/nginx:latest\n- [ ] fix (needed?) kata osbuilder generate\n\n# Installation\n\nBoot up Fedora CoreOS 41 on amd64.\n\nUse the following commands as root to switch to the image\n\n``` bash\nbootc switch --enforce-container-sigpolicy --transport registry ghcr.io/bobymcbobs/ucore-k8s:latest\n```\n\nReboot\n\n``` bash\nsystemctl reboot\n```\n\n# Vendoring container images\n\nAll container images run on ucore-k8s must be signed by the private key related to this repo.\n\nThis is a handy script to discover images that need to be run, vendor them (this is where you validate them or build them from scratch in a production environment) and sign them with the private key. 
See:\n\n```bash\n./sync-and-sign-images.sh\n```\n\n# Bootstrapping Kubernetes\n\nUsing kubeadm:\n\n``` bash\nkubeadm init --config /etc/kubernetes/init-config.yaml\n```\n\nAllow scheduling on the control-plane node\n\n``` bash\nkubectl taint node node-role.kubernetes.io/control-plane- --all\n```\n\n# Deploying stuff\n\nRender config (on a machine with `kustomize` installed)\n\n``` bash\nkustomize build config/ \u003e ./deploy-config.yaml\n```\n\nApply it\n\n``` bash\nkubectl apply -f ./deploy-config.yaml\n```\n\nPatch Kourier's ExternalIPs (grossly on target machine; this is a test)\n\n``` bash\nkubectl -n knative-serving patch svc/kourier -p \"{\\\"spec\\\":{\\\"externalIPs\\\":[\\\"$(hostname -I | awk '{print $1}')\\\"]}}\"\n```\n\n# Prerequisites\n\nWorking knowledge of the following topics:\n\n- Containers\n  - https://www.youtube.com/watch?v=SnSH8Ht3MIc\n  - https://www.mankier.com/5/Containerfile\n- bootc\n  - https://containers.github.io/bootc/\n- Fedora Silverblue (and other Fedora Atomic variants)\n  - https://docs.fedoraproject.org/en-US/fedora-silverblue/\n- GitHub Workflows\n  - https://docs.github.com/en/actions/using-workflows\n\n# How to Use\n\n## Workflows\n\n### build.yml\n\nThis workflow creates your custom OCI image and publishes it to the GitHub Container Registry (GHCR). By default, the image name will match the GitHub repository name.\n\n#### Container Signing\n\nContainer signing is important for end-user security and is enabled on all Universal Blue images. It is recommended you set this up, and by default the image builds *will fail* if you don't.\n\nThis provides users a method of verifying the image.\n\n1. Install the [cosign CLI tool](https://edu.chainguard.dev/open-source/sigstore/cosign/how-to-install-cosign/#installing-cosign-with-the-cosign-binary)\n\n2. Run inside your repo folder:\n\n    ```bash\n    cosign generate-key-pair\n    ```\n\n    \n    - Do NOT enter a password when it asks you to; just press enter. 
The signing key will be used in GitHub Actions and will not work if it is encrypted.\n\n\u003e [!WARNING]\n\u003e Be careful to *never* accidentally commit `cosign.key` into your git repo.\n\n3. Add the private key to GitHub\n\n    - This can also be done manually. Go to your repository settings, under Secrets and Variables -\u003e Actions\n    ![image](https://user-images.githubusercontent.com/1264109/216735595-0ecf1b66-b9ee-439e-87d7-c8cc43c2110a.png)\n    Add a new secret and name it `SIGNING_SECRET`, then paste the contents of `cosign.key` into the secret and save it. Make sure it's the .key file and not the .pub file. Once done, it should look like this:\n    ![image](https://user-images.githubusercontent.com/1264109/216735690-2d19271f-cee2-45ac-a039-23e6a4c16b34.png)\n\n    - (CLI instructions) If you have the `github-cli` installed, run:\n\n    ```bash\n    gh secret set SIGNING_SECRET \u003c cosign.key\n    ```\n\n4. Commit the `cosign.pub` file to the root of your git repository.\n\n# Community\n\n- [**bootc discussion forums**](https://github.com/containers/bootc/discussions) - Nothing in this template is ublue-specific; the upstream bootc project has a discussions forum where custom image builders can hang out and ask questions.\n- Index your image on [artifacthub.io](https://artifacthub.io), using the `artifacthub-repo.yml` file at the root to verify yourself as the publisher. [Discussion thread](https://universal-blue.discourse.group/t/listing-your-custom-image-on-artifacthub/6446)\n\n## Community Examples\n\n- [m2os](https://github.com/m2giles/m2os)\n- [bos](https://github.com/bsherman/bos)\n- [homer](https://github.com/bketelsen/homer/)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbobymcbobs%2Fucore-k8s","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbobymcbobs%2Fucore-k8s","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbobymcbobs%2Fucore-k8s/lists"}