Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/in-toto/kubectl-in-toto
Last synced: 18 days ago
- Host: GitHub
- URL: https://github.com/in-toto/kubectl-in-toto
- Owner: in-toto
- License: mit
- Created: 2018-10-11T15:16:10.000Z (about 6 years ago)
- Default Branch: master
- Last Pushed: 2019-04-25T15:33:51.000Z (over 5 years ago)
- Last Synced: 2024-12-17T17:55:40.593Z (18 days ago)
- Language: Go
- Homepage:
- Size: 64.5 KB
- Stars: 11
- Watchers: 4
- Forks: 5
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# in-toto-kubectl

This is a kubectl plugin to run in-toto verification on the images in your
Kubernetes pods.

## Install

Run `make deploy` and the plugin should be installed to `~/.kube/plugins`. You
can change the target by changing the `KUBEPATH` environment variable. For
example, `make deploy KUBEPATH=~/bin` will install it to a user-controlled
`bin/` folder.

## Usage

Make sure the plugin executable was installed somewhere in your `$PATH`, or
add `~/.kube/plugins` to your path. Afterwards, you can use it within
kubectl:

```bash
kubectl in-toto pod/[podname]
```

To scan a pod, you need to have the link metadata and the layout in
your current folder. After passing the pod/podname argument, you can also use
`-k` and `-l` in the same way as `in-toto-verify` to pass key and layout
parameters.

### Extensions

The kubectl plugin uses parameter substitution to provide you with a
`{IMAGE_ID}` parameter that you can substitute inside of your layouts.

In addition, a file called `image_id` (if it doesn't already exist) will be populated
in the directory when verification starts. This can be used, e.g., to verify
against the output of `docker build`. This second extension will disappear in
future releases, once resource type identifiers are provided by the in-toto
framework.

## Example

An example repository exists under the `example` directory. It contains all the
tools you need to create a layout (using the Python implementation) and create
signed metadata files (you will need Docker to build the container). If you're
using minikube to run the example, I also suggest you expose the Docker socket
before executing the functionary step so as to create the image inside the
container.

# Credit

This was very heavily based off of [stefanprodan's kubectl-kubesec plugin](https://github.com/stefanprodan/kubectl-in-toto)