Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/rode/rode-legacy
cloud native software supply chain âïžð
https://github.com/rode/rode-legacy
cloud-native kubernetes security
Last synced: 3 months ago
JSON representation
cloud native software supply chain âïžð
- Host: GitHub
- URL: https://github.com/rode/rode-legacy
- Owner: rode
- License: other
- Archived: true
- Created: 2020-01-18T01:00:08.000Z (almost 5 years ago)
- Default Branch: master
- Last Pushed: 2021-02-15T14:54:05.000Z (over 3 years ago)
- Last Synced: 2024-06-20T17:41:19.609Z (5 months ago)
- Topics: cloud-native, kubernetes, security
- Language: Go
- Homepage:
- Size: 16.7 MB
- Stars: 64
- Watchers: 6
- Forks: 17
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
- License: LICENSE.md
- Codeowners: CODEOWNERS
Awesome Lists containing this project
- awesome-repositories - rode/rode-legacy - cloud native software supply chain âïžð (Go)
README
# Warning: this project has been deprecated
As of 12/18/2020 the new home for all `rode` development will be located at [github.com/rode](https://github.com/rode)
#  Rode
> \rÅd\ - a line (as of rope or chain) used to attach an anchor to a boat
Rode provides the collection, attestation and enforcement of policies in your software supply chain. Watch the [demo](https://youtu.be/CyrbLQYUCbM?t=580) and [slides](https://www.slideshare.net/CaseyLee2/the-last-bottleneck-of-continuous-delivery/) from DeliveryConf for a quick introduction!
There are 3 primary components in rode: `collectors`, `attesters` and `enforcers`
## Collectors
Collectors are responsible for receiving events from external systems and converting them into [occurrences](https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md#occurrences) in [Grafeas](https://github.com/grafeas/grafeas).
The list of supported collectors is growing and currently includes:
* **ECR Events** - image scan events are sent to an SQS queue via CloudWatch event rules. A collector in rode processes the messages from the queue and converts them into [discovery](https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md#kind-specific-schemas) and [vulnerability](https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md#kind-specific-schemas) occurrences in Grafeas.
* **Harbor Events** - image scan events are sent to a Rode endpoint. A collector in rode processes the messages from the queue and converts them into [discovery](https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md#kind-specific-schemas) and [vulnerability](https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md#kind-specific-schemas) occurrences in Grafeas.
Collectors are defined as `Collector` [custom resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). See below for an example:
```yaml
apiVersion: rode.liatr.io/v1alpha1
kind: Collector
spec:
name: my_collector
type: ecr
queueName: my_ecr_event_queue
```
## Attesters
Attesters monitor collectors for new `occurrences`. Whenever a new occurrence is created on a [resource](https://github.com/grafeas/grafeas/blob/master/docs/grafeas_concepts.md#resource-urls), then all occurrences are loaded for that resource and passed in to [Open Policy Agent (OPA)](https://www.openpolicyagent.org/) to determine if all necessary occurrences exist for the resource.
If all occurrences exist and comply with the policy, then the attester will use its private PGP key to sign a new attestation for the resource and store the attestation in Grafeas.
Attesters are defined as `Attester` [custom resources](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/). See below for an example:
```yaml
apiVersion: rode.liatr.io/v1alpha1
kind: Attester
spec:
name: my_collector
pgp-secret: my_secret_name
policy: |
package my_collector
violation[{"msg":"analysis failed"}]{
input.occurrences[_].discovered.discovered.analysisStatus != "FINISHED_SUCCESS"
}
violation[{"msg":"analysis not performed"}]{
analysisStatus := [s | s := input.occurrences[_].discovered.discovered.analysisStatus]
count(analysisStatus) = 0
}
violation[{"msg":"critical vulnerability found"}]{
severityCount("CRITICAL") > 0
}
violation[{"msg":"high vulnerability found"}]{
severityCount("HIGH") > 10
}
severityCount(severity) = cnt {
cnt := count([v | v := input.occurrences[_].vulnerability.severity; v == severity])
}
```
The PGP key is automatically generated and stored as a Kubernetes secret if it doesn't already exist.
## Enforcers
Enforcers are defined as [validating admission webhook](https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/) that ensures the resource defined as an `image` in the `Pod` has been properly attested.
Enforcers are configured to ensure the specified attester referenced in the namespace for the pod had successfully created an attestation. The namespace must include a label for enforcement to be activated:
```yaml
"rode.liatr.io/enforce": true
```
# Installation
The easiest way to install rode is via the helm chart:
```shell
helm repo add liatrio https://harbor.toolchain.lead.prod.liatr.io/chartrepo/public
helm upgrade -i rode liatrio/rode
```
## Elastic Container Registry
Setup collectors, attesters and enforcers through a quickstart:
```shell
kubectl apply -f examples/aws-quickstart.yaml
```
The ECR event collector requires the following IAM policy. Either attach the policy to the EC2 instance or use IRSA and pass the role ARN to Helm:
```shell
helm upgrade -i rode liatrio/rode --set rbac.serviceAccountAnnotations."eks\.amazonaws\.com/role-arn"=arn:aws:iam::1234567890:role/RodeServiceAccount
```
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sqs:CreateQueue"
"sqs:SetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:GetQueueAttributes",
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"events:PutTargets",
"events:PutRule"
],
"Resource": "*"
}
]
}
```
## Harbor
If Harbor is being utilized as a container registry, you can specify `harbor` as the collector type.
```yaml
apiVersion: rode.liatr.io/v1alpha1
kind: Collector
spec:
name: my_collector
type: ecr
queueName: my_ecr_event_queue
---
apiVersion: rode.liatr.io/v1alpha1
kind: Collector
metadata:
name: harborCollector
finalizers:
- collectors.finalizers.rode.liatr.io
spec:
harbor:
harborUrl: "https://example.com"
project: "example-project"
secret: "default/harbor-harbor-core"
type: harbor
```
# Development
To run locally you need to have Docker for Desktop running and your k8s context set to `docker-desktop`. Skaffold will automatically use the `local` profile which installs [LocalStack](https://github.com/localstack/localstack) to test the AWS ECR collector by mocking the SQS service.
To run controllers:
```shell
skaffold dev --port-forward
```
Setup collectors, attesters and enforcers:
```shell
kubectl apply -f examples/aws-quickstart.yaml
```
To create an occurrence, use the aws cli to send a test message to LocalStack:
```shell
aws sqs send-message \
--endpoint-url http://localhost:30576 \
--queue-url http://localhost:30576/queue/rode-ecr-event-collector \
--message-body file://test/sample_scan_event.json
```
## Testing
To run unit tests
```shell
go test -cover -tags unit ./...
```
To run unit and integration tests Rode and LocalStack must be running. Follow the local development instructions above.
```shell
go test ./...
```
## Testing Multi-Cluster Communication
You can test separating the policy and enforcement features of Rode by running both locally. This will deploy different instances of Rode into two different namespaces (`rode-policy` and `rode-enforcement`) so you can test the communication between the two instances.
**Deploy the policy Rode instance**
```shell
skaffold run -p local,policy
```
This will deploy Rode with Collector and Attester controllers and deploy the messaging service [Jetstream](https://github.com/nats-io/jetstream)
**Deploy the enforcement Rode instance**
```shell
skaffold run -p local,enforcement
```
This will deploy Rode with Enforcer and Cluster Enforcer controllers and the enforcer validating webhook.