<\/p>\r\n
<\/p>\r\n
E\u011fer makalenin ilk b\u00f6l\u00fcm\u00fcn\u00fc hen\u00fcz okumad\u0131ysan\u0131z, konunun b\u00fct\u00fcnl\u00fc\u011f\u00fc a\u00e7\u0131s\u0131ndan \u00f6ncelikle buradan<\/a><\/em> ilk b\u00f6l\u00fcm\u00fc okuman\u0131z\u0131 tavsiye ederim.<\/p>\r\n <\/p>\r\n <\/p>\r\n Makalenin bu b\u00f6l\u00fcm\u00fcnde ise kubernetes<\/strong><\/em> ortam\u0131nda OPA Gatekeeper<\/em> ile Ratify <\/em> kullanarak, \u00e7e\u015fitli politikalar\u0131 declarative<\/strong> bir \u015fekilde nas\u0131l tan\u0131mlayabilece\u011fimizi, containerized uygulamalar\u0131n da\u011f\u0131t\u0131lma i\u015flemleri s\u0131ras\u0131nda bu politikalar\u0131 nas\u0131l zorunlu k\u0131labilece\u011fimizi ve otomatikle\u015ftirilmi\u015f kararlarlar\u0131<\/strong> nas\u0131l alabilece\u011fimizi ele alaca\u011f\u0131z.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n NOT<\/em><\/strong>: Bu b\u00f6l\u00fcmden itibaren v1.20+ bir kubernetes ortam\u0131na sahip oldu\u011fumuzu varsayaca\u011f\u0131m.<\/em><\/p>\r\n <\/p>\r\n<\/blockquote>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Open Policy Agent<\/em> <\/strong>(OPA<\/em>) ‘\u0131 daha \u00f6nce hi\u00e7 duymad\u0131ysan\u0131z, \u00e7e\u015fitli politikalar\u0131 Rego<\/em><\/strong> isimli declarative query dil’i ile code olarak<\/strong> tan\u0131mlayabilmemize olanak sa\u011flayan, genel ama\u00e7l\u0131 <\/strong>open-source bir politika engine’idir diyebiliriz. Daha fazla detay i\u00e7in ise, buraya<\/em><\/a> bir g\u00f6z atman\u0131z\u0131 \u015fiddetle tavsiye ederim. Gatekeeper<\/em><\/strong> i\u00e7in ise OPA<\/em> constraint framework’\u00fcn\u00fc kullanarak \u00e7e\u015fitli politikalar\u0131 kubernetes<\/em><\/strong> \u00f6zelinde ConstraintTemplate<\/em> ‘ler olarak tan\u0131mlayabilmemizi ve bu politikalar\u0131 zorunlu k\u0131labilmemizi sa\u011flayan bir admission controller webhook<\/em> ‘udur diyebiliriz.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Gatekeeper<\/em> ile containerized uygulamalar\u0131 kubernetes<\/em> ortam\u0131nda fonksiyonel bir hale getirmeden \u00f6nce, bir ba\u015fka de\u011fi\u015fle admission request’i API<\/em> server taraf\u0131nda intercept ederek, tan\u0131mlanm\u0131\u015f olan politikalara uygunluklar\u0131n\u0131 uyumluluk i\u00e7in kontrol edebilir, bu do\u011frultuda zorlayabilir ve b\u00f6ylece software supply chain g\u00fcvenli\u011fini ve governance modelini infrastructure seviyesinde de g\u00fc\u00e7lendirebilmekteyiz.<\/p>\r\n <\/p>\r\n <\/p>\r\n Ratify<\/em><\/strong> ise container security supply chain alan\u0131nda supply chain artifact’lerini do\u011frulayabilmemize<\/strong> yard\u0131mc\u0131 olan bir ba\u015fka open source bir projedir. Ratify<\/em> asl\u0131nda her ortamda \u00e7al\u0131\u015fabilecek bir executable olsa da, kubernetes<\/em> \u00f6zelinde bakt\u0131\u011f\u0131m\u0131zda Gatekeeper<\/em> i\u00e7in external bir data provider<\/strong> olarak hareket etmekte ve container image’leri ile ili\u015fkilendirmi\u015f oldu\u011fumuz OCI<\/em> artifact metadata’lar\u0131na kar\u015f\u0131 politikalar tan\u0131mlayabilmemize ve onlar\u0131n do\u011frulanabilmesine olanak tan\u0131maktad\u0131r.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Makalenin ilk b\u00f6l\u00fcm\u00fcnde olu\u015fturmu\u015f oldu\u011fumuz software supply chain artifact’lerini ve imzalar\u0131n\u0131, da\u011f\u0131t\u0131lma \u00f6ncesi en basit yoldan pipeline \u00fczerinde nas\u0131l do\u011frulayabilece\u011fimizi ORAS<\/em> ve Notation CLI<\/em> ara\u00e7lar\u0131 ile birlikte ele alm\u0131\u015ft\u0131k. Ayr\u0131ca ilgili artifact’leri olu\u015ftururken makalenin bu b\u00f6l\u00fcm\u00fcnde OPA Gatekeeper<\/em> ve Ratify<\/em> ‘dan yararlanabilmek i\u00e7in, ilgili artifact’leri belirli formatlarda da olu\u015fturmu\u015ftuk.<\/p>\r\n <\/p>\r\n <\/p>\r\n \u00d6rne\u011fin container g\u00fcvenlik taramas\u0131 sonucunu SARIF<\/em> format\u0131nda, SBOM<\/em> dok\u00fcman\u0131n\u0131 ise SPDX<\/em> format\u0131nda ve Notation<\/em> ile imzalam\u0131\u015f oldu\u011fumuz artifact’leri ise COSE<\/em> format\u0131nda olu\u015fturmu\u015ftuk. \u015eimdi bu artifact’ler \u00f6zelinde Ratify<\/em> ‘\u0131n do\u011frulay\u0131c\u0131<\/strong> plugin’lerinden yararlanarak daha spesifik kontrol politikalar\u0131n\u0131 declarative bir \u015fekilde nas\u0131l konfigure edip, zorunlu k\u0131labilece\u011fimize bir bakal\u0131m.<\/p>\r\n <\/p>\r\n <\/p>\r\n \u00d6ncelikle Ratify<\/em> ‘\u0131n do\u011frulama i\u015flemini ger\u00e7ekle\u015ftirip Gatekeeper<\/em> ‘a geri bildirim verebilmesi i\u00e7in, ilgili container image’ i ile ili\u015fkilendirmi\u015f oldu\u011fumuz supply chain artifact’lerine ilgili container registry \u00fczerinden eri\u015febilmesi gerekmektedir. Ratify<\/em> arka planda ise bunun i\u00e7in ORAS<\/em> arac\u0131ndan yararlanmaktad\u0131r. Bu makale serisi kapsam\u0131nda ise container registry olarak Azure Container Registry<\/em> (ACR<\/em>) kullanm\u0131\u015ft\u0131k. Bu noktada Ratify<\/em>, ORAS<\/em> ‘\u0131n ilgili registry’e eri\u015febilmesi i\u00e7in bizlere bir ka\u00e7 farkl\u0131 auth provider se\u00e7ene\u011fi sunmaktad\u0131r. Ben ilgili AKS<\/em> cluster’\u0131n\u0131 (v1.20+<\/em>) ACR<\/em> entegrasyonu ile olu\u015fturdu\u011fum i\u00e7in, bu noktada kubelet identity<\/em> ‘sini (managed identity<\/strong><\/em>) kullan\u0131yor olaca\u011f\u0131m. Dilerseniz kendi olu\u015fturaca\u011f\u0131n\u0131z user-assigned managed identity’i veya workload identity se\u00e7eneklerini de kullanabilirsiniz. Bunun ilgili se\u00e7eneklere ise buradan<\/em><\/a> eri\u015febilirsiniz.<\/p>\r\n <\/p>\r\n <\/p>\r\n \u00d6ncelikle Gatekeeper<\/em> ‘\u0131 external data<\/em> \u00f6zelli\u011fi ile ilgili kubernetes<\/em> ortam\u0131na kurulumunu ger\u00e7ekle\u015ftirmemiz gerekmektedir.<\/p>\r\n <\/p>\r\n <\/p>\r\n Bu noktada h\u0131zl\u0131 ilerleyebilmek i\u00e7in, Gatekeeper<\/em> ve Ratify<\/em> ara\u00e7lar\u0131n\u0131n kurulum i\u015flemlerini bir \u00f6nceki makale kapsam\u0131nda kullanm\u0131\u015f oldu\u011fumuz CICD<\/em> template’i i\u00e7erisinde ger\u00e7ekle\u015ftirece\u011fim. Ayr\u0131ca imzalanm\u0131\u015f artifact’lerin politikalar arac\u0131l\u0131\u011f\u0131 ile do\u011frulanabilmesi konusunda Ratify<\/em> ‘\u0131n built-in plugin’i olan Notation<\/em> ‘\u0131 da kullanabilmemiz i\u00e7in, imzalama s\u00fcre\u00e7leri s\u0131ras\u0131nda Notation arac\u0131 ile olu\u015fturuyor oldu\u011fumuz CA<\/em> certificate\u2019ini, kurulum i\u015flemi s\u0131ras\u0131nda Ratify<\/em> ‘a sa\u011fl\u0131yor olmam\u0131z gerekmektedir. E\u011fer certificate olu\u015fturma i\u015flemlerini CI<\/em> boyunca on-the-fly ger\u00e7ekle\u015ftirmek yerine Azure Key Vault<\/em> gibi merkezi bir noktada ger\u00e7ekle\u015ftiriyor olsayd\u0131k, ozaman kurulum i\u015flemlerini farkl\u0131 noktalarda da ele alabilirdik.<\/p>\r\n <\/p>\r\n <\/p>\r\n \u015eimdi daha \u00f6nce \u201cDev<\/em>\u201d ad\u0131nda olu\u015fturmu\u015f oldu\u011fumuz stage’in i\u00e7erisinde bulunan \u201cVerifyArtifacts<\/em>\u201d job’\u0131ndan sonra a\u015fa\u011f\u0131daki \u015fekilde \u201cDeployToDev<\/em>\u201c ad\u0131nda yeni bir job ekleyelim. Bu job i\u00e7erisinde de ilk a\u015fama olarak, ilgili artifact’lerin \u201cSigningStage<\/em>\u201c i\u00e7erisinde imzalama i\u015flemlerinin ger\u00e7ekle\u015fmesinin ard\u0131ndan pipeline artifact\u2019i olarak payla\u015f\u0131yor oldu\u011fumuz Notation<\/em> certificate’ini, olu\u015fturmu\u015f oldu\u011fumuz bu yeni job i\u00e7erisine download edece\u011fiz.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Ard\u0131ndan Gatekeeper<\/em> ‘in kurulum i\u015flemini ilgili AKS<\/em> cluster’\u0131na Helm<\/em> vas\u0131tas\u0131yla ger\u00e7ekle\u015ftiriyoruz. Gatekeeper<\/em> kurulumunun ard\u0131ndan ise Ratify<\/em> ‘\u0131n kurulumunu kullanmak istedi\u011fimiz do\u011frulay\u0131c\u0131 plugin’leri ile birlikte ger\u00e7ekle\u015ftirmeye ba\u015flayabiliriz.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n \u015eimdi ilgili task’\u0131n devam\u0131 olarak, a\u015fa\u011f\u0131daki gibi Ratify<\/em> helm<\/em> chart’\u0131n\u0131 konfigure edelim ve Gatekeeper<\/em> ile ayn\u0131 namespace i\u00e7erisine kurulumunun ger\u00e7ekle\u015ftirilmesini sa\u011flayal\u0131m.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Bu noktada Ratify<\/em> ‘a, farkl\u0131 do\u011frulama i\u015flemlerinde kullanabilmesi i\u00e7in ilgili artifact metadata’lar\u0131na ACR<\/em> \u00fczerinden eri\u015febilmesi amac\u0131yla sa\u011flam\u0131\u015f oldu\u011fumuz Azure Managed Identity<\/em> bilgilerini kullanmas\u0131n\u0131 s\u00f6yl\u00fcyoruz. Ayr\u0131ca, Notation<\/em>, daha \u00f6nce de bahsetti\u011fimiz gibi Ratify<\/em> i\u00e7erisinde varsay\u0131lan imza do\u011frulay\u0131c\u0131s\u0131 olarak geldi\u011fi i\u00e7in, “notationCerts<\/em>” parametresi ile imzalama i\u015flemlerinde kullanm\u0131\u015f oldu\u011fumuz CA<\/em> certificate’ini sa\u011fl\u0131yoruz. B\u00f6ylece Ratify<\/em>, kubernetes<\/em> i\u00e7erisinde sadece imzalanm\u0131\u015f container image’lerini \u00e7al\u0131\u015ft\u0131rmam\u0131za olanak sa\u011flayacakt\u0131r.<\/p>\r\n <\/p>\r\n <\/p>\r\n Makalenin giri\u015finde Gatekeeper<\/em> ‘\u0131 tan\u0131mlarken, OPA<\/em> constraint framework’\u00fcn\u00fc kullanarak \u00e7e\u015fitli politikalar\u0131 kubernetes<\/em> \u00f6zelinde ConstraintTemplate<\/em><\/strong> ‘ler olarak yani CRD-based<\/em><\/strong> olarak tan\u0131mlayabilmemizi ve bu politikalar\u0131 zorunlu k\u0131labilmemizi sa\u011flamaktad\u0131r demi\u015ftik.<\/p>\r\n <\/p>\r\n <\/p>\r\n OPA Constraint<\/em> ve ConstraintTemplate<\/em> konseptine k\u0131saca de\u011finmek gerekirse, ConstraintTemplate<\/em>, k\u0131s\u0131tlamalar\u0131 (constraint) uygulamak i\u00e7in kullan\u0131lacak olan politika mant\u0131\u011f\u0131n\u0131n ve k\u0131s\u0131tlaman\u0131n schema’s\u0131n\u0131n tan\u0131mland\u0131\u011f\u0131 ConstraintTemplate<\/em> tipinde bir CRD<\/em> ‘dir. Ayr\u0131ca Rego<\/strong><\/em> politikalar\u0131n\u0131 da konfig\u00fcrasyon olarak tan\u0131mlad\u0131\u011f\u0131m\u0131z yerdir. Tan\u0131mlanm\u0131\u015f olan bu politikan\u0131n uygulanabilmesi i\u00e7in ise, bir instance’\u0131n\u0131n al\u0131nmas\u0131 gerekmektedir. Bu i\u015flemi ise, CRD-based Constraint<\/em> ‘ler tan\u0131mlayarak ger\u00e7ekle\u015ftirmekteyiz.<\/p>\r\n <\/p>\r\n <\/p>\r\n \u015eimdi yukar\u0131daki kod blo\u011funda kubectl<\/em> ile uyguluyor oldu\u011fumuz temel bir OPA Gatekeeper<\/em> ConstraintTemplate<\/em> ‘ine (template.yaml) bir bakal\u0131m.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Bu noktada ConstraintTemplate<\/em>, i\u00e7erisinde Rego<\/em> dilinde uygulanacak olan politika mant\u0131\u011f\u0131n\u0131n bulundu\u011fu RatifyVerification<\/em> tipinde bir CRD<\/em> schema’s\u0131 olu\u015fturmaktad\u0131r.<\/p>\r\n <\/p>\r\n <\/p>\r\n Bu noktada \u00f6zellikle a\u015fa\u011f\u0131daki sat\u0131r’a dikkat edersek,<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Gatekeeper<\/em> ‘\u0131n container image’ini do\u011frulayabilmesi i\u00e7in external data sa\u011flay\u0131c\u0131s\u0131 olarak Ratify<\/em> ‘\u0131 kulland\u0131\u011f\u0131n\u0131 g\u00f6rebiliriz.<\/p>\r\n <\/p>\r\n <\/p>\r\n \u015eimdi yine kubectl<\/em> ile uyguluyor oldu\u011fumuz Constraint <\/em>‘e (constraint.yaml)\u00a0bir bakal\u0131m.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Bahsetti\u011fimiz gibi, olu\u015fturulan bu Constraint<\/em>, az \u00f6nce tan\u0131mlam\u0131\u015f oldu\u011fumuz ConstraintTemplate<\/em> ‘in bir nevi instance ‘\u0131 g\u00f6revini g\u00f6rmektedir. Bu Constraint<\/em> i\u00e7erisinde ise, ConstraintTemplate<\/em> ‘de yer alan ilgili politika mant\u0131\u011f\u0131n\u0131n, “default<\/em>” namespace’i alt\u0131ndaki t\u00fcm “Pod<\/em>” lara uygulanmas\u0131 gerekti\u011fini belirtiyoruz.<\/p>\r\n <\/p>\r\n <\/p>\r\n Bu noktadan itibaren, Notation<\/em>, Ratify<\/em> i\u00e7erisinde built-in bir do\u011frulay\u0131c\u0131 olarak geldi\u011fi ve Ratify<\/em> ‘\u0131n kurulumunu ger\u00e7ekle\u015ftirirken\u00a0imzalama s\u0131ras\u0131nda kulland\u0131\u011f\u0131m\u0131z CA<\/em> certificate’ini de iletti\u011fimiz i\u00e7in, kubernetes i\u00e7erisinde “default<\/em>” namespace alt\u0131nda sadece bu certificate ile imzalanm\u0131\u015f olan container image’lerinin \u00e7al\u0131\u015ft\u0131r\u0131lmas\u0131na izin verilecektir.<\/p>\r\n <\/p>\r\n <\/p>\r\n Test etmeye ge\u00e7meden \u00f6nce built-in gelen Ratify<\/em> do\u011frulay\u0131c\u0131lar\u0131na kubernetes<\/em> taraf\u0131nda bakt\u0131\u011f\u0131m\u0131zda ise, a\u015fa\u011f\u0131daki gibi Notation<\/em> ve Cosign<\/em> ‘\u0131n varsay\u0131lan olarak geldi\u011fini g\u00f6rebiliriz.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Notation<\/em> do\u011frulay\u0131c\u0131s\u0131na bakt\u0131\u011f\u0131m\u0131zda ise, container ile ili\u015fkilendirilmi\u015f “application\/vnd.cncf.notary.signature<\/em>” tipindeki artifact metadata’lar\u0131 ile \u00e7al\u0131\u015ft\u0131\u011f\u0131n\u0131 da g\u00f6rebiliriz.<\/p>\r\n <\/p>\r\n <\/p>\r\n \u015eimdi ilgili politikay\u0131 test edebilmek i\u00e7in a\u015fa\u011f\u0131daki task’\u0131 kullanarak imzalanmam\u0131\u015f \u00f6rnek bir container image’ini, ilgili kubernetes<\/em> ortam\u0131na yay\u0131mlamay\u0131 deneyelim.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n G\u00f6rd\u00fc\u011f\u00fcm\u00fcz gibi, yay\u0131mlama i\u015flemi, ilgili container image’inin olu\u015fturmu\u015f oldu\u011fumuz CA<\/em> certificate’i taraf\u0131ndan imzalanmam\u0131\u015f olmas\u0131ndan dolay\u0131, Gatekeeper<\/em> ‘\u0131n Ratify<\/em> ‘dan ald\u0131\u011f\u0131 geri bildirim do\u011frultusunda ba\u015far\u0131s\u0131z ger\u00e7ekle\u015fti.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n \u015eimdi ise Ratify<\/em> ‘\u0131n external plugin’lerinden olan SBOM<\/em> do\u011frulay\u0131c\u0131s\u0131n\u0131 entegre edelim. Bunun i\u00e7in Ratify<\/em> kurulumunu a\u015fa\u011f\u0131daki gibi \u00f6zelle\u015ftirmemiz gerekmektedir.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n Bu noktada \u00f6rnek bir senaryo olarak, “sbom.enabled<\/em>” parametresi ile SBOM<\/em> do\u011frulay\u0131c\u0131s\u0131n\u0131 etkinle\u015ftiriyor ve “6.3.1<\/em>” versiyonlu “EasyNetQ<\/em>” paketini i\u00e7eren container image’lerinin kubernetes<\/em> ortam\u0131nda \u00e7al\u0131\u015ft\u0131r\u0131lmamas\u0131 gerekti\u011fini belirtiyoruz. Ayr\u0131ca, makalenin ilk b\u00f6l\u00fcm\u00fcnde hat\u0131rlarsak, olu\u015fturmu\u015f oldu\u011fumuz SBOM<\/em> dok\u00fcman\u0131n\u0131 da supply chain g\u00fcvenli\u011fi i\u00e7in imzalam\u0131\u015ft\u0131k. Sa\u011flad\u0131\u011f\u0131m\u0131z “sbom.notaryProjectSignatureRequired<\/em>” parametresi ile ise SBOM<\/em> dok\u00fcman\u0131 i\u00e7in olu\u015fturmu\u015f oldu\u011fumuz imzan\u0131n da do\u011frulanmas\u0131 gerekti\u011fini belirtiyoruz. Ek olarak, SBOM<\/em> do\u011frulay\u0131c\u0131s\u0131 i\u00e7in de ayn\u0131 ConstraintTemplate<\/em> ve Constraint<\/em> manifest’lerini kullanaca\u011f\u0131z.<\/p>\r\n <\/p>\r\n <\/p>\r\n \u015eimdi, Ratify<\/em> ‘\u0131n SBOM<\/em> do\u011frulay\u0131c\u0131 plugin’i SBOM<\/em> dok\u00fcman\u0131n\u0131 SPDX-JSON<\/em> format\u0131nda bekledi\u011fi i\u00e7in, makalenin ilk b\u00f6l\u00fcm\u00fcnde Trivy<\/em> ile SBOM<\/em> dok\u00fcman\u0131n\u0131 olu\u015fturuyor oldu\u011fumuz task’a d\u00f6nelim ve “–format spdx<\/em>” parametresini “–format spdx-json<\/em>” olarak g\u00fcncelleyelim.<\/p>\r\n <\/p>\r\n <\/p>\r\n Ard\u0131ndan bir \u00f6nceki a\u015famada imzalanmam\u0131\u015f \u00f6rnek bir container image’ini yay\u0131mlamak i\u00e7in kullanm\u0131\u015f oldu\u011fumuz task’\u0131 a\u015fa\u011f\u0131daki gibi g\u00fcncelleyelim ve uygulanacak olan politika detaylar\u0131n\u0131 g\u00f6rebilmek i\u00e7in Ratify<\/em> pod’unun log’lar\u0131n\u0131 getirecek olan task’\u0131 da job i\u00e7erisine dahil edelim.<\/p>\r\n <\/p>\r\n <\/p>\r\n <\/p>\r\n![\"\"](\"\/wp-content\/uploads\/2024\/06\/automated-gov-gokhan-gokalp.jpg\")
<\/a><\/p>\r\n\r\n
OPA Gatekeeper & Ratify<\/h1>\r\n
![\"\"](\"\/wp-content\/uploads\/2024\/04\/admission-controller-phases-1024x381.png\")
<\/a>\r\nAksiyona Ge\u00e7elim!<\/h1>\r\n
Gatekeeper’\u0131 Haz\u0131rlayal\u0131m<\/h2>\r\n
- job: DeployToDev\r\n displayName: 'Deploy to Dev'\r\n dependsOn: VerifyArtifacts\r\n steps:\r\n - task: DownloadPipelineArtifact@2\r\n inputs:\r\n buildType: 'current'\r\n artifactName: 'notation'\r\n downloadPath: '$(Agent.BuildDirectory)\/..\/..\/.config\/notation\/localkeys'\r\n - task: AzureCLI@2\r\n displayName: 'Prepare OPA Gatekeeper & Ratify'\r\n inputs:\r\n azureSubscription: 'DevOpsPoC'\r\n scriptType: 'bash'\r\n scriptLocation: 'inlineScript'\r\n inlineScript: |\r\n curl https:\/\/raw.githubusercontent.com\/helm\/helm\/main\/scripts\/get-helm-3 | bash\r\n\r\n az aks get-credentials --resource-group YOUR_AKS_RG --name YOUR_AKS_NAME\r\n\r\n helm repo add gatekeeper https:\/\/open-policy-agent.github.io\/gatekeeper\/charts\r\n\r\n helm upgrade --install gatekeeper gatekeeper\/gatekeeper --atomic \\\r\n --namespace gatekeeper-system --create-namespace \\\r\n --set enableExternalData=true \\\r\n --set validatingWebhookTimeoutSeconds=5 \\\r\n --set mutatingWebhookTimeoutSeconds=2 \\\r\n --set externaldataProviderResponseCacheTTL=10s<\/code><\/pre>\r\nRatify<\/h2>\r\n
Notation ile \u0130mzalar\u0131n Do\u011frulanmas\u0131<\/h3>\r\n
helm repo add ratify https:\/\/deislabs.github.io\/ratify\r\n\r\n helm upgrade --install ratify ratify\/ratify --version 1.12.1 \\\r\n --namespace gatekeeper-system \\\r\n --set featureFlags.RATIFY_CERT_ROTATION=true \\\r\n --set logger.level=debug \\\r\n --set-file notationCerts={$(Agent.BuildDirectory)\/..\/..\/.config\/notation\/localkeys\/order-api.io.crt} \\\r\n --set oras.authProviders.azureManagedIdentityEnabled=true \\\r\n --set azureManagedIdentity.clientId=\\\"YOUR_CLIENT_ID\\\" \\\r\n --set azureManagedIdentity.tenantId=\"YOUR_TENANT_ID\"\r\n\r\n kubectl apply -f https:\/\/deislabs.github.io\/ratify\/library\/default\/template.yaml\r\n kubectl apply -f https:\/\/deislabs.github.io\/ratify\/library\/default\/samples\/constraint.yaml<\/code><\/pre>\r\napiVersion: templates.gatekeeper.sh\/v1beta1\r\nkind: ConstraintTemplate\r\nmetadata:\r\n name: ratifyverification\r\nspec:\r\n crd:\r\n spec:\r\n names:\r\n kind: RatifyVerification\r\n targets:\r\n - target: admission.k8s.gatekeeper.sh\r\n rego: |\r\n package ratifyverification\r\n \r\n # Get data from Ratify\r\n remote_data := response {\r\n images := [img | img = input.review.object.spec.containers[_].image]\r\n response := external_data({\"provider\": \"ratify-provider\", \"keys\": images})\r\n }\r\n\r\n # Base Gatekeeper violation\r\n violation[{\"msg\": msg}] {\r\n general_violation[{\"result\": msg}]\r\n }\r\n \r\n # Check if there are any system errors\r\n general_violation[{\"result\": result}] {\r\n err := remote_data.system_error\r\n err != \"\"\r\n result := sprintf(\"System error calling external data provider: %s\", [err])\r\n }\r\n \r\n # Check if there are errors for any of the images\r\n general_violation[{\"result\": result}] {\r\n count(remote_data.errors) > 0\r\n result := sprintf(\"Error validating one or more images: %s\", remote_data.errors)\r\n }\r\n \r\n # Check if the success criteria is true\r\n general_violation[{\"result\": result}] {\r\n subject_validation := remote_data.responses[_]\r\n subject_validation[1].isSuccess == false\r\n result := sprintf(\"Subject failed verification: %s\", [subject_validation[0]])\r\n }<\/code><\/pre>\r\nresponse := external_data({\"provider\": \"ratify-provider\", \"keys\": images})\r\n }<\/code><\/pre>\r\napiVersion: constraints.gatekeeper.sh\/v1beta1\r\nkind: RatifyVerification\r\nmetadata:\r\n name: ratify-constraint\r\nspec:\r\n enforcementAction: deny\r\n match:\r\n kinds:\r\n - apiGroups: [\"\"]\r\n kinds: [\"Pod\"]\r\n namespaces: [\"default\"]<\/code><\/pre>\r\n![\"\"](\"\/wp-content\/uploads\/2024\/05\/notation-verifier-1024x566.jpg\")
<\/a><\/figure>\r\n - task: AzureCLI@2\r\n displayName: 'Deploy the $(orderAPIImageName) container'\r\n inputs:\r\n azureSubscription: 'DevOpsPoC'\r\n scriptType: 'bash'\r\n scriptLocation: 'inlineScript'\r\n inlineScript: |\r\n cat <<\/code><\/pre>\r\n![\"\"](\"\/wp-content\/uploads\/2024\/05\/unsigned-denied-1024x539.jpg\")
<\/a>\r\n\r\n<\/figure>\r\nSBOM ‘un Do\u011frulanmas\u0131<\/h3>\r\n
helm upgrade --install ratify ratify\/ratify --version 1.12.1 \\\r\n --namespace gatekeeper-system \\\r\n --set featureFlags.RATIFY_CERT_ROTATION=true \\\r\n --set logger.level=debug \\\r\n --set-file notationCerts={$(Agent.BuildDirectory)\/..\/..\/.config\/notation\/localkeys\/order-api.io.crt} \\\r\n --set oras.authProviders.azureManagedIdentityEnabled=true \\\r\n --set azureManagedIdentity.clientId=\\\"YOUR_CLIENT_ID\\\" \\\r\n --set azureManagedIdentity.tenantId=\"YOUR_TENANT_ID\" \\\r\n --set sbom.enabled=true \\\r\n --set sbom.notaryProjectSignatureRequired=true \\\r\n --set sbom.disallowedPackages[0].name=\"EasyNetQ\" \\\r\n --set sbom.disallowedPackages[0].version=\"6.3.1\"<\/code><\/pre>\r\n - task: AzureCLI@2\r\n displayName: 'Deploy the $(orderAPIImageName) container'\r\n inputs:\r\n azureSubscription: 'DevOpsPoC'\r\n scriptType: 'bash'\r\n scriptLocation: 'inlineScript'\r\n inlineScript: |\r\n cat <<\/code><\/pre>\r\n
![\"\"](\"\/wp-content\/uploads\/2024\/05\/ratify-policy-summary-1024x569.jpg\")
<\/a>\r\n\r\n<\/figure>\r\n![\"\"](\"\/wp-content\/uploads\/2024\/05\/verifier-sbom-1024x419.jpg\")
<\/a><\/figure>\r\n