This is a kubectl plugin to run in-toto verification on the images in your Kubernetes pods.

Run `make deploy` and the plugin should be installed to `~/.kube/plugins`. You can change the target by changing the `KUBEPATH` environment variable. For example, `make deploy KUBEPATH=~/bin` will install it to a user-controlled `bin/` folder.
Make sure the plugin executable was installed to somewhere in your `$PATH`, or add `~/.kube/plugins` to your path. Afterwards, you can use it within kubectl:

    kubectl in-toto pod/[podname]
In order to scan a pod, you need to have the link metadata and the layout in your current folder. After passing the `pod/[podname]` argument, you can also use `-k` and `-l` in the same way as in `in-toto-verify` to pass the key and layout parameters.
The kubectl plugin uses parameter substitution to provide you with an `{IMAGE_ID}` parameter that you can substitute inside of your layouts. In addition, a file called `image_id` will be populated in the current directory when verification starts (if it doesn't exist already). This can be used to, e.g., verify against the output of `docker build`. This second extension will disappear in future releases, once resource type identifiers are provided by the in-toto framework.
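As an added example (not the plugin's own code), the following POSIX shell sketch shows the two mechanisms just described: rendering the `{IMAGE_ID}` placeholder into a layout template from the image ID the Kubernetes API reports for a pod, and creating the `image_id` file without overwriting one that already exists. The sample image ID and layout fragment are constructed; `pod_image_id` and `verify_pod` need a cluster and `in-toto-verify` on the `PATH`, and the template file name `root.layout.template` is a hypothetical path. Substituting into an already signed layout invalidates its signature, so the rendering step belongs on the layout owner's side, before signing, while the verifier only records `image_id` and runs `in-toto-verify` with the `-l` and `-k` options mentioned above.

```shell
#!/bin/sh
# Added example, not the plugin's own code. Demonstrates {IMAGE_ID}
# substitution into a layout template and the image_id file behaviour.
set -eu

# Constructed sample of what the imageID field of a running container looks
# like (hypothetical digest, not a real image).
SAMPLE_IMAGE_ID="docker-pullable://example/app@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"

# Constructed layout fragment using the {IMAGE_ID} placeholder in an
# expected_products rule; the rule itself is illustrative only.
SAMPLE_LAYOUT_TEMPLATE='{"expected_products": [["MATCH", "{IMAGE_ID}", "WITH", "PRODUCTS", "FROM", "build"]]}'

# Resolve the image ID of the first container in a pod via the Kubernetes API.
# Needs a cluster; not exercised offline.
pod_image_id() {
  kubectl get "$1" -o jsonpath='{.status.containerStatuses[0].imageID}'
}

# Replace every {IMAGE_ID} in the template read from stdin with the given id.
# The id is escaped first: digests contain '/' and may contain '&', both of
# which sed would otherwise interpret inside the replacement.
substitute_image_id() {
  esc=$(printf '%s' "$1" | sed 's/[\/&]/\\&/g')
  sed "s/{IMAGE_ID}/$esc/g"
}

# Layout-owner side: render the template into a layout that still has to be
# signed with the layout key before it can be verified.
render_layout_template() {
  substitute_image_id "$2" < "$1"
}

# Create <dir>/image_id holding the id, but never overwrite an existing file
# (the "if it doesn't exist" behaviour described above).
# Prints "created" or "kept" so the caller can tell which happened.
write_image_id_file() {
  if [ -e "$1/image_id" ]; then
    echo kept
  else
    printf '%s\n' "$2" > "$1/image_id"
    echo created
  fi
}

# Verifier side: record the pod's image id in ./image_id, then run
# in-toto-verify with a signed layout and its key (-l and -k as on the page).
# Needs a cluster and in-toto-verify; not exercised offline.
verify_pod() {
  pod="$1"; layout="$2"; key="$3"
  id=$(pod_image_id "$pod")
  write_image_id_file . "$id" >/dev/null
  in-toto-verify -l "$layout" -k "$key"
}
```

Running `render_layout_template root.layout.template "$(pod_image_id pod/myapp)"` produces the layout text to sign; `verify_pod pod/myapp root.layout owner_key` is the step the plugin automates.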
An example repository exists under the `example` directory. It contains all the tools you need to create a layout (using the Python implementation) and create signed metadata files (you will need Docker to build the container). If you're using minikube to run the example, I also suggest you expose the Docker socket before executing the functionary step so as to create the image inside the container.
This was very heavily based off of stefanprodan's kubectl-kubesec plugin.