5th chunk of `content/en/blog/_posts/2017-11-00-Securing-Software-Supply-Chain-Grafeas.md`
gpg --quick-generate-key --yes qa_bob@example.com
```


Export the QA signer's public key, with `${GPG_KEY_ID}` set to the key ID (or fingerprint) of the key just generated. The user ID given to `--export` must be the one the key was created with; exporting a user ID that is not in the keyring produces nothing:

```
gpg --armor --export qa_bob@example.com > ${GPG_KEY_ID}.pub
```


Create the `qa` AttestationAuthority note via the Grafeas API:

```
curl -X POST \
  "http://127.0.0.1:8080/v1alpha1/projects/image-signing/notes?noteId=qa" \
  -d @note.json
```


Create the Kubernetes ConfigMap that the admission controller reads, storing the QA signer's public key in it:

```
kubectl create configmap image-signature-webhook \
  --from-file ${GPG_KEY_ID}.pub

kubectl get configmap image-signature-webhook -o yaml
```


Set up an admission control webhook that requires a QA signature at deployment time. The webhook checks each container image against the attestations recorded under the `qa` note, using the public key stored in the ConfigMap above:

```
kubectl apply -f kubernetes/image-signature-webhook.yaml
```





**2. Attempt to deploy an image without QA attestation**

Attempt to run the image referenced in paymentProcessor.yaml before it has been QA attested. The manifest pins the image by digest, which is the resource the attestation is keyed on:

```
apiVersion: v1
kind: Pod
metadata:
  name: payment
spec:
  containers:
    - name: payment
      image: "gcr.io/hightowerlabs/payment@sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887"
```


Create the paymentProcessor pod:

```
kubectl apply -f pods/paymentProcessor.yaml
```


Notice that the paymentProcessor pod was not created: the admission webhook rejected the request, because no attestation for this image digest is recorded under the `qa` note, and returned the following error:

```
The  "" is invalid: : No matched signatures for container image: gcr.io/hightowerlabs/payment@sha256:aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887
```


**3. Create an image signature**

Assuming the digest-pinned image reference (the same string that becomes `resourceUrl` in the next step) is stored in image-digest.txt, clearsign it with the QA key:

```
gpg -u qa_bob@example.com \
  --armor \
  --clearsign \
  --output=signature.gpg \
  image-digest.txt
```



**4. Upload the signature to the Grafeas API**

Generate a pgpSignedAttestation occurrence from the signature. Note that signature.gpg is a multi-line clearsigned block and a JSON string may not contain raw newlines, so the heredoc below yields a file that a strict JSON parser rejects; if the server refuses it, build occurrence.json with a JSON-aware tool such as jq instead:

```
cat > occurrence.json <<EOF
{
  "resourceUrl": "$(cat image-digest.txt)",
  "noteName": "projects/image-signing/notes/qa",
  "attestation": {
    "pgpSignedAttestation": {
       "signature": "$(cat signature.gpg)",
       "contentType": "application/vnd.gcr.image.url.v1",
       "pgpKeyId": "${GPG_KEY_ID}"
    }
  }
}
EOF
```


Upload the attestation through the Grafeas API:

```
curl -X POST \
  'http://127.0.0.1:8080/v1alpha1/projects/image-signing/occurrences' \
  -d @occurrence.json
```



**5. Verify QA attestation during a production deployment**    
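As an added example (not the Grafeas project's code, nor the tutorial's webhook), the following Python ties steps 3 to 5 together and models the decision the image-signature-webhook has to make for the pod above: build the occurrence with a JSON encoder rather than a heredoc, recover the payload a clearsigned signature actually covers, and admit a pod only when every container image is digest-pinned and carries a signature from a trusted QA key over exactly that reference. The occurrence layout, note name, contentType and image digest come from the post; the key ID, the placeholder signature body, and the assumption that `resourceUrl` is the bare digest-pinned image reference as written in the pod spec are constructed for the example (if a webhook prefixes a scheme, normalize both sides the same way). The cryptographic check is delegated to `gpg --verify` in `gpg_verify`; `demo()` substitutes an always-true verifier so the policy logic runs offline.

```python
"""Attestation-gated admission check (added example; not Grafeas or tutorial code)."""
import json
import os
import re
import subprocess
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# Only digest-pinned references are accepted: a tag can be re-pointed after QA.
DIGEST_RE = re.compile(r"^[a-z0-9][a-z0-9._/-]*@sha256:[0-9a-f]{64}$")

# Image and note from the post; the key ID is an assumed stand-in for ${GPG_KEY_ID}.
PAYMENT_IMAGE = ("gcr.io/hightowerlabs/payment@sha256:"
                 "aba48d60ba4410ec921f9d2e8169236c57660d121f9430dc9758d754eec8f887")
QA_NOTE = "projects/image-signing/notes/qa"
QA_KEY_ID = "0123456789ABCDEF"

# Constructed stand-in for signature.gpg: the layout `gpg --clearsign` emits,
# with a placeholder where the base64 signature packet would be.
SAMPLE_ARMOR = ("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                f"{PAYMENT_IMAGE}\n-----BEGIN PGP SIGNATURE-----\n\n"
                "placeholder=\n-----END PGP SIGNATURE-----\n")

def clearsigned_text(armor: str) -> str:
    """Message a PGP clearsigned block (RFC 4880, section 7) covers: the lines after
    the 'Hash:' headers up to the signature, with '- ' dash-escaping removed."""
    lines = armor.splitlines()
    try:
        start = lines.index("-----BEGIN PGP SIGNED MESSAGE-----")
        end = lines.index("-----BEGIN PGP SIGNATURE-----", start)
    except ValueError:
        raise ValueError("not a PGP clearsigned message") from None
    body = lines[start + 1:end]
    if "" in body:
        body = body[body.index("") + 1:]
    return "\n".join(l[2:] if l.startswith("- ") else l for l in body)

def build_occurrence(resource_url: str, note: str, armor: str, key_id: str) -> str:
    """Same document as the post's occurrence.json, but json.dumps escapes the
    multi-line armor as \\n; a heredoc embeds raw newlines, which is not valid JSON."""
    return json.dumps({"resourceUrl": resource_url, "noteName": note,
                       "attestation": {"pgpSignedAttestation": {
                           "signature": armor,
                           "contentType": "application/vnd.gcr.image.url.v1",
                           "pgpKeyId": key_id}}}, indent=2)

def gpg_verify(armor: str, key_id: str, gnupghome: Optional[str] = None) -> bool:
    """Production verifier: `gpg --verify` in a keyring holding only the ConfigMap
    keys; accept only a VALIDSIG status line naming the expected key/fingerprint."""
    env = dict(os.environ, **({"GNUPGHOME": gnupghome} if gnupghome else {}))
    res = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify"],
                         input=armor.encode(), capture_output=True, env=env)
    return res.returncode == 0 and any(
        line.startswith("[GNUPG:] VALIDSIG") and key_id.upper() in line.upper()
        for line in res.stdout.decode(errors="replace").splitlines())

def admit(pod: Dict, occurrences: Iterable[Dict], required_note: str,
          trusted_keys: Set[str], verify: Callable[[str, str], bool]) -> Tuple[bool, str]:
    """Admission decision (allowed, reason). `verify` is gpg_verify in production;
    it is injected so the policy logic can be exercised offline."""
    for container in pod["spec"]["containers"]:
        image = container["image"]
        if not DIGEST_RE.match(image):
            return False, f"image {image} is not pinned by digest"
        for occ in occurrences:
            if occ.get("noteName") != required_note or occ.get("resourceUrl") != image:
                continue
            att = occ.get("attestation", {}).get("pgpSignedAttestation", {})
            if att.get("pgpKeyId") not in trusted_keys:
                continue          # signed by a key not trusted as the QA authority
            try:
                if clearsigned_text(att["signature"]) != image:
                    continue      # good signature over a different image: a replay
            except (KeyError, ValueError):
                continue
            if verify(att["signature"], att["pgpKeyId"]):
                break
        else:
            return False, f"No matched signatures for container image: {image}"
    return True, f"all images attested by {required_note}"

def demo() -> List[Tuple[bool, str]]:
    """The post's scenario with an offline stand-in verifier: denied before the
    attestation exists, allowed after, a replay onto another digest denied, a tag denied."""
    pod = lambda image: {"spec": {"containers": [{"name": "payment", "image": image}]}}
    occ = json.loads(build_occurrence(PAYMENT_IMAGE, QA_NOTE, SAMPLE_ARMOR, QA_KEY_ID))
    trust_all = lambda armor, kid: True   # stands in for gpg_verify; never use in production
    other = PAYMENT_IMAGE.replace("aba48d60", "deadbeef")
    return [admit(pod(PAYMENT_IMAGE), [], QA_NOTE, {QA_KEY_ID}, trust_all),
            admit(pod(PAYMENT_IMAGE), [occ], QA_NOTE, {QA_KEY_ID}, trust_all),
            admit(pod(other), [dict(occ, resourceUrl=other)], QA_NOTE, {QA_KEY_ID}, trust_all),
            admit(pod("gcr.io/hightowerlabs/payment:latest"), [occ], QA_NOTE, {QA_KEY_ID}, trust_all)]

if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The comparison of the signed text against the image reference is the part most easily skipped: a perfectly valid QA signature stored under a different `resourceUrl` would otherwise admit an image that was never reviewed. In production, `gpg_verify` should run in a GNUPGHOME populated only from the ConfigMap keys, so a signature from any other key cannot produce a VALIDSIG line, and the trusted key IDs passed to `admit` should be derived from those same keys rather than from the occurrence.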
