ํ”ผ๋“œ๋กœ ๋Œ์•„๊ฐ€๊ธฐ
๐Ÿ”Enforcing image provenance in Kubernetes using Cosign + Sigstore + Kyverno
Dev.to
Security

Enforcing K8s image integrity and building supply-chain security with the Cosign + Kyverno combination

๐Ÿ”Enforcing image provenance in Kubernetes using Cosign + Sigstore + Kyverno

Matteo Vitali · May 4, 2026 · 3 min · intermediate

Context

Using mutable image tags leaves the provenance of an image unclear and exposes the registry to tampering. The article analyses the structural limitation that results: the trust gap between build time and runtime allows unverified artifacts to be deployed into the cluster.

Technical Solution

  • Make GitLab CI/CD the root of trust by integrating the build and signing process into a single pipeline
  • Use Cosign to store a cryptographic signature matching the image in the OCI registry alongside it, as an artifact
  • Implement real-time signature verification at Pod creation through the Kyverno admission controller
  • Adopt a design that resolves images to an immutable digest, eliminating the possibility of tag tampering at its source
  • Strengthen runtime security with an Enforce policy that rejects unsigned images immediately at the admission stage

1. Consider introducing an immutable-digest-based verification scheme in place of mutable tags

2. Add a Cosign signing step to the CI/CD pipeline to define a trustworthy source

3. Use an admission controller such as Kyverno to enforce security policy at admission time rather than at runtime

4. Build a public-key-based verification infrastructure to remove dependence on the registry itself

์›๋ฌธ ์ฝ๊ธฐ