• Install Cosign

```shell
# Download the cosign release binary and put it on PATH
curl -sSL https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64 -o cosign
chmod +x cosign
sudo mv cosign /usr/local/bin/
```
```shell
# Create the ECR repository that will hold the signed image (scan on push enabled)
aws ecr create-repository \
  --repository-name nginx \
  --image-scanning-configuration scanOnPush=true \
  --region ap-northeast-2
```
```shell
# Install and start Docker on the build host
sudo yum install docker -y
sudo systemctl start docker
# Makes the Docker socket world-writable so the current user can run docker without sudo;
# adding the user to the docker group is the less permissive alternative
sudo chmod 666 /var/run/docker.sock
```
```shell
# Pull the upstream image, log in to ECR, then tag and push it to the new repository
docker pull nginx:1.14.2
aws ecr get-login-password --region ap-northeast-2 | docker login --username AWS --password-stdin <account_id>.dkr.ecr.ap-northeast-2.amazonaws.com
docker tag nginx:1.14.2 <account_id>.dkr.ecr.ap-northeast-2.amazonaws.com/nginx:1.14.2
docker push <account_id>.dkr.ecr.ap-northeast-2.amazonaws.com/nginx:1.14.2
```
• Generate Key

```shell
# Prompts for a password and writes cosign.key (private, encrypted) and cosign.pub (public)
cosign generate-key-pair
```
• Sign Image

```shell
# Signs the image in ECR with the private key; the signature is stored in the same registry
cosign sign --key cosign.key <account_id>.dkr.ecr.ap-northeast-2.amazonaws.com/nginx:1.14.2
```

• When prompted for the private key password, enter the password you set above.
```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-ecr-signed-images
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: require-signed-ecr-images
    match:
      any:
      - resources:
          kinds:
          - Pod
          - Deployment
    verifyImages:
    # "*" matches every image, so any image without a signature from this key is rejected.
    # This is the current Kyverno schema; older releases wrote the same rule as
    # `image: "*"` with a `key:` field.
    - imageReferences:
      - "*"
      attestors:
      - entries:
        - keys:
            publicKeys: |-
              -----BEGIN PUBLIC KEY-----
              <paste the body of cosign.pub here>
              -----END PUBLIC KEY-----
```
```shell
kubectl apply -f kyverno.yaml
```
```yaml
# Unsigned image from Docker Hub: not signed with cosign.key
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80
```
```shell
# Expected result: the policy rejects this Deployment because nginx:latest has no valid signature
kubectl apply -f nginx.yaml
```
```yaml
# Signed image pushed to ECR above
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  labels:
    app: nginx
spec:
  replicas: 3
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: <your_ecr_image>
        ports:
        - containerPort: 80
```
```shell
# Expected result: admitted, since the signature verifies against the public key in the policy
kubectl apply -f test.yaml
```
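As an added example that is not part of the original post, a small script that generates the ClusterPolicy above directly from cosign.pub (so the PEM lines land at the right indentation under the block scalar, the step the post leaves to hand-copying) and a server-side dry run for testing a manifest against the policy without creating anything. It assumes cosign.pub from `cosign generate-key-pair` and kubectl pointed at the cluster where Kyverno runs.

```shell
#!/bin/sh
# Added example, not the post's own code. Assumes cosign.pub next to this script
# and a kubectl context for the Kyverno cluster.
set -eu

# Emit the ClusterPolicy with the public key embedded under publicKeys.
render_policy() {
  pubkey_file="$1"
  cat <<'EOF'
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-ecr-signed-images
spec:
  validationFailureAction: Enforce
  background: true
  rules:
  - name: require-signed-ecr-images
    match:
      any:
      - resources:
          kinds:
          - Pod
          - Deployment
    verifyImages:
    - imageReferences:
      - "*"
      attestors:
      - entries:
        - keys:
            publicKeys: |-
EOF
  # Every PEM line must sit at the block scalar's indentation (14 spaces).
  sed 's/^/              /' "$pubkey_file"
}

# Verify the signature locally before relying on the admission policy.
verify_image() {
  cosign verify --key cosign.pub "$1" >/dev/null
}

# Server-side dry run: the API server runs admission webhooks (Kyverno included)
# but persists nothing, so an unsigned image is rejected without creating a Deployment.
dry_run_admission() {
  kubectl apply --dry-run=server -f "$1"
}

# Usage: render_policy cosign.pub > kyverno.yaml && kubectl apply -f kyverno.yaml
```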