[TEP-0091]Trusted Resources

[Yongxuanzhang]

This commit proposes one solution to veriy the Tekton Resources via
admission webhook. It aims at starting the discussion on this work and
drives the Trusted Resources launched to Alpha.

This is a fork of #537 and work from @wlynch, and adapt it based on the poc in https://github.com/tektoncd/experimental/tree/main/pipeline/trusted-resources

[Yongxuanzhang]

@wlynch @dibyom Looking forward to your comments!

[jerop]

/kind tep

[dibyom]

/assign @wlynch
/assign @dibyom

[dibyom]

/assign @afrittoli

[ywluogg]

@ywluogg

[wlynch]

Looks good! Just a few minor comments.

[wlynch]

fwiw, if we're adding this to Pipelines I wouldn't be opposed to adding this to the existing validation webhook. The separate webhook we were using in experimental was primarily to allow optional installation.

(that said, also fine to ship the second webhook to start if that simplifies things)

[Yongxuanzhang]

Oh ok. So should I include both options?

1. Add into existing webhook
2. Add a new webhook

[dibyom]

yeah packaging the new webhook into the pipeline webhook binary should be straightforward.

[Yongxuanzhang]

Ok got it!

[Yongxuanzhang]

I changed this section to add the verification into current admission webhook, and it should be gated by a new configmap.

[wlynch]

We should be careful not to expose new types to the users if we can avoid it - we should try to unexport these / put into an internal package if possible for the real impl.

[Yongxuanzhang]

you mean add all the stuff into existing tekton pipeline?

[Yongxuanzhang]

if we integrate into the pipeline then this shouldn't be a problem. I have changed the tep to propose to add to the pipeline

[wlynch]

We should be careful not to place too much trust into this option, since it can be mutated later by another user later on.

[wlynch]

If possible, could this be added to the status so that the data can be signed by SPIFFE/SPIRE?

[Yongxuanzhang]

We should be careful not to place too much trust into this option, since it can be mutated later by another user later on.

Oh yes, so for status did you mean this?https://github.com/tektoncd/pipeline/blob/6876520132f3bb22ff076e6a223b7114e936c611/pkg/apis/pipeline/v1beta1/taskrun_types.go#L120-L125

[Yongxuanzhang]

Updated the tep to propose adding a field under TaskRunStatus, and add the result into this new field

[wlynch]

3rd option - you might also be interested in returning a warning response for failure for non-enforced validation. https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#response

[Yongxuanzhang]

is it something we can do within knative's admission webhook?

[dibyom]

Not 100% sure but I think this might be possible by setting the DiagnosticLevel when retuning an apis.FieldError from the webhook validation

[Yongxuanzhang]

This is supported in knative 3 months ago. knative/pkg#2498
Just check the code pipeline is not updated to include this change but operator does.
I can update this in the tep

[pritidesai]

API WG - @dibyom is still reviewing and can merge offline - proposed TEP with PoC in experimental repo.

[dibyom]

Do you have a rough estimate of how long the resource fetch takes?

[Yongxuanzhang]

I don't have right now. It will depend on how revolver work and also what remote source we are fetching. For now I can make some experiment, like for the OCI case, if I pull it from docker hub, how long it will take. To get a rough estimate of it!

[Yongxuanzhang]

Tested a simple task oci bundle fetching from docker hub and the time is very short, can be ignored.

[dibyom]

I'm still a bit worried about the remote artifact fetch particularly if this is done as a validation webhook and uses remote resolution - that would involve the webhook creating a ResolutionRequest CR, waiting for the Resolver to finish resolving, and making a validation decision.

(One mitigation would be to do this verification in the reconciler (or the resolver) instead of in the admission webhook)

[Yongxuanzhang]

Yes, and this also needs to give webhook the permission to fetch the tasks/pipelines. It's not so difficult to do it after resolution.

[afrittoli]

How would this work with a validation webhook and remote resources?
Would the validation webhook apply to the TaskRun / PipelineRun? That would mean that both the webhook and controller would have to fetch remote resources, unless the controller would have a way to use the resources fetched by webhook.

[Yongxuanzhang]

How would this work with a validation webhook and remote resources? Would the validation webhook apply to the TaskRun / PipelineRun? That would mean that both the webhook and controller would have to fetch remote resources, unless the controller would have a way to use the resources fetched by webhook.

Yes you're right that both the webhook and controller would have to fetch remote resources if this feature is enabled and we want to have the verification in webhook.

Another option is that we can integrate the verification together with remote resolution, either in the reconciler after resolving or in the resolver.

[wlynch]

Something to balance when thinking about webhook vs reconcile validation - validation before admission is the safer strategy because the resource can be blocked before downstream informers are aware of them.

Other OCI based policy webhooks (OPA, Kyverno, sigstore/policy-controller) seem to do fine with network based lookups at admission time, though I get we also want to dedup fetching efforts between this and RemoteResolution.

If we go down the reconcile validation path, we should be careful about documenting when resources are considered trusted and how that information is exposed to users in the Run status (e.g. it might be worth having a dedicated termination status marking a Run as unverified?). Even then, there may still be some utility in a webhook based validation to make sure that the Run object itself hasn't been tampered with. 🤔

[dibyom]

Agreed with the caveats around reconciler based validation but I do think there is (or will be) a difference in the remote fetch between this webhook and OPA/policy controller - with remote resolution for resource fetches, the webhook will have to create a custom resource and then watch for update to its status as opposed to a sync HTTP request/response

[dibyom]

Wouldn't another mitigation be moving the verification from the webhook to the reconciler?

[Yongxuanzhang]

Correct me if I'm wrong.
If we move it to the reconciler, for local tasks/pipelines they still need to go through mutating webhook. And the content may be changed. The flow is:
mutating -> validation -> reconciler

[Yongxuanzhang]

I can do some research this week and see if there are better ways!

[dibyom]

You are right. One option is that we apply the SetDefaults() each time on reconcile instead of at admission time (so the object stored in etcd is not mutated)

Another possibility might be having the CLI that is doing the signing make a dry-run call to the API server to get the resource defaults set and sign that https://kubernetes.io/docs/reference/using-api/api-concepts/#dry-run

[Yongxuanzhang]

Oh thanks!
The dryrun is really helpful, Billy just also mentioned this.
Right now it is similar that I add call setdefaults during signing, the benefit is that it will not depend a running cluster, but it cannot guarantee that the setdefault is the same as the cluster's tekton. So I think what you're suggesting is better!

[wlynch]

+1 for moving defaults to the reconciler - the less we mutate the config before verification the better.

[Yongxuanzhang]

+1 for moving defaults to the reconciler - the less we mutate the config before verification the better.

I think people may not like this idea but I will keep this as an option. Because it is kind of against the original desgin of admission webhooks? That is all the request objects need to be mutated and then validate, and some validating logic assume that this object must be mutated.

We encountered some issues recently that resources not go through the mutating will fail in validating.
If we move mutating into reconciler then what stored in etcd is not mutated and fully validated.

If we can do verification->mutating->verification then it may be better?

[dibyom]

yeah packaging the new webhook into the pipeline webhook binary should be straightforward.

[dibyom]

Not 100% sure but I think this might be possible by setting the DiagnosticLevel when retuning an apis.FieldError from the webhook validation

[dibyom]

This sounds good to me @Yongxuanzhang -- have a couple of questions. I think once you squash the 2 commits, we can merge this.

[Yongxuanzhang]

Hi @wlynch @dibyom, I went through the comments of this tep,
So from your comment, we can add this into the current pipeline's webhook.
I have 2 questions regarding direction.

1. Do we need to worry about introducing more dependency into the pipeline? cosign and sigstore will be added into the go.mod, not sure if that is ok. But since SPIFFE/SPIRE also integrate into the pipeline, maybe that is fine?
2. We have the command line code for singing the yaml files. Where is the best place to put them? Under pipeline/cmd?

[Yongxuanzhang]

Hi @wlynch @dibyom, I went through the comments of this tep, So from your comment, we can add this into the current pipeline's webhook. I have 2 questions regarding direction.

1. Do we need to worry about introducing more dependency into the pipeline? cosign and sigstore will be added into the go.mod, not sure if that is ok. But since SPIFFE/SPIRE also integrate into the pipeline, maybe that is fine?
2. We have the command line code for singing the yaml files. Where is the best place to put them? Under pipeline/cmd?

1. The TEP is adjusted to add into Tektoncd/Pipeline
2. The signing can go to cmd, there is another tep before discussing adding sign/verify into tkn. This can be also considered

[dibyom]

Do we need to worry about introducing more dependency into the pipeline? cosign and sigstore will be added into the go.mod, not sure if that is ok. But since SPIFFE/SPIRE also integrate into the pipeline, maybe that is fine?

I think this is ok. If we really have to, it should be straightforward to split off into its own binary

We have the command line code for singing the yaml files. Where is the best place to put them? Under pipeline/cmd?

I think eventually this should make it into tkn

[dibyom]

Are you leaning towards one of these options at the moment?

[Yongxuanzhang]

Right now the implementation is based on callbacks in validation webhook of pipeline. I think the benefit of having it in webhook is that we can fail the run/build instantly when it fails the verification.

I discussed the integration with remote resolution in one of the working groups before, and Priti suggested me to wait until the remote resolution come to beta version.

[dibyom]

I think this good to merge as proposed though we should decide if it makes sense to support remote resources verification via a webhook or not.

/approve

[afrittoli]

Thanks for this.

I think there are still some details to be fleshed out, but it looks good for "proposed" status, this is definitely a capability we should have.

/approve

[afrittoli]

Is this sentence still up to date? An admission controller might not work for remote resources?

[Yongxuanzhang]

Thanks!

1. Right now it is not necessarily a new admission webhhook, after some experiments last week we can just add some new callbacks into Pipelines's validating webhook to do the verification. I will update the tep.
2. Correct me if I'm wrong, Admission controller should be able to fetch remote resources just like what we do in reconciler, right now the implementation can fetch the oci bundles using k8schain?

[afrittoli]

What are "builder images"? Are these the images used in the steps? If so, I would recommend to stick to the standard Tekton nomenclature to avoid confusion, and define any new nomenclature that needs to be introduced.

[Yongxuanzhang]

Yes, it refers to the step images. So should I use step images?

[afrittoli]

I think it would be good to expand on "the" private key.
Where does this key come from, what role does an author need to have to have access to a private key and sign resources, do we trust all signed resources or can specify a set of trusted signing keys?

[Yongxuanzhang]

Thanks! This is a great point.
The current idea/assumption is that, the private keys should come from the users who want to use this feature. So it is quite flexible that some users can have their own private keys and publish the public keys. Tektoncd or pipeline doesn't provide private keys right now.

[Yongxuanzhang]

If this makes sense, I can expand this section to clarify. Of if you have any other suggestions pls let me know. 😄

[wlynch]

possibly just a phrasing thing? the use of "the private" makes it sound like there's a preexisting key that users should use, when really IIUC this is just an arbitrary key pair under the users control?

Suggested change

	outputs to be trusted so that provenance attestations can be confidently made. The author will use the private key to sign the Resource and signatures are stored in `Annotations` map of the Resource. Public keys are stored as secrets or via URI stored in the configmap. Similar mechanism is used in [Chains](https://github.com/tektoncd/chains).
	outputs to be trusted so that provenance attestations can be confidently made. The author will use their own public/private key pair to sign the Resource and signatures are stored in `Annotations` map of the Resource. Public keys are stored as secrets or via URI stored in the configmap. Similar mechanism is used in [Chains](https://github.com/tektoncd/chains).

[wlynch]

actually reading on below with the configmap, might need some more clarification

[afrittoli]

Will the deployment be on by default and enforcement controlled via configuration?
Any implication on the operator here?

[Yongxuanzhang]

Will the deployment be on by default and enforcement controlled via configuration?

This will be gated by alpha and a new configmap, and by default it should just skip the verification. This section is not updated and I will update right now!

[afrittoli]

How would this work with a validation webhook and remote resources?
Would the validation webhook apply to the TaskRun / PipelineRun? That would mean that both the webhook and controller would have to fetch remote resources, unless the controller would have a way to use the resources fetched by webhook.

[afrittoli]

Not all Tekton resources are installed on the cluster, so the admission webhook will not catch remote resources and OCI bundles.

[Yongxuanzhang]

Yeah that's what we want to include in this verification process, we need to fetch these resources

[afrittoli]

Which webhook does this refer to?

[Yongxuanzhang]

This is the current validating webhook. I just updated it.

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: afrittoli, dibyom, wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• teps/OWNERS [afrittoli,dibyom,wlynch]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wlynch]

+1 for moving defaults to the reconciler - the less we mutate the config before verification the better.

[wlynch]

possibly just a phrasing thing? the use of "the private" makes it sound like there's a preexisting key that users should use, when really IIUC this is just an arbitrary key pair under the users control?

Suggested change

	outputs to be trusted so that provenance attestations can be confidently made. The author will use the private key to sign the Resource and signatures are stored in `Annotations` map of the Resource. Public keys are stored as secrets or via URI stored in the configmap. Similar mechanism is used in [Chains](https://github.com/tektoncd/chains).
	outputs to be trusted so that provenance attestations can be confidently made. The author will use their own public/private key pair to sign the Resource and signatures are stored in `Annotations` map of the Resource. Public keys are stored as secrets or via URI stored in the configmap. Similar mechanism is used in [Chains](https://github.com/tektoncd/chains).

[wlynch]

This will be difficult to support for multiple keys. You'll probably want a policy configuration similar to https://github.com/sigstore/policy-controller.

[Yongxuanzhang]

oh thanks!

[Yongxuanzhang]

Just checked this repo. So ClusterImagePolicy is actually a new CRD created? Maybe to support multiple keys we can also have a new keyref type in tekton?

[wlynch]

Something to balance when thinking about webhook vs reconcile validation - validation before admission is the safer strategy because the resource can be blocked before downstream informers are aware of them.

Other OCI based policy webhooks (OPA, Kyverno, sigstore/policy-controller) seem to do fine with network based lookups at admission time, though I get we also want to dedup fetching efforts between this and RemoteResolution.

If we go down the reconcile validation path, we should be careful about documenting when resources are considered trusted and how that information is exposed to users in the Run status (e.g. it might be worth having a dedicated termination status marking a Run as unverified?). Even then, there may still be some utility in a webhook based validation to make sure that the Run object itself hasn't been tampered with. 🤔

[Yongxuanzhang]

@jagathprakash

[Yongxuanzhang]

Summarize some discussions here cuz it may be difficult to track new replies:
Where should we do the verification?

1. Validating webhook: Fail fast of the resources but will need to do dup work of resources resolution.
2. Reconciler: The tampered resources may be persistent in storage, but no dup work no extra cost.
3. Mutating Webhook and Validating webhook: Mutating Webhook first verify, and mark the taskrun as fail or pass, later validating webhook can check and reject it. (Optional: The mutating webhook can also resign the resources via the private keys, so if there are case for multiple mutating webhook, they can be verified again. )

I personally prefer to do the verification in admission webhooks, so that we can make sure the resources who are not trusted be kept out of the gate.

[Yongxuanzhang]

How to avoid the impact from mutating webhooks to the verification, this is only a concern for local resources, those who are applied in. cluster:

1. Mitigation methods: call setdefaults when signing the yaml files, every time we bump the pipeline version or change the mutating webhooks, users may need to resign the files again.
2. Move mutating webhook into reconciler: The flow will be Validating+Verification -> Reconcile (Mutating+Validation). There are some validation logic based on mutating webhook. So this means we need to decouple this dependency.
3. Do verification in mutating webhook before all the mutations.

[dibyom]

@Yongxuanzhang thanks for the summary. Very helpful. Do you want to add these open questions to the TEP and we merge this PR or should we keep discussing those options on this PR itself? (I think I have a preference for the first option)

[Yongxuanzhang]

Where should we do the verification?

1. Validating webhook: Fail fast of the resources but will need to do dup work of resources resolution.
2. Reconciler: The tampered resources may be persistent in storage, but no dup work no extra cost.
3. Mutating Webhook and Validating webhook: Mutating Webhook first verify, and mark the taskrun as fail or pass, later validating webhook can check and reject it. (Optional: The mutating webhook can also resign the resources via the private keys, so if there are case for multiple mutating webhook, they can be verified again. )

Thank you! @dibyom 😄 I have included them and updated this PR. Maybe we can merge it first!

[dibyom]

/lgtm