[TrustTask] Trusted taskspec verification

[Yongxuanzhang]

Changes

This commit is an initial step of work for Trust Task.(Forked from tektoncd/community#537)

Prior this commit we cannot verify if the taskrun is manipulated or not before applying to the cluster.

This commit leverages cosign to do verification on taskspec. Admission webhook and verification on taskrun.spec will be introduced in following PRs. With these work we can deploy a standalone webhook for verification without changing current Tekton Pipeline APIs.

Submitter Checklist

These are the criteria that every PR should meet, please check them off as you
review them:

• Includes docs (if user facing)
• Commit messages follow commit message best practices
• Commit messages includes a project tag in the subject - e.g. [OCI], [hub], [results], [task-loops]

See the contribution guide
for more details.

[imjasonh]

Can you elaborate on this? Is there a doc or issue I can read to catch up on the goal of this project? It sounds very interesting 👍

[Yongxuanzhang]

Yes! This is proposed by @wlynch. The idea is to allow users to install/deploy a webhook in current tekton pipeline, where we can verify the remote resources (taskrun, pipelinerun, oci bundle etc.) with Cosign.
Maybe he can share the doc with you?

[wlynch]

super rough notes here: https://hackmd.io/93mfJPyDQKCyn0IKwjzgWQ#Design-Details - tl;dr it's basically a modification of Jason's original trusted task TEP, but using validation webhooks so we can prototype something before needing to make modifications to the Pipelines API.

[wlynch]

Initial pass - probably more to dig into but waiting on some of the structural changes to be made to simplify some of the impl.

[wlynch]

It's useful to have tests for both individual funcs (e.g. just the signature generation, etc.) as well as the overall verification. This way it's easier to figure out where exactly changes have been made if/when something breaks.

[Yongxuanzhang]

sure!

[Yongxuanzhang]

/test tekton-experimental-unit-tests

[afrittoli]

This is copy/paste from pipeline in pipeline?

[Yongxuanzhang]

yes, I will update them!

[wlynch]

I still need to go over tests, but this should get you started. I'd recommend breaking this up into 2 PRs:

1. Add TaskRun validation / signature checking libraries.
2. Creating AdmissionWebhook.

[wlynch]

I think this should be handled by knative (e.g. this is just duplicate of https://github.com/knative/pkg/blob/4fcbc1bc12e800965853ec9d6eafd293c2ae347a/webhook/resourcesemantics/validation/reconcile_config.go)?

[wlynch]

After reading through this and the other file, I think I get what you're trying to do here.

Instead of forking the resourcesemantics code, I think what we should try to do is lean on the handlers field and inject our own Validatable object.

e.g. I'm thinking something like...

func New(...) *controller.Impl {
	return validation.NewAdmissionController(ctx,
		"webhook.trustedtasks.tekton.dev",
		"/resource-validation",
		
		// List the types to validate, this from knative.dev/sample-controller
		map[schema.GroupVersionKind]resourcesemantics.GenericCRD{
			v1beta1.SchemeGroupVersion.WithKind("TaskRun"): &trustedTaskRun{},
		},

		nil,
		true,
	)
}

type trustedTaskRun = v1beta.TaskRun

func (*trustedTaskRun) Validate(ctx context.Context) {
	// validate here
	...
}

func (*trustedTaskRun) SetDefaults(ctx context.Context) {
	// Purposely do nothing
}

I think this should do what we want, but still let us rely on the knative controller code for cert management and webhook setup. We could also look into the callbacks field if handlers doesn't quite fit what we want.

[wlynch]

And if we're still stuck we can always reach out to the Knative folks on slack. 😃

[Yongxuanzhang]

Ah this looks interesting, but when we call the validate in webhook, how do we make sure it is calling this Validate not the one we have in v1beta.TaskRun?

and this code will get
invalid receiver type *"github.com/tektoncd/pipeline/pkg/apis/pipeline/v1beta1".TaskRun (type not defined in this package)

Do you mean something like this? (I tried to correct some syntax error but not sure if this is what we want)

type trustedTaskRun struct{
	v1beta1.TaskRun
}
func (tr *trustedTaskRun) Validate(ctx context.Context) (errs *apis.FieldError){
	// validate here
	fmt.Println("!!!! validate new")
	return nil
}

func (tr *trustedTaskRun) SetDefaults(ctx context.Context) {
	// do nothing
	fmt.Println("!!!! set defaults new")
}

[Yongxuanzhang]

This is resolved and can refer to this repo:
https://github.com/knative-sandbox/net-istio/blob/edc2d2a327/pkg/defaults/deployment_defaults.go

[wlynch]

Are we sure this will always be SHA256?

[Yongxuanzhang]

I also doubt there, this code is from chains...
https://github.com/tektoncd/chains/blob/122fe23242fd185c642fb82c042ef710de35850d/pkg/chains/signing/kms/kms.go#L41

[wlynch]

A local path on a remote resource is problematic, since this depends on the remote state to match what was done locally at signing.

This might make more sense if this was a reference to a secret?

[Yongxuanzhang]

refactored this a little bit

[wlynch]

I'd have 2 versions of this - one that's completely in memory and one that writes out the file. For most of the verify funcs, we can actually just generate the keys in memory and pass back a SignerVerifier. It's only for testing the e2e flows when reading from a file that we need to write this out.

[Yongxuanzhang]

not sure why this doesn't work, the error msg is
"Unable to fetch github.com/tektoncd/pipeline/pkg/client/resource/clientset/versioned.Interface from context. This context is not the application context (which is typically given to constructors via sharedmain).")

[wlynch]

Client injection needs to be done somewhere - typically this would be done by the sharedmain func in the controller, but in the unit test you need to do this yourself.

Luckily, knative client-gen gives us an easy solution for this! If you use this package instead of the normal fake client, it should work. https://pkg.go.dev/github.com/tektoncd/pipeline@v0.33.1/pkg/client/injection/client/fake

[Yongxuanzhang]

/assign @wlynch

[wlynch]

Client injection needs to be done somewhere - typically this would be done by the sharedmain func in the controller, but in the unit test you need to do this yourself.

Luckily, knative client-gen gives us an easy solution for this! If you use this package instead of the normal fake client, it should work. https://pkg.go.dev/github.com/tektoncd/pipeline@v0.33.1/pkg/client/injection/client/fake

[wlynch]

Also make sure to add a line here so that this can be included in presubmit tests -

experimental/test/presubmit-tests.sh

Line 61 in 2d43123

projects="cel commit-status-tracker generators helm hub oci pipeline/cleanup pipelines-in-pipelines pipeline-to-taskrun tekdoc task-loops notifiers/github-app cloudevents"

[wlynch]

Looking good! Few more small comments.

[wlynch]

My rule of thumb is - "would this be useful for a random person reading this in the logs with little/no context, or would this just be noise?"

Sometimes it means adding some more details / identifiers to be able to see what is going on with multiple requests.
Sometimes it's redundant and it's easiest to just remove them.

No wrong answer here, as long as we're being intentional about it! Use your best judgement.

[wlynch]

The thinking was we don't actually need the k8sclient - it's just a means to create the k8schain which eventually becomes an Option, so we can just plumb it all the way through.

It's not that big of a deal though. We can ignore this for now.

[wlynch]

Looking good! Please update the commit message / PR description to describe the changes we're making in this PR - see https://github.com/tektoncd/community/blob/main/standards.md#commits

[wlynch]

README needs to be updated, since the config files don't actually exist yet.

[wlynch]

Yay tests! This makes it much easier to see what is going on.

I'm okay with this as a first pass, but we'll want to address this in another PR.

As is, this is setting the signature of the TaskRun as the signature of the underlying Task - this means that you can actually tamper the TaskRun and still pass validation if you do something like...

apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
  name: read-repo-run
spec:
  taskRef:
    name: foo
  params:
-    bar: asdf
+    bar: <bad modified thing>

Since the signature is only capturing the TaskRef Task and not the entire TaskRun spec. This is also true for OCI and TaskSpec variants.
This would make sense as an annotation for the Task itself though!

[Yongxuanzhang]

Ah yes, so we should not only verify the embedded tasks but also the taskrun.spec.

[wlynch]

Almost there! One last thing - thanks for updating the PR message, but it looks like the commit message body is still empty. Can you add the commit description there as well? Thanks!

[wlynch]

/lgtm

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wlynch

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• pipeline/trusted-resources/OWNERS [wlynch]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wlynch]

/lgtm