github.com/cerbos/reimage
module package, version 0.9.2
Repository: https://github.com/cerbos/reimage.git
Documentation: pkg.go.dev

# README

Re-image

A tool for mass-updating the images referenced by Kubernetes manifests.

This is a Work In Progress, YMMV, configuration and settings may change.

  • Works with helm post-renderer, or arbitrary k8s manifests
  • Check images used by Deployments, StatefulSets, DaemonSets, CronJobs and Jobs (or arbitrary objects using jsonpath queries):
    • Exist (prevents deploying manifests with bad references)
    • Remap tags (e.g. latest) to a tag for the explicit digest they currently map to
    • Optionally copy images from third-party repositories to a known repository
    • Check that image scanning:
      • has completed (with a time-limited check retry)
      • found no CVEs above a certain score (with an overridable ignore list)
  • Can create GCP BinAuthz attestations for discovered image digests

This is intended to:

  • Prevent deploying assets with un-pullable images
  • Localise images for faster start times
  • Potentially improve availability by reducing runtime third party service dependencies (e.g. Dockerhub)
  • Help with compliance by pulling all images from registries with image scanning
  • Help with the use of in-cluster binary authorization

Renaming / Copying

$ cat manifest.yml | reimage \
  -rename-ignore 'docker.example.com/registry/spitfire/.+$' \
  -rename-remote-path 'docker.example.com/registry/spitfire/imported' \
  > manifest-out.yaml

This will update all the image fields of standard resource types in manifest.yml. All images matching -rename-ignore will be left alone; all other images will be updated to exist under the -rename-remote-path repository. The remote path is templateable (see -rename-template below); -rename-force-digest additionally converts the result to digest form.

If the images do not exist in the remote repository they will be copied to the new location. If the images have already been copied, copying can be disabled with -no-copy (repository actions can be slow, so this can be a significant speed-up).

If -rename-force-digest is enabled, the image will first be renamed and copied as above, but will then be transformed into its full resolved digest form. The final mapping (see below) will be from the original name to the full resolved digest form of the renamed image. This ensures in-cluster images are guaranteed stable, and is also required for clusters with an enforced Grafeas/Kritis/BinAuthz image policy.

The following flags control renaming and copying:

  -clobber
        allow overwriting remote images
  -no-copy
        disable copying of renamed images
  -rename-force-digest
        the final renamed image will be transformed to digest form before output
  -rename-ignore string
        ignore images matching this expression (default "^$")
  -rename-remote-path string
        template for remapping imported images
  -rename-template string
        template for remapping imported images (default "{{ .RemotePath }}/{{ .Registry }}/{{ .Repository }}:{{ .DigestHex }}")

Supporting Unknown K8S types

If you need to find images in non-standard k8s types, you can provide rules to help reimage find image fields. You can pass these rules using the -rules-config CLI flag.

- kind: ^Prometheus$                     # Regexp matching the k8s Kind of objects
  apiVersion: ^monitoring.coreos.com/v1$ # Regexp matching APIVersion of objects
  imageJSONP:
  - "$.spec.image"                       # JSONP queries that match image fields of a type

Stored Mappings

The mappings that result from the renaming of images can be written to a file, and/or directly to an OCI registry. You can then run reimage again, reading the exact set of mappings generated previously. This ensures that mappings of image tags to digests can be consistent between runs of reimage.

$ # write to a file
$ helm template <chart> | reimage \
  -write-mappings-file mappings.json \
  -remote-path example.com/registry/imported
$ # write to an image
$ helm template <chart> | reimage \
  -rename-remote-path 'docker.example.com/registry/spitfire/imported' \
  -write-mappings-img example.com/registry/imported/reimage-mapping:1234 \
  -remote-path example.com/registry/imported

The -mappings-only flag switches off the default YAML processing and instead applies any requested copying, vulnerability checking, and attestation to every image listed in the mappings file.

$ # read mappings from an image
$ reimage \
  -mappings-only \
  -static-mappings-img example.com/registry/imported/reimage-mapping:1234 \
  -remote-path example.com/registry/imported

If vulnerability scanning (see below) is performed when the mappings are being written, the CVEs that exist in an image but are below the maximum CVSS score, or explicitly ignored, are included in the written mappings. This makes it easy to audit CVEs for a specific image.

The following flags control mappings usage:

  -static-json-mappings-file string
        take all mappings from a mappings file
  -static-json-mappings-img string
        take all mapping from a mappings registry image
  -write-json-mappings-file string
        write final image mappings to a json file
  -write-json-mappings-img string
        write final image mapping to a registry image
  -mappings-only
        skip yaml processing, and image copying, and just run checks and attestations from images in mappings

Grafeas Vulnerability Checking

By default, reimage scans images by executing any command whose output is compatible with trivy's image-scanning JSON output (see -trivy-command).

Alternatively, reimage can check for Grafeas Discovery occurrences containing CVE checks for the discovered images. If discovery checking is enabled but no completed discovery has occurred, reimage will wait for a configurable time. Vulnerability checking is disabled by default, and can be enabled by setting -vulncheck-max-cvss. If you want to scan, but ignore all CVEs, use -vulncheck-max-cvss 11.

  -grafeas-parent string
        value for the parent of the grafeas client (e.g. "projects/my-project-id" for GCP)
  -trivy-command string
        the command to run to retrieve vulnerability scans in trivy's JSON format; the image id will be added as an additional arg (default "trivy image -f json")
  -vulncheck-method string
        force the vulnerability check method, (trivy or grafeas) (default "trivy")
  -vulncheck-ignore-cve-list string
        comma separated list of vulnerabilities to ignore
  -vulncheck-ignore-images string
        regexp of images to skip for CVE checks
  -vulncheck-max-cvss float
        maximum CVSS vulnerability score
  -vulncheck-timeout duration
        how long to wait for vulnerability scanning to complete (default 5m0s)
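An added Go example (not reimage's own implementation) of the policy the flags above describe: parse a trivy-style JSON report, take the highest CVSS score any source gives a CVE, and fail only on CVEs above -vulncheck-max-cvss that are not in -vulncheck-ignore-cve-list. The field names are assumed from trivy's JSON format, and the report and its CVE IDs are constructed placeholders:

```go
package main

import (
	"encoding/json"
	"math"
	"strings"
)

// trivyReport is the subset of trivy's `-f json` output read here; the field names are assumed from trivy's format.
type trivyReport struct {
	Results []struct {
		Vulnerabilities []struct {
			VulnerabilityID string
			CVSS            map[string]struct{ V2Score, V3Score float64 }
		}
	}
}

// CheckReport applies the README's policy: a CVE fails when its highest CVSS score from any source
// exceeds maxCVSS and it is not in the comma-separated ignore list; accepted CVEs are returned too.
func CheckReport(report []byte, maxCVSS float64, ignoreList string) (failed, accepted []string, err error) {
	var rep trivyReport
	if err = json.Unmarshal(report, &rep); err != nil {
		return nil, nil, err
	}
	ignored := map[string]bool{}
	for _, id := range strings.Split(ignoreList, ",") {
		ignored[strings.TrimSpace(id)] = true
	}
	for _, r := range rep.Results {
		for _, v := range r.Vulnerabilities {
			score := 0.0
			for _, s := range v.CVSS { // worst case across sources (nvd, redhat, ...)
				score = math.Max(score, math.Max(s.V3Score, s.V2Score))
			}
			if score > maxCVSS && !ignored[v.VulnerabilityID] {
				failed = append(failed, v.VulnerabilityID)
			} else {
				accepted = append(accepted, v.VulnerabilityID) // below the limit or explicitly ignored
			}
		}
	}
	return failed, accepted, nil
}

// SampleReport is a constructed trivy-style report with placeholder CVE IDs, not real findings.
const SampleReport = `{"Results":[{"Target":"example (alpine)","Vulnerabilities":[
 {"VulnerabilityID":"CVE-0000-0001","PkgName":"openssl","CVSS":{"nvd":{"V3Score":9.8},"redhat":{"V3Score":7.5}}},
 {"VulnerabilityID":"CVE-0000-0002","PkgName":"zlib","CVSS":{"nvd":{"V2Score":5.0,"V3Score":5.3}}},
 {"VulnerabilityID":"CVE-0000-0003","PkgName":"curl","CVSS":{"nvd":{"V3Score":8.1}}}]}]}`
```

The accepted list is what the stored-mappings section says gets recorded beside each image so its known, tolerated CVEs can be audited later.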

Grafeas Attestation

NOTE: At present, attestation support only works with Google Cloud BinAuthz attestors

reimage can add attestations for the images it has processed. For example, you can create an attestation recording that images were required by our helm deploys:

$ helmfile template --environment=staging | reimage \
     -grafeas-parent projects/my-registry \
     -binauthz-attestor projects/my-registry/attestors/helm-requires

Similarly, you can attest that all images have gone to staging (and perhaps have passed integration testing):

$ reimage \
     -mappings-only \
     -static-mappings-img example.com/registry/imported/reimage-mapping:1234 \
     -grafeas-parent projects/my-registry \
     -binauthz-attestor projects/my-registry/attestors/cleared-staging


# Functions

CompileJSONImageFinders builds an ImagesFinder that can find image configuration strings in arbitrary unstructured K8S JSON objects, using JSONP queries.
NewHistory starts a history for a given reference.
NewStaticRemapper creates a StaticRemapper.
ProcessK8s runs the Updater for each kubernetes resource found in the file.
ProcessRawYAML runs the Updater for each YAML document.

# Variables

DefaultLogger is a quick shortcut to the slog default logger.
DefaultRulesConfig is a set of additional, non-core rules for known existing image locations.
DefaultTemplateStr is a sensible default for importing images.
ErrAttestationNotFound is returned if no attestations are present for a given image digest.
ErrDiscoverNotFinished is returned when Vulnerability checking did not complete in time.
ErrDiscoveryNotFound is returned when no Vulnerability checking Discovery is associated with an image.
ErrSkip: if this is returned by ReMap, MultiRemapper will ignore this image and skip further processing.

# Structs

EnsureRemapper is a mapper that will copy the original image reference to the latest, possibly remote, reference.
GCPBinAuthzConcisePayload is a convenience wrapper around GCPBinAuthzPayload; it json.Marshals to a GCPBinAuthzPayload with the Type correctly set.
GCPBinAuthzPayload is the mandated attestation note for signing Docker/OCI images for Google's Binauthz implementation.
GrafeasAttester implements attestation creation and checking using Grafeas.
GrafeasVulnGetter checks that images have been scanned, and checks that they do not contain unexpected vulnerabilities.
History is the full set of updates performed so far.
IgnoreRemapper will return ErrSkip for any image name that matches the Ignore regexp.
ImageCheckError is returned by Check if unwanted vulnerabilities are found.
JSONImageFinderConfig describes the settings for finding arbitrary image fields in K8S types.
KMS uses Google Cloud KMS to sign and verify data.
QualifiedImage describes an image tag, at a specific digest.
RawYAML is intended to wrap objects returned from raw YAML unmarshaling; the Update method of RenameUpdater will process these by looking for images using FindImages (rather than FindK8sImages).
RecorderRemapper records all remappings up as they are seen.
RenameRemapper is a Remapper implementation that can rename an image to a remote registry/repository path.
RenameUpdater applies the Remapper to all images found in object passed to Update.
RepoTemplateInput is the input provided to the RemoteTmpl of the RepoRemapper.
StaticRemapper is a Remapper implementation that allows statically mapping incoming images to a pre-existing set of known target image names and digests.
VulnChecker checks that images have been scanned, and checks that they do not contain unexpected vulnerabilities.
VulnCheckResult is the result of a vulnerability check.

# Interfaces

GrafeasClient still isn't mockable, need to wrap it.
ImagesFinder specifies any mechanism for finding images within any k8s Unstructured data.
Keyer is an interface to a private key, for signing and verifying blobs.
KMSClient describes all the methods we require for a Google compatible signing service.
Logger is a subset of the slog interface.
A Remapper transforms OCI images references, and may perform side effects.
Updater is used by Process to search for, and update, images in k8s objects.

# Type aliases

ImageSetters is a list of one or more Setters.
MultiRemapper applies each remapper, passing results from one to the next.
A Setter is used for setting the string description of an image.