GitHub Workflow walkthrough

Important

As with all Azure deployments, this walkthrough will incur associated costs. Remember to tear down all related resources after use to avoid unnecessary charges.

Within this walkthrough, the following will be accomplished:

  • Azure resources will be provisioned and configured.
  • A GitHub Actions workflow will be configured. In this workflow, three workloads will be built, and pertinent security artifacts will be generated.
  • Upon deployment:
    1. One workload fails due to lack of security artifacts.
    2. The second workload fails because its security artifacts do not meet policy expectations.
    3. The third and final workload will pass policy checks and deploy successfully.

Important

This walkthrough describes one approach to ensuring the security and integrity of containerized workloads. It should be viewed as a pathway to potential success rather than a definitive template.

1 Configuration and environment settings

Note

Assumptions:

  • Workflows are enabled. The Actions tab in the GitHub UI provides instructions on how to enable them.
  • GitHub Environments are available. This feature requires either that the repository is public or that the user account has GitHub Pro, GitHub Team, or GitHub Enterprise.

1.1 Configuration

Custom variable values scoped to the current environment are needed to complete the steps in the walkthrough. A configuration file template is used to allow these values to be customized and persisted. Create the configuration file by running the following:

cp ./config/github/.configtemplate ./config/sssc.config

After the configuration file is created, it must be modified for the current environment. Open ./config/sssc.config and populate and/or update all of the applicable variables. The variables are described below.

Warning

When populating values do not use single quotes. If values contain spaces, use double quotes.

Variables (name, whether required, description, default value):

  • AZURE_SUBSCRIPTION_ID (optional): the Azure subscription used for resource provisioning. Default: the default Azure subscription.
  • GITHUB_REPO (required): the repository, in the form <github-org/repo-name>. No default.
  • AZURE_LOCATION (required): the Azure location in which to provision resources. Default: eastus
  • PROJECT (optional): string used as a prefix for the names of Azure resources and the GitHub environment. Limit this to 10 lowercase alphanumeric characters. Default: ssscsample
  • GATEKEEPER_VERSION (required): Gatekeeper version to deploy. Default: 3.14.0
  • RATIFY_VERSION (required): Ratify version to deploy. Default: 1.12.1
  • KUBERNETES_VERSION (required): Kubernetes version to use for the created AKS instance. Default: 1.27.7
  • GIT_BRANCH (required): the branch in which the workflow YAML file can be found; also used when the workflow is started programmatically. Default: main
  • TAGS (optional): if a policy on your Azure subscription requires tags, provide them formatted as TagName=TagValue. Otherwise, leave as-is. No default.
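The quoting and value rules above are easy to get wrong by hand, and init_environment.sh will carry any mistake into sssc.env. The following script is an added example, not part of the sample repository: it lints a sssc.config file against the rules stated in this section (required variables present, no single quotes, double quotes around values containing spaces, PROJECT at most 10 lowercase alphanumerics, GITHUB_REPO in org/repo form, TAGS as TagName=TagValue pairs). The variable names are taken from the table; the NAME=value, one-per-line, '#'-comment file layout is an assumption about the template, and the sample config at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the sample repository: lint ./config/sssc.config
# against the rules the walkthrough states, before running
# ./scripts/setup/init_environment.sh. Checks encoded here:
#   - every variable the table marks Required has a non-empty value
#   - no single quotes in values; a value containing spaces is double-quoted
#   - GITHUB_REPO looks like <github-org/repo-name>
#   - PROJECT is at most 10 lowercase alphanumeric characters
#   - TAGS, when set, holds one or more TagName=TagValue pairs
# The variable names come from the table; the NAME=value, one-per-line,
# '#'-comment file format is an assumption about the template.

REQUIRED_VARS="GITHUB_REPO AZURE_LOCATION GATEKEEPER_VERSION RATIFY_VERSION KUBERNETES_VERSION GIT_BRANCH"

# config_value FILE NAME: print NAME's value (last assignment wins) with
# surrounding double quotes removed
config_value() {
    v=$(sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1)
    v=${v#\"}
    v=${v%\"}
    printf '%s' "$v"
}

# validate_sssc_config FILE: print one line per problem; return 1 if any found
validate_sssc_config() {
    file=$1
    errors=0
    [ -r "$file" ] || { echo "config file not readable: $file"; return 1; }

    # Quoting rules, checked on the raw text of each assignment
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;               # blank lines and comments
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$value" in
            *"'"*)   echo "$name: single quotes are not allowed"; errors=$((errors + 1)) ;;
            '"'*'"') ;;                        # double-quoted: spaces permitted
            *' '*)   echo "$name: value with spaces must be double-quoted"; errors=$((errors + 1)) ;;
        esac
    done < "$file"

    for name in $REQUIRED_VARS; do
        [ -n "$(config_value "$file" "$name")" ] ||
            { echo "$name: required but empty"; errors=$((errors + 1)); }
    done

    repo=$(config_value "$file" GITHUB_REPO)
    case "$repo" in
        '') ;;                                 # already reported above
        */*/*|/*|*/) echo "GITHUB_REPO: expected <github-org/repo-name>"; errors=$((errors + 1)) ;;
        */*) ;;
        *)  echo "GITHUB_REPO: expected <github-org/repo-name>"; errors=$((errors + 1)) ;;
    esac

    project=$(config_value "$file" PROJECT)
    if [ -n "$project" ]; then
        case "$project" in
            *[!a-z0-9]*) echo "PROJECT: only lowercase letters and digits allowed"; errors=$((errors + 1)) ;;
        esac
        [ "${#project}" -le 10 ] || { echo "PROJECT: longer than 10 characters"; errors=$((errors + 1)); }
    fi

    for tag in $(config_value "$file" TAGS); do
        case "$tag" in
            ?*=*) ;;                           # TagName=TagValue
            *) echo "TAGS: '$tag' is not TagName=TagValue"; errors=$((errors + 1)) ;;
        esac
    done

    [ "$errors" -eq 0 ]
}

# Constructed sample config (example values, not the repository's template)
sample=$(mktemp)
cat > "$sample" <<'EOF'
AZURE_SUBSCRIPTION_ID=
GITHUB_REPO=example-org/sssc-sample
AZURE_LOCATION=eastus
PROJECT=ssscsample
GATEKEEPER_VERSION=3.14.0
RATIFY_VERSION=1.12.1
KUBERNETES_VERSION=1.27.7
GIT_BRANCH=main
TAGS="Owner=platform-team CostCenter=1234"
EOF
validate_sssc_config "$sample" && echo "$sample: OK"
rm -f "$sample"
```

Run it as `validate_sssc_config ./config/sssc.config` after editing the file; a non-zero exit with one message per problem means the file is not yet ready for init_environment.sh.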

1.2 Azure CLI login

Authenticate to Azure using the Azure CLI.

1.3 Validation and initialization

The following script will validate all required tooling has been installed. There will be no output to the terminal if no issues are found.

./scripts/setup/verify_prerequisites.sh

Initialize the local environment by generating an env file at ./scripts/config/sssc.env. The sssc.env file is created from the values in the previously configured ./config/sssc.config and is updated automatically as needed throughout the walkthrough.

./scripts/setup/init_environment.sh

2 Infrastructure provisioning and configuration

To use the GitHub CLI, authentication is required. Follow these instructions for authenticating to GitHub.

2.1 Provision Azure resources

All of the necessary resources can now be provisioned. Azure resources will be provisioned and configured as described in provisioned infrastructure.

Run the following script which will provision and configure all of the required infrastructure.

Note

This script will output status details to the terminal as it progresses. Wait until the script executes successfully to completion before moving onto creation and configuration of the GitHub workflow.

./scripts/infra/provision.sh

2.2 Create GitHub Workflow

Run the following script to create a new GitHub Actions workflow and environment. This workflow will be responsible for building/generating, signing and pushing artifacts which are used later in the walkthrough.

Note

This script will output status details to the terminal as it progresses. Wait until the script executes successfully to completion before moving onto running the workflow.

./scripts/pipelines/github/provision.sh

3 Pipeline execution

Important

Three sample applications, Trips, POI and User Profile, are referenced throughout this walkthrough. These applications have no significance for the walkthrough other than being used for AKS workload deployments and as a source for the creation of security artifacts.

Pipeline execution will produce the following artifacts for the previously mentioned sample applications:

For the Trips application:

  • The image is built, pushed to ACR and signed.
  • An SBOM is generated, attached to the image and signed.
  • The image and code are scanned for vulnerabilities.
  • The aggregated vulnerability scan result is attached to the image with OCI annotation org.opencontainers.image.created set to the current date and time and signed.

For the POI application:

  • The image is built and pushed to ACR.

For the User Profile application:

  • The image is built, pushed to ACR and signed.
  • An SBOM is generated, attached to the image and signed.
  • The image and code are scanned for vulnerabilities.
  • The aggregated vulnerability scan result is attached to the image with OCI annotation org.opencontainers.image.created set to the date and time two days ago, and signed.

Note

The key used to sign the Trips image and its artifacts differs from that used for the User Profile and its artifacts. Although both were signed by the same Certificate Authority (CA), they have different Subjects.
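The difference between the Trips and User Profile scan artifacts is only the org.opencontainers.image.created annotation, which is what a freshness policy evaluates. The script below is an added example, not code from the sample repository nor from Ratify or Gatekeeper: it reads that annotation from an artifact manifest and compares it with a maximum-age window. The 1-day window is an assumed policy value (the walkthrough does not state the real threshold), the manifest is constructed for the demonstration, and the age is computed from the date part of the timestamps with integer arithmetic so the check does not depend on GNU date.

```shell
#!/bin/sh
# Added example, not part of the sample repository or of Ratify/Gatekeeper:
# evaluate the org.opencontainers.image.created annotation on an attached
# vulnerability-scan artifact against a maximum-age policy. The walkthrough
# dates the Trips scan "now" and the User Profile scan two days ago; the
# 1-day window below is an assumed policy value, not one the sample states.

MAX_SCAN_AGE_DAYS=${MAX_SCAN_AGE_DAYS:-1}

# days_since_epoch YYYY-MM-DD: civil date -> Julian Day Number, integer
# arithmetic only (no dependence on GNU date extensions)
days_since_epoch() {
    y=${1%%-*}; rest=${1#*-}; m=${rest%%-*}; d=${rest#*-}
    m=${m#0}; d=${d#0}                      # avoid octal reading of 08/09
    a=$(( (14 - m) / 12 ))
    yy=$(( y + 4800 - a ))
    mm=$(( m + 12 * a - 3 ))
    echo $(( d + (153 * mm + 2) / 5 + 365 * yy + yy / 4 - yy / 100 + yy / 400 - 32045 ))
}

# scan_age_days CREATED NOW: whole days between two RFC 3339 timestamps,
# comparing the date part only
scan_age_days() {
    created_day=$(days_since_epoch "${1%%T*}")
    now_day=$(days_since_epoch "${2%%T*}")
    echo $(( now_day - created_day ))
}

# scan_is_fresh CREATED NOW [MAX_DAYS]: return 0 if the scan result is within
# the window; reject future-dated and stale results
scan_is_fresh() {
    max=${3:-$MAX_SCAN_AGE_DAYS}
    age=$(scan_age_days "$1" "$2")
    if [ "$age" -lt 0 ]; then
        echo "rejected: created timestamp $1 is in the future"; return 1
    elif [ "$age" -gt "$max" ]; then
        echo "rejected: scan result is $age day(s) old, policy allows $max"; return 1
    fi
    echo "accepted: scan result is $age day(s) old"
}

# created_annotation: read org.opencontainers.image.created from a manifest
# document on stdin (plain sed, no jq required)
created_annotation() {
    sed -n 's/.*"org\.opencontainers\.image\.created"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' | head -n 1
}

# Constructed manifest fragment (not output from the sample workflow); the
# artifactType is a placeholder
SAMPLE_MANIFEST='{"mediaType":"application/vnd.oci.image.manifest.v1+json","artifactType":"application/vnd.example.vuln-scan","annotations":{"org.opencontainers.image.created":"2024-03-01T09:30:00Z"}}'

created=$(printf '%s' "$SAMPLE_MANIFEST" | created_annotation)
for when in 2024-03-01T12:00:00Z 2024-03-03T12:00:00Z; do
    scan_is_fresh "$created" "$when" || true   # keep going after a rejection
done
```

With the same manifest, a "now" on the same day is accepted and a "now" two days later is rejected, which is the Trips versus User Profile outcome described above; the annotation must of course be read from a signed artifact, otherwise the date is attacker-controlled and the check is meaningless.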

Trigger the workflow by executing the following script. Once the workflow has started, the status can be viewed in GitHub UI in the Actions tab.

./scripts/pipelines/github/execute_github_workflow.sh

If manually triggering the workflow in the GitHub UI is preferred, a value for input 'Environment name' is required. The value can be found in the env variable GITHUB_DEPLOYMENT_ENV_NAME which can be retrieved by running:

. ./config/sssc.env && echo $GITHUB_DEPLOYMENT_ENV_NAME

Important

Ensure the workflow has completed successfully before continuing to View artifacts. The status can be viewed in GitHub in the Actions tab.


View artifacts