appvia/cosign-keyless-admission-webhook

GitHub: appvia/cosign-keyless-admission-webhook

A Kubernetes admission webhook that verifies image signatures with cosign keyless signing, so that only images from trusted sources can be deployed.

Stars: 24 | Forks: 1

# Cosign Keyless Kubernetes Admission Webhook [![Build](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/4876a23b65181514.svg)](https://github.com/appvia/cosign-keyless-admission-webhook/actions/workflows/ci.yml) [![Security scan](https://static.pigsec.cn/wp-content/uploads/repos/2026/06/fc48e6c3f5181521.svg)](https://github.com/appvia/cosign-keyless-admission-webhook/actions/workflows/security.yml) [![GitHub issues](https://img.shields.io/github/issues/appvia/cosign-keyless-admission-webhook.svg)](https://github.com/appvia/cosign-keyless-admission-webhook/issues) [![GitHub forks](https://img.shields.io/github/forks/appvia/cosign-keyless-admission-webhook.svg)](https://github.com/appvia/cosign-keyless-admission-webhook/network) [![GitHub stars](https://img.shields.io/github/stars/appvia/cosign-keyless-admission-webhook.svg)](https://github.com/appvia/cosign-keyless-admission-webhook/stargazers) [![GitHub license](https://img.shields.io/badge/license-MIT-blue.svg)](https://raw.githubusercontent.com/appvia/cosign-keyless-admission-webhook/main/LICENSE)

## Install

```
# If you do not have cert-manager yet
kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml
kubectl apply -k https://github.com/appvia/cosign-keyless-admission-webhook
```

## Usage

In the Pod spec, set the annotation `subject.cosign.sigstore.dev/CONTAINER_NAME`\* to the certificate subject and `issuer.cosign.sigstore.dev/CONTAINER_NAME`\* to the issuer.

### Full example

```
apiVersion: v1
kind: Pod
metadata:
  annotations:
    subject.cosign.sigstore.dev/demo: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demo: https://token.actions.githubusercontent.com
    subject.cosign.sigstore.dev/demoagain: https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main
    issuer.cosign.sigstore.dev/demoagain: https://token.actions.githubusercontent.com
  name: cosign-keyless-demo
spec:
  containers:
    - image: ghcr.io/chrisns/cosign-keyless-demo:latest
      name: demo
    - image: ghcr.io/chrisns/cosign-keyless-demo:latest
      name: demoagain
```

## 🚨🚨🚨 Why this might not work for you 🚨🚨🚨

- At least out of the box, it does not work for private registries or registries that merely require authentication; you would need to wire credentials into the deployment's secrets.
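As an added example that is not part of this repository, the following Python maps the per-container annotations described under Usage to the certificate identity and OIDC issuer that a keyless verification must match, and flags containers that lack one half of the pair or annotations that name no container. The sample Pod is constructed, and the `cosign verify` flag names are assumed from cosign 2.x rather than taken from the webhook.

```python
"""Map the webhook's per-container annotations to a cosign keyless verification policy."""
from typing import Dict, List, Tuple

SUBJECT_PREFIX = "subject.cosign.sigstore.dev/"
ISSUER_PREFIX = "issuer.cosign.sigstore.dev/"

# Constructed sample mirroring the README's Pod, plus a container with only a subject
# annotation and an orphan issuer annotation that names no container.
SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {
        "name": "cosign-keyless-demo",
        "annotations": {
            "subject.cosign.sigstore.dev/demo": "https://github.com/chrisns/cosign-keyless-demo/.github/workflows/ci.yml@refs/heads/main",
            "issuer.cosign.sigstore.dev/demo": "https://token.actions.githubusercontent.com",
            "subject.cosign.sigstore.dev/unsigned": "https://github.com/example/other/.github/workflows/ci.yml@refs/heads/main",
            "issuer.cosign.sigstore.dev/ghost": "https://token.actions.githubusercontent.com",
        },
    },
    "spec": {
        "containers": [
            {"name": "demo", "image": "ghcr.io/chrisns/cosign-keyless-demo:latest"},
            {"name": "unsigned", "image": "ghcr.io/chrisns/cosign-keyless-demo:latest"},
        ]
    },
}

def verification_policy(pod: dict) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return (container name -> cosign verify argv, list of policy errors).

    A container is admissible only when it carries both a subject and an issuer
    annotation; a missing half is an error, as is an annotation naming no container.
    """
    annotations = pod.get("metadata", {}).get("annotations") or {}
    containers = {c["name"]: c["image"] for c in pod.get("spec", {}).get("containers", [])}
    subjects = {k[len(SUBJECT_PREFIX):]: v for k, v in annotations.items() if k.startswith(SUBJECT_PREFIX)}
    issuers = {k[len(ISSUER_PREFIX):]: v for k, v in annotations.items() if k.startswith(ISSUER_PREFIX)}
    commands, errors = {}, []
    for name, image in containers.items():
        if name not in subjects or name not in issuers:
            errors.append(f"container {name!r}: missing subject and/or issuer annotation")
            continue
        # Equivalent cosign 2.x CLI check (flag names assumed, not taken from the webhook).
        commands[name] = ["cosign", "verify", "--certificate-identity", subjects[name],
                          "--certificate-oidc-issuer", issuers[name], image]
    for orphan in sorted((set(subjects) | set(issuers)) - set(containers)):
        errors.append(f"annotation for {orphan!r} matches no container in the Pod spec")
    return commands, errors
```

Run `verification_policy(SAMPLE_POD)` to see one verifiable container (`demo`) and two policy errors; a webhook admitting a Pod with any error would let an unverified image through.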
Tags: APT groups, cert-manager, Cosign, GitHub Actions, MIT license, PyVis, Sigstore, web screenshots, admission controllers, subdomain mutation, security policy, container security, open-source frameworks, abstraction layers, continuous integration, prompt design, keyless signing, log auditing, automated notes, custom scripts, image signing, image verification