Supply Chain Admission Policies

Learn how to create, assign, and monitor Supply Chain Admission Policies in Sysdig Secure to enforce image-signing and compliance best practices.

Create and Assign Policies

To create and assign Supply Chain Policies for evaluation with the Sysdig Admission Controller, see Supply Chain Policies.

When creating a Supply Chain Policy, validate the rules and scopes in a lower-tier or non-production environment before deployment.
Testing policies beforehand helps prevent workload disruptions in production environments.

Supply Chain Events

You can observe Supply Chain Admission Control events in two locations within the Sysdig Secure platform:

  • The command-line interface (CLI) where the action was performed.
  • The Events Feed.

For use cases, see Use Cases and Examples.

Use Cases and Examples

The following examples demonstrate how you can use the Sysdig Admission Controller to enforce organizational best practices through Supply Chain Policies.

Validate Image Signatures for Workloads Outside the kube-system Namespace

Using the Sysdig Image Signature Validation policy, you can deny the use of unsigned or unverified container images outside system namespaces such as kube-system, where Kubernetes deploys its core components. To validate image signatures for all other namespaces, do the following:

  1. In the Sysdig Secure UI, go to Policies > Supply Chain and create a Sysdig Image Signature Validation policy with the following configuration:

    • Name: Block Unsigned Images in Non System Namespace
      Provide an optional description.
    • Validation Method: Choose the method that matches your signing model, and enter the required details.
    • Scope: Under the Scopes section, select kubernetes.namespace.name.
    • Operator: Set to not in.
    • Value: Enter kube-system, plus any other namespaces that host cluster infrastructure. The policy does not evaluate workloads in the namespaces listed here; it evaluates everything else.
    • Action: Select Reject Image.
  2. Save the policy and test it by deploying a non-compliant workload. Observe the failures in both the CLI output during kubectl execution and in the Events Feed.

CLI Example

Create the test workload in a namespace that the policy scope does not exclude (here, default). In this example httpd-server.yaml is a Deployment manifest whose container is named httpd-server and runs the unsigned httpd:latest image:

kubectl create -f httpd-server.yaml -n default

Error from server: error when creating "httpd-server.yaml": admission webhook "vac.secure.sysdig.com" denied the request:
[Supply Chain Engine] Failed checks for container httpd-server. Failing policies: [Block Unsigned Images in Non System Namespace]
Violations:
x failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1

The request is rejected at admission time, so no Deployment object is created. The violation line is reported by the signature verifier: no transparency-log entry was found for the image, so the signature could not be verified. Because kube-system is excluded by the scope, this policy does not evaluate (and therefore does not reject) the same manifest when it is created in kube-system.
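When policy tests like the one above run in a CI job, the kubectl error text is all the pipeline sees, so it helps to turn it into structured fields (webhook, container, failing policies, violations) rather than grepping for a string. The following parser is an added example for this page, not Sysdig code: it uses a constructed stderr sample shaped like the CLI output above. It assumes the message layout shown here (one "Failed checks for container ... Failing policies: [...]" line followed by a "Violations:" block with "x "-prefixed lines) and that multiple policy names inside the brackets are comma-separated, which is an assumption, not something the page states.

```python
"""Parse a Sysdig Admission Controller denial (as printed by kubectl) into fields."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample stderr, shaped like the CLI example on this page.
SAMPLE_DENIAL = """\
Error from server: error when creating "httpd-server.yaml": admission webhook "vac.secure.sysdig.com" denied the request:
[Supply Chain Engine] Failed checks for container httpd-server. Failing policies: [Block Unsigned Images in Non System Namespace]
Violations:
x failed to verify log inclusion: not enough verified log entries from transparency log: 0 < 1
"""

# Name of the Sysdig admission webhook as it appears in the denial message.
SYSDIG_WEBHOOK = "vac.secure.sysdig.com"

WEBHOOK_RE = re.compile(r'admission webhook "([^"]+)" denied the request')
CHECKS_RE = re.compile(r'Failed checks for container (\S+?)\.\s*Failing policies: \[(.*?)\]')


@dataclass
class AdmissionDenial:
    webhook: str
    container: str
    policies: List[str]
    violations: List[str]


def parse_admission_denial(stderr: str) -> Optional[AdmissionDenial]:
    """Return the structured denial, or None if stderr is not a webhook denial."""
    wh = WEBHOOK_RE.search(stderr)
    if wh is None:
        return None  # e.g. a YAML syntax error or RBAC failure, not an admission denial

    container = ""
    policies: List[str] = []
    checks = CHECKS_RE.search(stderr)
    if checks is not None:
        container = checks.group(1)
        # Assumption: several policy names inside the brackets are comma-separated.
        policies = [p.strip() for p in checks.group(2).split(",") if p.strip()]

    # Collect the "x ..." lines that follow the "Violations:" marker.
    violations: List[str] = []
    in_block = False
    for line in stderr.splitlines():
        stripped = line.strip()
        if stripped == "Violations:":
            in_block = True
            continue
        if in_block and stripped.startswith("x "):
            violations.append(stripped[2:].strip())

    return AdmissionDenial(wh.group(1), container, policies, violations)


def is_supply_chain_denial(denial: Optional[AdmissionDenial]) -> bool:
    """True when the rejection came from the Sysdig webhook and names at least one policy."""
    return denial is not None and denial.webhook == SYSDIG_WEBHOOK and bool(denial.policies)


def summarize(denial: AdmissionDenial) -> str:
    """One-line summary suitable for a CI log or a pipeline annotation."""
    return (f"container={denial.container} policies={'; '.join(denial.policies)} "
            f"violations={len(denial.violations)}")


if __name__ == "__main__":
    d = parse_admission_denial(SAMPLE_DENIAL)
    if is_supply_chain_denial(d):
        print(summarize(d))
        for v in d.violations:
            print("  -", v)
```

In a pipeline, a denial whose policy list includes the expected policy name confirms the policy is in force; a successful create in the same non-system namespace means the scope or action is misconfigured, and a denial when creating in kube-system means the namespace exclusion is not matching.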

Events Feed Example