Getting Started
Note You can follow this interactive tutorial to get started with Ratify within 5 minutes in an online playground.
Try out ratify in Kubernetes through Gatekeeper as the admission controller.
Prerequisites:
- Kubernetes v1.20 or higher
- OPA Gatekeeper v3.10 or higher
- helmfile v0.14 or higher. For production use and if you would like to avoid automatic installation of resources using helmfile, please refer to ratify-quickstart-manual.md for manual install steps.
Step 1: Install Gatekeeper, Ratify, and Constraints
helmfile sync -f git::https://github.com/deislabs/ratify.git@helmfile.yaml
Step 2: See Ratify in action
Once the installation is completed, you can test the deployment of an image that is signed using Notation solution.
- This will successfully create the pod
demo
kubectl run demo --image=ghcr.io/deislabs/ratify/notary-image:signed -n default
kubectl get pods demo -n default
Optionally you can see the output of the pod logs via: kubectl logs demo
- Now deploy an unsigned image
kubectl run demo1 --image=ghcr.io/deislabs/ratify/notary-image:unsigned -n default
You will see a deny message from Gatekeeper denying the request to create it as the image doesn't have any signatures.
Error from server (Forbidden): admission webhook "validation.gatekeeper.sh" denied the request: [ratify-constraint] Subject failed verification: wabbitnetworks.azurecr.io/test/net-monitor:unsigned
You just validated the container images in your k8s cluster!
Step 4: Uninstall
helmfile destroy --skip-charts -f git::https://github.com/deislabs/ratify.git@helmfile.yaml
Notes
If the image reference provided resolves to an OCI Index or a Docker Manifest List, validation will occur ONLY at the index or manifest list level. Ratify currently does NOT support image validation based on automatic platform selection. For more information, see this issue.