stolostron
diff --git a/‎.travis.yml
Lines changed: 0 additions & 1 deletion b/‎.travis.yml
Lines changed: 0 additions & 1 deletion
diff --git a/‎CatalogSource.yaml
Lines changed: 13 additions & 0 deletions b/‎CatalogSource.yaml
Lines changed: 13 additions & 0 deletions
diff --git a/‎Makefile
Lines changed: 110 additions & 137 deletions b/‎Makefile
Lines changed: 110 additions & 137 deletions
diff --git a/‎README.md
Lines changed: 65 additions & 56 deletions b/‎README.md
Lines changed: 65 additions & 56 deletions
diff --git a/‎build/build_bundle.sh
Lines changed: 2 additions & 2 deletions b/‎build/build_bundle.sh
Lines changed: 2 additions & 2 deletions
diff --git a/‎build/build_images.sh
Lines changed: 45 additions & 41 deletions b/‎build/build_images.sh
Lines changed: 45 additions & 41 deletions
diff --git a/‎build/check-bundle-deployment-local.sh
Lines changed: 1 addition & 1 deletion b/‎build/check-bundle-deployment-local.sh
Lines changed: 1 addition & 1 deletion
diff --git a/‎build/clean-e2e-bundle-test-local.sh
Lines changed: 6 additions & 6 deletions b/‎build/clean-e2e-bundle-test-local.sh
Lines changed: 6 additions & 6 deletions
@@ -81,7 +81,6 @@ jobs:
     - stage: publish
       name: "Publish the image to quay with an official version/sha tag and publish entry to integration pipeline stage"
       if: env(ENABLE_PUBLISH) = true AND branch =~ /^release-[0-9]+\..*$/
-      #type = push AND branch = master
       script:
         - |
           make init
 
@@ -0,0 +1,13 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: CatalogSource
+metadata:
+  name: new-integrity-shield-operator-catalog
+  namespace: openshift-marketplace # olm
+spec:
+  displayName: Integrity Shield++ Operator
+  image: gcr.io/clean-resource-318209/integrity-shield-operator-index:0.2.5
+  publisher: IBM
+  sourceType: grpc
+  updateStrategy:
+    registryPoll:
+      interval: 45m
@@ -1,67 +1,76 @@
-# Integrity Shield (IShield)
-   
-Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It includes signature based configuration drift prevention based on [Admission Webhook](https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/) on Kubernetes cluster.
+# integrity-shield
+Integrity Shield is a tool for built-in preventive integrity control for regulated cloud workloads. It provides signature-based assurance of integrity for Kubernetes resources at cluster side.  
 
-## Goal
-
-The goal of Integrity Shield is to provide assurance of the integrity of Kubernetes resources.  
-
-Resources on a Kubernetes cluster are defined in various form of artifacts such as YAML files, Helm charts, Operator, etc., but those artifacts may be altered maliciously or unintentionally before deploying them to cluster. 
-This could be an integrity issue. For example, some artifact may be modified to inject malicous scripts and configurations inside in stealthy manner, then admininstrator may be in risk of deploying it without knowing the falsification.
-
-Integrity Shield (IShield) provides signature-based assurance of integrity for Kubernetes resources at cluster side. IShield works as an Admission Controller which handles all incoming Kubernetes admission requests, verifies if the requests attached a signature, and blocks any unauthorized requests according to the shield policy before actually persisting in etcd.  will helps cluster adminstrator to ensure
-- Allow to deploy authorized application pakcages only
-- Allow to use signed deployment params only
-- Zero-drift in resource configuration unless allowed explicitly
-- Perform all integrity verification on cluster (admission controller, not in client side)
-- Handle variations in application packaging and deployment (Helm /Operator /YAML / OLM Channel) with no modification in app installer
-
+Integrity Shield works with OPA/Gatekeeper, verifies if the requests attached a signature, and blocks any unauthorized requests according to the constraint before actually persisting in etcd. 
+Also, you can use the [admission controller](./webhook/admission-controller/README.md) instead of OPA/Gatekeeper.
 
 ![Scenario](./docs/ishield-scenario.png)
 
-## Quick Start
-See [Quick Start](./docs/README_QUICK.md)
+## integrity shield api
 
-## Supported Platforms
+Integrity shield api includes the main logic to verify admission requests. 
+Integrity shield api receives a k8s resource from OPA/Gatekeeper, validates the resource which is included in the admission request based on the profile and sends the verification result to OPA/Gatekeeper.
+Integrity shield api uses [k8s-manifest-sigstore](https://github.com/sigstore/k8s-manifest-sigstore) internally to verify k8s manifest.
 
-Integrity Shield works as Kubernetes Admission Controller using Mutating Admission Webhook, and it can run on any Kubernetes cluster by design. 
-IShield can be deployed with operator. We have verified the feasibility on the following platforms:
+You can enable the protection by integrity shield with a few simple steps.
+Please see [Usage](./shield/README.md).
 
-- [RedHat OpenShift 4.5 and 4.6](https://www.openshift.com/)
-- [RedHat OpenShift 4.3 on IBM Cloud (ROKS)](https://www.openshift.com/products/openshift-ibm-cloud)
-- [IBM Kuberenetes Service (IKS)](https://www.ibm.com/cloud/container-service/) 1.17.14
-- [Minikube v1.19.1](https://kubernetes.io/docs/setup/learning-environment/minikube/)
+## gatekeeper constraint
+Integrity shield works with OPA/Gatekeeper by installing ConstraintTemplate(`template-manifestintegrityconstraint.yaml` ).
+We use [constraint framework](https://open-policy-agent.github.io/gatekeeper/website/docs/howto/#constraints) of OPA/Gatekeeper to define the resources to be protected.
 
-## How Integrity Shield works
-- Resources to be protected in each namespace can be defined in the custom resource called `ResourceSigningProfile`. For example, the following snippet shows an example definition of protected resources in a namespace. This `ResourceSigningProfile` resource includes the matching rule for specifiying resources to such as ConfigMap, Depoloyment, and Service in a namespace `secure-ns`, which is protected by , so any matched request to create/update those resources are verified with signature.  (see [Define Protected Resources](./docs/README_FOR_RESOURCE_SIGNING_PROFILE.md))
-
-  ```yaml
-  apiVersion: apis.integrityshield.io/v1alpha1
-  kind: ResourceSigningProfile
-  metadata:
-    name: sample-rsp
-  spec:
-    targetNamespaceSelector:
-      include:
-      - "secure-ns"
-      exclude:
-      - "kube-*"
-    protectRules:
-    - match:
-      - kind: ConfigMap
+For example, the following snippet shows an example definition of protected resources in a namespace. 
+```
+apiVersion: constraints.gatekeeper.sh/v1beta1
+kind: ManifestIntegrityConstraint
+metadata:
+  name: deployment-constraint
+spec:
+  match:
+    kinds:
+    - kinds: ["Deployment"]
+      apiGroups: ["apps"]
+    namespaces:
+    - "sample-ns"
+  parameters:
+    inScopeObjects:
+    - name: sample-app
+    signers:
+    - [email protected]
+    ignoreFields:
+    - objects:
       - kind: Deployment
-      - kind: Service
-  ```
-
-- Adminssion request to the protected resources is blocked at Mutating Admission Webhook, and the request is allowed only when the valid signature on the resource in the request is provided.
-- Signer can be defined for each namespace independently. Signer for cluster-scope resources can be also defined. (see [Signer Configuration](./docs/README_SIGNER_CONFIG.md).)
-- Signature is provided in the form of separate signature resource or annotation attached to the resource. (see [How to Sign Resources](./docs/README_RESOURCE_SIGNATURE.md))
-- Integrity Shield admission controller is installed in a dedicated namespace (e.g. `integrity-shield-operator-system` in this document). It can be installed by operator. (see [Integrity Shield Custom Resource](./docs/README_ISHIELD_OPERATOR_CR.md) for detail install options.)
-
+      fields:
+      - spec.replicas
+```
+`ManifestIntegrityConstraint` resource includes the parameters field. In the parameters field, you can configure the profile for verifying resources such as ignoreFields for allowing some requests that match this rule, signers, and so on.
+
+## admission controller
+This is an admission controller for verifying k8s manifest with sigstore signing. You can use this admission controller instead of OPA/Gatekeeper.
+In this case, you can decide which resources to be protected in the custom resource called `ManifestIntegrityProfile` instead of OPA/Gatekeeper constraint.
+
+The following snippet is an example of `ManifestIntegrityProfile`.
+```
+apiVersion: apis.integrityshield.io/v1alpha1
+kind: ManifestIntegrityProfile
+metadata:
+  name: profile-configmap
+spec:
+  match:
+    kinds:
+    - kinds:
+      - ConfigMap
+    namespaces:
+    - sample-ns
+  parameters:
+    ignoreFields:
+    - fields:
+      - data.comment
+      objects:
+      - kind: ConfigMap
+    signers:
+    - [email protected]
+```
 
-## Quick Start
-See [Quick Start](./docs/README_QUICK.md)
+You can set up the admission controller with a few simple steps. Please see [admission controller](./webhook/admission-controller/README.md).
 
-<!---
-Date: 8/18/2021
--->
 
@@ -143,6 +143,6 @@ elif [ "${ISHIELD_ENV}" = "local" ]; then
 fi
 echo "Completed building bundle and index"
 
-targetFile="${SHIELD_OP_DIR}/bundle.Dockerfile"
-licenseFile="${SHIELD_OP_DIR}/license.txt"
+targetFile="${SHIELD_OP_DIR}bundle.Dockerfile"
+licenseFile="${SHIELD_OP_DIR}license.txt"
 $ISHIELD_REPO_ROOT/build/add_license.sh $targetFile $licenseFile
@@ -42,13 +42,13 @@ if [ -z "$ISHIELD_REPO_ROOT" ]; then
     exit 1
 fi
 
-if [ -z "$ISHIELD_SERVER_IMAGE_NAME_AND_VERSION" ]; then
-    echo "ISHIELD_SERVER_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."
+if [ -z "$ISHIELD_API_IMAGE_NAME_AND_VERSION" ]; then
+    echo "ISHIELD_API_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."
     exit 1
 fi
 
-if [ -z "$ISHIELD_LOGGING_IMAGE_NAME_AND_VERSION" ]; then
-    echo "ISHIELD_LOGGING_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."
+if [ -z "$ISHIELD_ADMISSION_CONTROLLER_IMAGE_NAME_AND_VERSION" ]; then
+    echo "ISHIELD_ADMISSION_CONTROLLER_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."
     exit 1
 fi
 
@@ -57,6 +57,11 @@ if [ -z "$ISHIELD_OBSERVER_IMAGE_NAME_AND_VERSION" ]; then
     exit 1
 fi
 
+# if [ -z "$ISHIELD_INSPECTOR_IMAGE_NAME_AND_VERSION" ]; then
+#     echo "ISHIELD_INSPECTOR_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."
+#     exit 1
+# fi
+
 if [ -z "$ISHIELD_OPERATOR_IMAGE_NAME_AND_VERSION" ]; then
     echo "ISHIELD_OPERATOR_IMAGE_NAME_AND_VERSION is empty. Please set IShield build env settings."
     exit 1
@@ -68,35 +73,27 @@ if [ -z "$ISHIELD_OPERATOR" ]; then
 fi
 
 
-SERVICE_NAME=ishield-server
-
-
-BASEDIR=./deployment
-DOCKERFILE=./image/Dockerfile
-LOGG_BASEDIR=${ISHIELD_REPO_ROOT}/logging/
-OBSV_BASEDIR=${ISHIELD_REPO_ROOT}/observer/
-OPERATOR_BASEDIR=${ISHIELD_REPO_ROOT}/integrity-shield-operator/
-
-# Build ishield-server image
+# Build ishield-api image
 echo -----------------------------
-echo [1/4] Building ishield-server image.
-cd ${ISHIELD_REPO_ROOT}/shield
+echo [1/4] Building ishield-api image.
+cd ${SHIELD_DIR}
+go mod tidy
 exit_status=$?
 if [ $exit_status -ne 0 ]; then
     echo "failed"
     exit 1
 fi
-CGO_ENABLED=0 GOOS=linux go build -ldflags="-s -w" -o image/${SERVICE_NAME} ./cmd/${SERVICE_NAME}
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags="-s -w" -a -o build/_bin/ishield-api ./
 exit_status=$?
 if [ $exit_status -ne 0 ]; then
     echo "failed"
     exit 1
 fi
 
 if [ "$NO_CACHE" = true ] ; then
-    docker build -f ${DOCKERFILE} -t ${ISHIELD_SERVER_IMAGE_NAME_AND_VERSION} image/ --no-cache
+     docker build -t ${ISHIELD_API_IMAGE_NAME_AND_VERSION} . --no-cache
 else
-    docker build -f ${DOCKERFILE} -t ${ISHIELD_SERVER_IMAGE_NAME_AND_VERSION} image/
+    docker build -t ${ISHIELD_API_IMAGE_NAME_AND_VERSION} .
 fi
 
 exit_status=$?
@@ -108,19 +105,26 @@ echo done.
 echo -----------------------------
 echo ""
 
-# Build ishield-logging image
+# Build ishield-ac-server image
 echo -----------------------------
-echo [2/4] Building ishield-logging image.
-cd ${LOGG_BASEDIR}
+echo [2/4] Building ishield-ac-server image.
+cd ${SHIELD_AC_DIR}
+go mod tidy
+exit_status=$?
+if [ $exit_status -ne 0 ]; then
+    echo "failed"
+    exit 1
+fi
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags="-s -w" -o build/_bin/k8s-manifest-sigstore ./
 exit_status=$?
 if [ $exit_status -ne 0 ]; then
     echo "failed"
     exit 1
 fi
 if [ "$NO_CACHE" = true ] ; then
-     docker build -t ${ISHIELD_LOGGING_IMAGE_NAME_AND_VERSION} ${LOGG_BASEDIR} --no-cache
+     docker build -t ${ISHIELD_ADMISSION_CONTROLLER_IMAGE_NAME_AND_VERSION} . --no-cache
 else
-     docker build -t ${ISHIELD_LOGGING_IMAGE_NAME_AND_VERSION} ${LOGG_BASEDIR}
+     docker build -t ${ISHIELD_ADMISSION_CONTROLLER_IMAGE_NAME_AND_VERSION} . 
 fi
 
 exit_status=$?
@@ -135,42 +139,41 @@ echo ""
 # Build ishield-observer image
 echo -----------------------------
 echo [3/4] Building ishield-observer image.
-cd ${OBSV_BASEDIR}
+cd ${SHIELD_OBSERVER_DIR}
+go mod tidy
 exit_status=$?
 if [ $exit_status -ne 0 ]; then
     echo "failed"
     exit 1
 fi
-
-CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags="-s -w" -a -o build/_output/bin/${ISHIELD_OBSERVER} main.go
-
-if [ "$NO_CACHE" = true ] ; then
-     docker build -t ${ISHIELD_OBSERVER_IMAGE_NAME_AND_VERSION} ${OBSV_BASEDIR} --no-cache
-else
-     docker build -t ${ISHIELD_OBSERVER_IMAGE_NAME_AND_VERSION} ${OBSV_BASEDIR}
-fi
-
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags="-s -w" -a -o build/_bin/ishield-observer ./
 exit_status=$?
 if [ $exit_status -ne 0 ]; then
     echo "failed"
     exit 1
 fi
-echo done.
-echo -----------------------------
-echo ""
+if [ "$NO_CACHE" = true ] ; then
+    docker build -t ${ISHIELD_OBSERVER_IMAGE_NAME_AND_VERSION} . --no-cache
+else
+    docker build -t ${ISHIELD_OBSERVER_IMAGE_NAME_AND_VERSION} .
+fi
 
 # Build integrity-shield-operator image
 echo -----------------------------
 echo [4/4] Building integrity-shield-operator image.
-cd ${OPERATOR_BASEDIR}
+cd ${SHIELD_OP_DIR}
+go mod tidy
+exit_status=$?
+if [ $exit_status -ne 0 ]; then
+    echo "failed"
+    exit 1
+fi
+CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags="-s -w" -a -o build/_output/bin/integrity-shield-operator main.go
 exit_status=$?
 if [ $exit_status -ne 0 ]; then
     echo "failed"
     exit 1
 fi
-
-CGO_ENABLED=0 GOOS=linux GOARCH=amd64 GO111MODULE=on go build -ldflags="-s -w" -a -o build/_output/bin/${ISHIELD_OPERATOR} main.go
-
 if [ "$NO_CACHE" = true ] ; then
     docker build . -t ${ISHIELD_OPERATOR_IMAGE_NAME_AND_VERSION} --no-cache
 else
@@ -182,6 +185,7 @@ if [ $exit_status -ne 0 ]; then
     echo "failed"
     exit 1
 fi
+
 echo done.
 echo -----------------------------
 echo ""
 
@@ -24,7 +24,7 @@ echo "-------------------------------------------------"
 echo "Check if operator bundle deployed correctly."
 echo "Let's wait for integrity-shield-operator-bundle to be depoyed..."
 while true; do
-   ISHIELD_STATUS=$(kubectl get pod -n ${ISHIELD_OP_NS} 2>/dev/null | grep integrity-shield-operator | awk '{print $3}')
+   ISHIELD_STATUS=$(kubectl get pod -n ${ISHIELD_NS} 2>/dev/null | grep integrity-shield-operator | awk '{print $3}')
    if [[ "$ISHIELD_STATUS" == "Running" ]]; then
       echo
       echo -n "===== Integrity Shield operator has started, let's continue with testing e2e. ====="
 
@@ -18,8 +18,8 @@ set -e
 
 echo "E2E TEST BUNDLE CLEAN GOES HERE!"
 
-if [ -z "$ISHIELD_OP_NS" ]; then
-    echo "ISHIELD_OP_NS is empty. Please set env."
+if [ -z "$ISHIELD_NS" ]; then
+    echo "ISHIELD_NS is empty. Please set env."
     exit 1
 fi
 
@@ -42,7 +42,7 @@ echo "Testing BUNDLE_INDEX_IMAGE: $BUNDLE_INDEX_IMAGE"
 echo ""
 echo "-------------------------------------------------"
 
-NS_EXIST=$(kubectl get ns | grep ${ISHIELD_OP_NS} | cut -d' ' -f1)
+NS_EXIST=$(kubectl get ns | grep ${ISHIELD_NS} | cut -d' ' -f1)
 
 
 if [ ! -z $NS_EXIST ]; then
@@ -51,16 +51,16 @@ apiVersion: operators.coreos.com/v1
 kind: OperatorGroup
 metadata:
   name: operatorgroup
-  namespace: ${ISHIELD_OP_NS}
+  namespace: ${ISHIELD_NS}
 spec:
   targetNamespaces:
-  - ${ISHIELD_OP_NS}
+  - ${ISHIELD_NS}
 ---
 apiVersion: operators.coreos.com/v1alpha1
 kind: Subscription
 metadata:
   name: integrity-shield-operator
-  namespace: ${ISHIELD_OP_NS}
+  namespace: ${ISHIELD_NS}
 spec:
   channel: alpha
   name: integrity-shield-operator