This repository was archived by the owner on Nov 19, 2024. It is now read-only.
provisioned-infrastructure.md

Provisioned resources

The following resources are provisioned and configured for this walkthrough:

In Azure:

  • Resource Group
    • Azure Container Registry (ACR)
      • SKU: Standard
    • Azure Kubernetes Service (AKS)
      • OIDC issuer enabled
      • Workload Identity enabled
      • Tier: Free
      • Gatekeeper installed via Helm
      • Ratify installed via Helm
      • The kubelet identity is granted access to ACR
    • Azure Key Vault
      • RBAC enabled
      • SKU: Standard
      • Contains two x509 certificates for Notation. Further details can be found here

In Microsoft Entra ID:

  • An app registration + service principal
    • The app registration is used to enable appropriate access and grant permissions to the chosen pipeline
    • The service principal is an owner of the resource group and has crypto and secrets permissions for the provisioned Key Vault
  • A user-assigned managed identity for use by Ratify
    • Federated credentials are established for use by AKS workload identity
    • The managed identity is granted access to ACR

Diagram description: A resource group containing the icons for AKS, ACR and Key Vault. An app registration in Microsoft Entra ID. A line from the app registration to the resource group labeled "owner" to indicate ownership of the resource group by the underlying service principal. A second line from the app registration to Key Vault labeled "crypto and secrets permissions" to indicate the assigned roles granted to enable Notation to sign artifacts within the pipeline.

Diagram description: A box labeled AKS with the icons for Gatekeeper, Ratify, AKS workload identity and Kubernetes kubelet. Both Ratify and Gatekeeper are installed on the cluster. The Ratify icon has a dashed line to the icon for AKS workload identity, which itself has a line to the user-assigned managed identity within Microsoft Entra ID. This indicates how workload identity enables the Ratify workload to impersonate the user-assigned managed identity. The icon for kubelet has a line connecting to ACR labeled "pull permissions", which allows images to be pulled from the private registry into the AKS cluster. The user-assigned managed identity icon also has a line connecting to ACR labeled "pull permissions" to allow Ratify to retrieve artifacts from the private registry.
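A quick audit of the configuration listed above, as an added example that is not part of this walkthrough or the Ratify project: it takes constructed Azure CLI JSON for the cluster, the role assignments and the managed identity's federated credentials and reports anything that deviates from the expected setup (OIDC issuer and workload identity enabled, AcrPull for both the kubelet identity and the Ratify managed identity, and a federated credential whose issuer, subject and audience line up). The Azure CLI field names and the Ratify service account `system:serviceaccount:gatekeeper-system:ratify-admin` are assumptions.

```python
# Added example: audits Azure CLI JSON (constructed sample below) against the
# configuration this walkthrough expects. Field names follow the output shape of
# `az aks show`, `az role assignment list` and `az identity federated-credential list`
# (assumed, not taken from the walkthrough's own resources).
RATIFY_SUBJECT = "system:serviceaccount:gatekeeper-system:ratify-admin"  # assumed Ratify SA
AUDIENCE = "api://AzureADTokenExchange"
ACR_ID = ("/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
          "/providers/Microsoft.ContainerRegistry/registries/acrdemo")
UAMI_PRINCIPAL = "11111111-1111-1111-1111-111111111111"  # constructed object id
KUBELET_PRINCIPAL = "22222222-2222-2222-2222-222222222222"  # constructed object id
ISSUER = "https://eastus.oic.prod-aks.azure.com/tenant-id/cluster-id/"  # constructed
AKS = {  # constructed `az aks show` excerpt
    "oidcIssuerProfile": {"enabled": True, "issuerURL": ISSUER},
    "securityProfile": {"workloadIdentity": {"enabled": True}},
    "identityProfile": {"kubeletidentity": {"objectId": KUBELET_PRINCIPAL}},
}
ROLE_ASSIGNMENTS = [  # constructed `az role assignment list --all` excerpt
    {"roleDefinitionName": "AcrPull", "principalId": KUBELET_PRINCIPAL, "scope": ACR_ID},
    {"roleDefinitionName": "AcrPull", "principalId": UAMI_PRINCIPAL, "scope": ACR_ID},
]
FEDERATED_CREDS = [  # constructed `az identity federated-credential list` excerpt
    {"issuer": ISSUER, "subject": RATIFY_SUBJECT, "audiences": [AUDIENCE]},
]

def has_acr_pull(assignments, principal_id, acr_id):
    """True if the principal holds AcrPull on the registry or on a parent scope."""
    return any(a["roleDefinitionName"] == "AcrPull" and a["principalId"] == principal_id
               and acr_id.lower().startswith(a["scope"].lower()) for a in assignments)

def audit(aks, assignments, fed_creds, uami_principal, acr_id):
    """Return a list of findings; an empty list means the setup matches the walkthrough."""
    findings = []
    oidc = aks.get("oidcIssuerProfile") or {}
    if not oidc.get("enabled"):
        findings.append("AKS OIDC issuer is not enabled")
    wi = (aks.get("securityProfile") or {}).get("workloadIdentity") or {}
    if not wi.get("enabled"):
        findings.append("AKS workload identity is not enabled")
    kubelet = (aks.get("identityProfile") or {}).get("kubeletidentity", {}).get("objectId")
    if not kubelet or not has_acr_pull(assignments, kubelet, acr_id):
        findings.append("kubelet identity lacks AcrPull on ACR")
    if not has_acr_pull(assignments, uami_principal, acr_id):
        findings.append("Ratify managed identity lacks AcrPull on ACR")
    # Issuer, subject and audience must all match the cluster and Ratify's service
    # account, otherwise the token exchange fails and Ratify cannot reach the registry.
    if not any(f.get("issuer") == oidc.get("issuerURL") and f.get("subject") == RATIFY_SUBJECT
               and AUDIENCE in f.get("audiences", []) for f in fed_creds):
        findings.append("no federated credential matches the AKS issuer and Ratify service account")
    return findings
```

Replace the constructed dictionaries with the real `az ... -o json` output to run the same checks against an actual subscription.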

Note

The above resources are provisioned and configured for the purpose of this walkthrough. The resources are not intended for production use and may not adhere to best practices.

For production use, it is recommended to enable private endpoints to ensure traffic between applicable resources is routed through the Azure backbone network. For more information see: