The Enterprise Contract’s purpose is to ensure container images produced by AppStudio meet certain clearly defined requirements before they are considered releasable. Should a container image not meet the requirements the Enterprise Contract will produce a list of the reasons why so they can be addressed as required to produce a releasable build.
Enterprise Contract requirements fall broadly into two categories, “built-in requirements”1 and “rule-based requirements”.
The built-in requirements are as follows:
Some examples of rule-based requirements are:
The technique of checking for a specific task result from a specific known and trusted task definition is a useful way to create a robust policy rule. The rego language is flexible and expressive so it’s easy to create arbitrary policy rules based on anything exposed in pipeline run attestation.
The ec-cli is a command line utility written in Go. Its primary purpose is to perform the EC policy validation, which it does as follows:
The EC Task Definition defines how the ec-cli command should be run in a Tekton task. It handles the task inputs and outputs and calls the ec-cli as needed to perform the EC validation.
The task is defined here.
The ECP CRD defines a Kubernetes CR which is used to hold the configuration needed for running a specific instance of the Enterprise Contract. This includes the public key required to verify signatures, the list of policy and data sources, and any other required configuration.
There are Conftest bundles containing the latest version of these policies available in quay.io here.
Tekton Chains is a dependency for EC since EC works by examining attestations created by Tekton Chains when AppStudio build pipelines are running.
The AppStudio Release Pipeline contains an instance of the EC Task which is used to gate the release. If the EC task fails the release should be blocked. This functionality is handled by the Release Pipeline.
For more information, see AppStudio Release Service Bundles.
To verify that tasks used in the build pipeline are from known and trusted Tekton bundles, EC requires a list of those bundles.
AppStudio users can leverage the Renovate Bot service to keep such Tekton bundle lists up to date. The service can be configured to run periodically, and provide pull requests with updated references. Alternatively, users can run their own instance of Renovate either as a service or on-demand.
Not sure about the terminology here. Do we have a better term for requirements enforced by ec-cli that are not defined by rego rules? ↩
The list of images in a release is defined in a Snapshot CRD. The input to EC is a JSON formatted representation of this image list, but a single image is also supported. ↩
Not sure about this terminology either. Conceptually the “source group” consists of one or more policy sources and zero or more data sources. ↩