License Compliance Verification
In ACP (Alauda Container Platform), you can use trivy or syft task in Tekton Pipeline to generate the SBOM for image.
The SBOM contains license information for each component in the image. We can use Kyverno policies to reject images that include specific licenses.
Since the SBOM has been generated for the image in Base Image and SBOM Verification, we will not create a pipeline here, but directly use the existing image to verify this capability.
This chapter is based on Base Image and SBOM Verification, only adds the logic to validate the license information of the image.
TOC
Feature Overview
This method is similar to Base Image and SBOM Verification, only change the kyverno rules to verify the license compliance.
- Configure Kyverno rules to verify the SBOM.
- Use the image to create a Pod to verify the license compliance.
Use Cases
The following scenarios require referring to the guidance in this document:
- Implementing license compliance verification in Kubernetes clusters using Kyverno
- Enforcing security policies to block images containing specific licenses (e.g., GPL)
- Setting up automated license verification in CI/CD pipelines
- Ensuring license compliance in production environments
- Implementing supply chain security controls for container images by verifying their component licenses
Prerequisites
- Base Image and SBOM Verification is completed.
Process Overview
| Step | Operation | Description |
|---|---|---|
| 1 | Verify license information | Create and apply Kyverno policy to verify component licenses |
| 2 | (Optional) Verify CVE check | Add conditions to check specific vulnerabilities in the policy |
| 3 | Clean up | Delete test resources and policies |
Step-by-Step Instructions
Steps 1: Verify the license information of the image
Step 1.1: Create a Kyverno policy to verify the base image information
This step requires cluster administrator privileges.
More details about Kyverno ClusterPolicy, please refer to Kyverno ClusterPolicy
The policy is as follows:
Explanation of YAML fields
- The policy is largely consistent with the one in Image Signature Verification
spec.rules[0].verifyImages[].attestations[0].conditionstype: The cyclonedx SBOM attestation type ishttps://cyclonedx.org/bomattestors: the same as above.conditions: The conditions to be verified.any: Any of the conditions must be met.key: "{{ components[].licenses[].license.id }}": The image contains GPL licenses which are not allowed.key: "{{ components[].licenses[].license.name }}": The image contains Expat license which is not allowed.
Save the policy to a yaml file named kyverno.verify-component-licenses.yaml and apply it with:
Step 1.2: Verify the policy
In the policy namespace where the policy is defined, create a Pod to verify the policy.
Use the built image to create a Pod.
If your image contains GPL licenses, the Pod will be created failed.
Receive the output like this:
Change the license limit in the ClusterPolicy to allow GPL licenses.
Then create a Pod to verify the policy.
The Pod will be created successfully.
Step 2: (Optional) Verify Image Check CVE-2022-42889
- If you interested to add more conditions to the policy, you can continue to read the following content.
- This is a simple example, you can use the same method to check other vulnerabilities.
CVE-2022-42889 is a critical vulnerability in the Apache Commons Text library which could lead to arbitrary code executions and occurs in versions 1.5 through 1.9. Detecting the affected package may be done in an SBOM by identifying the "commons-text" package with one of the affected versions. This policy checks attested SBOMs in CycloneDX format of an image specified under imageReferences and denies it if it contains versions 1.5-1.9 of the commons-text package.
We only need to add a condition to the ClusterPolicy to check if the commons-text package is in the image.
This is not demonstrated here, interested readers can try it themselves.
Step 3: Clean up the resources
Delete the Pods created in the previous steps.
Delete the policy.
Expected Results
After completing this guide:
- You have a working setup with Kyverno for license compliance verification
- Your container images automatically include SBOM information in their attestations
- Only images with acceptable licenses can be deployed in the specified namespace
- Images with non-compliant licenses are automatically blocked by Kyverno policies
- You have implemented a basic supply chain security control by verifying the license information of components in your container images
This guide provides a foundation for implementing license compliance verification in your CI/CD pipelines. In a production environment, you should:
- Configure proper namespace isolation and access controls
- Implement secure key management for signing keys
- Set up monitoring and alerting for policy violations
- Regularly update security policies based on your license requirements