Firebolt Auror is a Kubernetes image admission controller: it checks every container image a workload references against a registry allowlist and a Cosign signature before the workload is admitted to the cluster.
- Uses Cosign to verify container image signatures against a configured public key
- Ensures only signed images are deployed (deny mode); audit mode admits everything and logs what would have been rejected
- Supports both deny and audit modes for flexible rollout
- Restricts deployments to specified AWS ECR registries
- Prevents unauthorized external images from being deployed, even if they carry a valid signature
- Configurable registry allowlist
- Three-tier caching system for verification results
- Digest-based and tag-based caching strategies (a digest is immutable, so its verdict can be cached longer than a tag's, which can be re-pointed)
- Owner reference caching for improved performance (e.g. Pods whose owning Deployment has already been verified)
- Prometheus metrics for monitoring
- OpenTelemetry integration for distributed tracing
- Detailed logging with configurable levels
- Support for multiple Kubernetes resource types (Pods, Deployments, StatefulSets, etc.)
- Configurable cache sizes and TTLs
- Environment-based configuration
- Helm chart for easy deployment
Install the required tools, create a local development environment, deploy Auror, and confirm its pods are running:

```bash
# Install required tools
task dependencies-install-mac

# 1. Create development environment
task dev-create

# 2. Deploy auror admission controller
task auror-deploy

# 3. Verify deployment
kubectl get pods -n firebolt-auror
```

Signature verification reads from ECR, so AWS credentials with access to the allowed registries are needed:

```bash
# Configure AWS credentials
aws configure export-credentials

# Test ECR access (prints a registry token to stdout; pipe it into
# `docker login --password-stdin` rather than pasting it on a command line)
aws ecr get-login-password --region us-east-1
```

Configuration flags:

- `--mode`: `deny` (block unsigned images) or `audit` (log only; every request is admitted)
- `--registry`: allowed ECR registries, comma-separated. Images from any other registry are rejected regardless of their signature.
- `--public-key`: path to the Cosign public key used for signature verification. An image counts as signed only if its signature validates against this key.
- `--log-level`: `info` or `debug`
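The admission decision those flags control, and the digest-versus-tag cache keys from the feature list, as an added Go example. This is not Auror's own code (the README shows none); it assumes a stub in place of the real Cosign verifier, an in-memory `sync.Map` cache, a one-hour TTL for digest-keyed and a five-minute TTL for tag-keyed verdicts, and constructed image references under an example ECR account. The owner-reference cache tier is left out.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
	"sync"
	"time"
)

// Mode mirrors the --mode flag: deny blocks unsigned images, audit only logs.
type Mode string

const ModeDeny, ModeAudit Mode = "deny", "audit"

// ImageRef is "registry/repository[:tag][@sha256:<hex>]" split into its parts.
type ImageRef struct{ Registry, Repository, Tag, Digest string }

var hexDigest = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

// ParseImageRef splits a reference like a container runtime does: the first path
// component is the registry only if it contains "." or ":" (docker.io otherwise).
func ParseImageRef(ref string) (ImageRef, error) {
	r, rest := ImageRef{}, ref
	if i := strings.Index(rest, "@"); i >= 0 {
		r.Digest, rest = rest[i+1:], rest[:i]
		if !hexDigest.MatchString(r.Digest) { // a malformed digest is rejected, never "fixed up"
			return r, fmt.Errorf("malformed digest %q", r.Digest)
		}
	}
	if c := strings.LastIndex(rest, ":"); c > strings.LastIndex(rest, "/") {
		r.Tag, rest = rest[c+1:], rest[:c]
	}
	if i := strings.Index(rest, "/"); i > 0 && strings.ContainsAny(rest[:i], ".:") {
		r.Registry, r.Repository = rest[:i], rest[i+1:]
	} else {
		r.Registry, r.Repository = "docker.io", rest
	}
	if r.Repository == "" {
		return r, errors.New("missing repository in " + ref)
	}
	return r, nil
}

// entry is one cached verdict; Decision is what the webhook would put into its AdmissionResponse.
type entry struct{ signed bool; expires time.Time }
type Decision struct{ Allowed, Cached bool; Reason string }

// Policy holds the allowlist, the mode, the (stand-in) Cosign verifier and a verdict
// cache keyed by digest (content-addressed, long TTL) or by tag (mutable, short TTL).
type Policy struct {
	Mode              Mode
	Registries        map[string]bool
	Verify            func(ImageRef) (signed bool, err error)
	DigestTTL, TagTTL time.Duration
	cache             sync.Map // key -> entry; admission requests arrive concurrently
}

// NewPolicy takes the --registry value: comma-separated ECR hostnames.
func NewPolicy(mode Mode, registries string, verify func(ImageRef) (bool, error)) *Policy {
	p := &Policy{Mode: mode, Registries: map[string]bool{}, Verify: verify, DigestTTL: time.Hour, TagTTL: 5 * time.Minute}
	for _, h := range strings.Split(registries, ",") {
		p.Registries[strings.TrimSpace(h)] = true
	}
	return p
}

// CacheKey picks the cache key and TTL: a digest is immutable, a tag can be re-pointed at any time.
func (p *Policy) CacheKey(ref ImageRef) (string, time.Duration) {
	if ref.Digest != "" {
		return ref.Digest, p.DigestTTL
	}
	if ref.Tag == "" {
		ref.Tag = "latest"
	}
	return ref.Registry + "/" + ref.Repository + ":" + ref.Tag, p.TagTTL
}

// Admit evaluates one container image reference from a workload spec.
func (p *Policy) Admit(image string) Decision {
	ref, err := ParseImageRef(image)
	if err != nil {
		return p.decide(false, "unparseable image reference: "+err.Error(), false)
	}
	if !p.Registries[ref.Registry] { // allowlist first: a signed image from the wrong registry is still rejected
		return p.decide(false, "registry "+ref.Registry+" is not in the allowlist", false)
	}
	key, ttl := p.CacheKey(ref)
	if v, ok := p.cache.Load(key); ok && time.Now().Before(v.(entry).expires) {
		return p.decide(v.(entry).signed, "cached verdict for "+key, true)
	}
	signed, err := p.Verify(ref)
	if err != nil { // fail closed and do not cache: a transient error must not become a stored verdict
		return p.decide(false, "signature verification failed: "+err.Error(), false)
	}
	p.cache.Store(key, entry{signed: signed, expires: time.Now().Add(ttl)})
	return p.decide(signed, "Cosign signature check for "+key, false)
}

// decide applies the mode: a failed check denies in deny mode and is only logged in audit mode.
func (p *Policy) decide(ok bool, reason string, cached bool) Decision {
	if !ok && p.Mode == ModeAudit {
		return Decision{Allowed: true, Cached: cached, Reason: "audit mode, would deny: " + reason}
	}
	return Decision{Allowed: ok, Cached: cached, Reason: reason}
}

// Constructed stand-ins for the registry (tag -> digest) and for Cosign (which digests carry a valid
// signature) so the example runs offline; a real verifier resolves the tag and checks the --public-key.
var (
	goodDigest    = "sha256:" + strings.Repeat("0", 63) + "1"
	tagToDigest   = map[string]string{"v1": goodDigest, "dev": "sha256:" + strings.Repeat("0", 63) + "2"}
	signedDigests = map[string]bool{goodDigest: true}
)

func stubVerifier(ref ImageRef) (bool, error) {
	d, ok := ref.Digest, ref.Digest != ""
	if !ok {
		d, ok = tagToDigest[ref.Tag]
	}
	if !ok {
		return false, errors.New("tag " + ref.Tag + " does not resolve in the registry")
	}
	return signedDigests[d], nil
}

func main() {
	p := NewPolicy(ModeDeny, "123456789012.dkr.ecr.us-east-1.amazonaws.com", stubVerifier)
	for _, img := range []string{"123456789012.dkr.ecr.us-east-1.amazonaws.com/app:v1", "docker.io/library/nginx:latest"} {
		fmt.Printf("%+v\n", p.Admit(img))
	}
}
```

Two choices in this example are worth keeping in any real controller: a verification error is denied in deny mode but never cached, so a registry outage cannot freeze a stale verdict; and tag-keyed entries expire quickly because a tag can be re-pointed at a different, unsigned image while a digest cannot.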
Test the signature check and warm the cache:

```bash
# Test Auror with cosign review
task auror-test-cosign

# Warm up Auror cache with test images
task auror-test-warmup
```

Check the Prometheus metrics:

```bash
kubectl port-forward -n firebolt-auror service/auror 8080:8080
curl http://localhost:8080/metrics
```

This project is licensed under the Apache License, Version 2.0. See the LICENSE file for the full license text.