
Add support for resources apart from pods

Open sambhav opened this issue 3 years ago • 3 comments

It might be possible to add support for verifying that resources other than pods also reference images which are signed. This could possibly be done by providing the controller a ConfigMap that contains the custom resource's GVK and the JSONPath to the field in the resource which makes up the image reference(s).

For example:

https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/

The config for the above might look like -

imageFields:
  - apiVersion: batch/v1
    kind: CronJob
    field: ".spec.jobTemplate.spec.template.spec.containers[*].image"

sambhav avatar Jun 06 '21 21:06 sambhav
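
A sketch of how a controller could evaluate the `imageFields` config proposed above against an incoming resource, added here as an example and not taken from cosigned or from this issue. The names `ImageField`, `walk` and `ImagesFor` and the sample CronJob are assumptions, and the walker handles only `.name` and `.name[*]` segments rather than full Kubernetes JSONPath.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// ImageField mirrors one imageFields entry from the config proposed in the issue.
type ImageField struct{ APIVersion, Kind, Field string }
const sampleCronJob = `{"apiVersion":"batch/v1","kind":"CronJob","spec":{"jobTemplate":{"spec":{"template":{"spec":{"containers":[{"image":"registry.example/app:1.0"},{"image":"registry.example/sidecar:2.0"}]}}}}}}` // constructed sample, not from the issue

// walk follows ".name" and ".name[*]" segments and collects the strings it reaches.
func walk(node interface{}, segs []string) (out []string) {
	if len(segs) == 0 {
		if s, ok := node.(string); ok {
			out = append(out, s)
		}
		return out
	}
	obj, _ := node.(map[string]interface{}) // nil map when node is not an object
	if !strings.HasSuffix(segs[0], "[*]") {
		return walk(obj[segs[0]], segs[1:])
	}
	items, _ := obj[strings.TrimSuffix(segs[0], "[*]")].([]interface{})
	for _, it := range items {
		out = append(out, walk(it, segs[1:])...)
	}
	return out
}

// ImagesFor collects images from every entry matching the resource; matched is false if none apply.
func ImagesFor(cfg []ImageField, raw []byte) (images []string, matched bool, err error) {
	var obj map[string]interface{}
	if err = json.Unmarshal(raw, &obj); err != nil {
		return nil, false, err
	}
	for _, f := range cfg {
		if obj["apiVersion"] == f.APIVersion && obj["kind"] == f.Kind {
			matched = true
			images = append(images, walk(obj, strings.Split(strings.TrimPrefix(f.Field, "."), "."))...)
		}
	}
	return images, matched, nil
}

func main() {
	cfg := []ImageField{{"batch/v1", "CronJob", ".spec.jobTemplate.spec.template.spec.containers[*].image"}}
	fmt.Println(ImagesFor(cfg, []byte(sampleCronJob)))
}
```

A resource that matches an entry but yields zero images means the configured path did not resolve, which is better treated as a policy error than as a pass. The example path covers `containers` only, so `initContainers` in the same pod template would need its own entry.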

This would be extremely useful for other operators/custom resources as well.

sambhav avatar Jun 06 '21 21:06 sambhav

Although these resources may end up creating pods, this might lead to a better user experience for a k8s user who will get a failure right away as they are submitting the resource as opposed to when the controller tries to create pods for the custom resource.

sambhav avatar Jun 06 '21 21:06 sambhav

+1!

dlorenc avatar Jun 06 '21 21:06 dlorenc