
https://github.com/sigstore/policy-controller/issues/1388, Support co…

Open senanz opened this issue 1 year ago • 1 comments

…ntrol what resource to be monitored from the chart instead hard coded in the code

Summary

Release Note

Documentation

senanz avatar Sep 25 '24 15:09 senanz

Hi @hectorj2f, today all resources that will be monitored by the policy controller are hardcoded. We want to control that from chart values, for example if I want to limit the policy controller to monitor just the pods.

senanz avatar Sep 25 '24 17:09 senanz

@hectorj2f I wanted to share my views on this PR. This PR is not really removing the functionality of modifying the image ref in the Pod spec from IMG:TAG to IMG@Digest; instead of making it hardcoded logic, this PR brings a feature flag, --disable-mutation, which, if used by the user, will disable the required mutation. The PR also wants to introduce configurability of which k8s resources should be monitored for image verification, so the user can choose whether or not to include replicaset for image verification based on his/her need. This way the policy controller will be more configurable and usable.

In the current state, with mandatory TAG to Digest conversion, we see issues when introducing the policy controller in setups where there are already some existing implementations which expect a TAG in the podspec to track the pods; introducing the policy controller will thus break the existing application logic. Moreover, mandatory checking of the image signature for replicaset and daemonset, with mutation of TAG to Digest, introduces a big issue, as we now cannot introduce the policy controller in a setup to do an in-service upgrade or, let's say, scale in or scale out a resource after introducing the policy controller: after the policy controller is introduced, the podspec gets mutated to a digest, which changes the resource creation; the k8s controller detects this change and keeps on creating the given resource.

So in my view these configurations bring more usability to the policy controller. If there is some common call scheduled, we would like to share our views on this PR.

Mukuls77 avatar Oct 23 '24 10:10 Mukuls77
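The two knobs discussed in this thread (which resource kinds are checked, and whether a tag is rewritten to a digest), as an added sketch that is not code from the PR or from policy-controller. Only the `--disable-mutation` flag name comes from the thread; the `Settings` and `Result` types, the `Admit` function, the image name and the digest table are constructed assumptions, and signature verification itself is not modelled.

```go
package main

import (
	"fmt"
	"strings"
)

// Settings models the two knobs from the thread. Field names are assumptions;
// only the --disable-mutation flag name appears in the discussion.
type Settings struct {
	MonitoredKinds  map[string]bool
	DisableMutation bool
}

// Result reports what an admission pass did with one image reference.
type Result struct {
	Image   string
	Checked bool // the kind was monitored, so the image went through the check
	Mutated bool // the stored reference differs from the submitted one
}

// digests is a constructed tag-to-digest table standing in for a registry lookup.
var digests = map[string]string{
	"registry.example/app:1.4": "sha256:" + strings.Repeat("ab", 32),
}

// Admit decides whether a kind is checked and whether its tag is pinned.
func Admit(s Settings, kind, image string) (Result, error) {
	if !s.MonitoredKinds[kind] {
		return Result{Image: image}, nil // not monitored: untouched and unchecked
	}
	if strings.Contains(image, "@sha256:") {
		return Result{Image: image, Checked: true}, nil // already pinned
	}
	d, ok := digests[image]
	if !ok {
		return Result{}, fmt.Errorf("cannot resolve %q to a digest", image)
	}
	if s.DisableMutation {
		return Result{Image: image, Checked: true}, nil // checked, tag kept as submitted
	}
	repo := image[:strings.LastIndex(image, ":")]
	return Result{Image: repo + "@" + d, Checked: true, Mutated: true}, nil
}

func main() {
	s := Settings{MonitoredKinds: map[string]bool{"Pod": true}}
	for _, kind := range []string{"Pod", "ReplicaSet"} {
		r, err := Admit(s, kind, "registry.example/app:1.4")
		fmt.Println(kind, r, err)
	}
}
```

With `DisableMutation` set, the stored reference stays a tag, so nothing in the stored spec ties the later image pull to the digest that was resolved at admission time.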