
Cluster scoped signature enforcement

Open slimm609 opened this issue 2 years ago • 3 comments

Description

Currently, each namespace is an "opt-in" for image validation, which works well in most cases but does not work well in highly compliant environments where 100% container signing is required. We currently run self-service namespace clusters that still require container signing regardless of namespace, and it is enforced at the cluster level.

connaisseur currently supports this, and so does portieris for enforcing image validation at the cluster level for all namespaces.

This is something that we are leveraging today with portieris and would be a beneficial feature for policy-controller.

A deployment setting or flag to disable namespace label validation and just validate all namespaces regardless of label would be ideal.

Here is the setting in connaisseur for reference: https://sse-secure-systems.github.io/connaisseur/v2.6.1/features/namespaced_validation/

enabled        true or false; enable namespaced validation otherwise images in all namespaces will be validated.

slimm609 avatar Jul 05 '22 15:07 slimm609

sgtm!

dlorenc avatar Jul 05 '22 16:07 dlorenc

Thanks for opening the issue @slimm609. It makes sense, so we'll work on adding support for this feature.

hectorj2f avatar Jul 05 '22 19:07 hectorj2f

The one way to achieve this today would be to remove the namespace selectors here: https://github.com/sigstore/policy-controller/blob/main/config/500-webhook-configuration.yaml#L21 and here: https://github.com/sigstore/policy-controller/blob/main/config/500-webhook-configuration.yaml#L43 when you deploy the policy-controller.

vaikas avatar Jul 19 '22 18:07 vaikas
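As an added illustration of the workaround described in the comment above (this is not a manifest from the policy-controller repository, and the webhook name, service name, controller namespace and the `policy.sigstore.dev/include` label key are assumptions that should be checked against the linked file), here is a sketch of a `ValidatingWebhookConfiguration` in its opt-in form and in a cluster-wide form. The cluster-wide variant goes one step beyond "just delete the selector": it keeps a `NotIn` selector that excludes the controller's own namespace, so the webhook cannot block a redeploy of itself.

```yaml
# Added example, not the project's own manifest. Names and the label key are assumptions.
#
# Variant A: per-namespace opt-in (the behaviour the issue describes).
# Only namespaces labelled policy.sigstore.dev/include=true are sent to the webhook;
# an unlabelled namespace is never validated.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: policy.sigstore.dev               # assumed name
webhooks:
  - name: policy.sigstore.dev
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail                   # Fail = closed; Ignore would let unsigned pods through if the webhook is down
    clientConfig:
      service:
        name: webhook                     # assumed service name
        namespace: cosign-system          # assumed controller namespace
        path: /validations                # assumed path
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
    namespaceSelector:
      matchExpressions:
        - key: policy.sigstore.dev/include
          operator: In
          values: ["true"]
---
# Variant B: cluster-wide enforcement (the workaround from the thread).
# The opt-in label requirement is gone, so every namespace is validated.
# Instead of dropping the selector entirely, it excludes the controller's own
# namespace (and kube-system) by the automatically set kubernetes.io/metadata.name label,
# which avoids the webhook rejecting its own pods during an upgrade.
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: policy.sigstore.dev               # assumed name
webhooks:
  - name: policy.sigstore.dev
    admissionReviewVersions: ["v1"]
    sideEffects: None
    failurePolicy: Fail
    clientConfig:
      service:
        name: webhook                     # assumed
        namespace: cosign-system          # assumed
        path: /validations                # assumed
    rules:
      - apiGroups: [""]
        apiVersions: ["v1"]
        operations: ["CREATE", "UPDATE"]
        resources: ["pods"]
    namespaceSelector:
      matchExpressions:
        - key: kubernetes.io/metadata.name
          operator: NotIn
          values: ["cosign-system", "kube-system"]
```

Two things worth checking after applying the cluster-wide variant: `kubectl get validatingwebhookconfiguration policy.sigstore.dev -o yaml` should show no `policy.sigstore.dev/include` expression left in `namespaceSelector`, and `failurePolicy` should still read `Fail`, since with every namespace now in scope an `Ignore` policy would turn any webhook outage into a silent bypass of signature enforcement. If the controller also registers a `MutatingWebhookConfiguration` (the comment above links two selectors in the same file), the same selector change has to be applied there too, or the two webhooks will disagree about which namespaces are covered.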