
Build a validation only mode

Open xopham opened this issue 2 years ago • 2 comments

Describe the feature: Connaisseur works as a mutating admission controller and thus replaces tags by signed digests. This also means that requests are modified. A validation only mode would simply check whether images comply with the policy (e.g. only referenced by signed digests or excluded) but fail if a reference would require mutation.

Optional: Is your feature request related to a problem? Please describe: It was reported that some enterprises are uneasy with implementing a mutating admission controller. (Might be publicly hinted though not explicit in this blog post.)

Optional: Implementation ideas: One could implement Connaisseur as a validating admission controller and simply deny, in case a digest is invalid or mutation is required.

Optional: Additional context: As a bonus, the validation mode could also be enabled with mutation mode in parallel. As validating controllers run after mutating, this would ensure no other AC introduced an insecure image.

xopham, Aug 15 '21 10:08

This may be required for some closed loop deployment technologies whereby, for example, an operator handles deployment by monitoring a git repo with configuration and comparing that to the deployed state. Such technology may detect a deviation between desired and deployed state and re-deploy, which creates an infinite deployment loop.

xopham, Oct 01 '21 07:10

A first test version is built by which Connaisseur will simply skip modifying the image reference. Not switching to a validating webhook resource as this might collide with future improvements allowing namespaced configuration.

Demo branch with Connaisseur test image (hosted in my private repository) available on branch demo/validation-only-mode. To test, checkout the branch, install Connaisseur and test. To check the image references you might use kubectl describe pods <your-test-pod> and check for image and image ID. Further information is available in the respective docs.

Please share your feedback :pray:

xopham, Aug 19 '22 15:08
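The following is an added example, not Connaisseur's code and not from the issue author. It illustrates two things discussed above: the validation-only decision from the implementation idea (allow digest-pinned images whose digest is trusted or images excluded by policy, deny anything that would need its tag rewritten), and the manual post-deployment check from the last comment (comparing the `Image` and `Image ID` that `kubectl describe pods` shows). The policy rules, the repository names and the `SIGNED_DIGESTS` table standing in for a signature lookup are all constructed for the example; short-name normalisation (`nginx` vs `docker.io/library/nginx`) is deliberately left out.

```python
"""Validation-only admission check and post-deploy audit of image references.

Example code added to illustrate the validation-only mode discussed in this
issue; it is not Connaisseur's implementation. Policy and "signed digests"
below are constructed stand-ins for a real policy file and signature lookup.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Simplified reference grammar: [registry[:port]/]repository[:tag][@sha256:<64 hex>]
_REF_RE = re.compile(
    r"^(?P<name>[^:@\s]+(?::\d+/[^:@\s]*)?)"      # registry[:port]/repository
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"           # optional tag
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$"     # optional digest
)


@dataclass(frozen=True)
class ImageRef:
    name: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        return self.digest is not None


def parse_reference(ref: str) -> ImageRef:
    """Parse a pod spec image string or a container status imageID."""
    ref = ref.removeprefix("docker-pullable://").removeprefix("docker://")
    m = _REF_RE.match(ref)
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    return ImageRef(m["name"], m["tag"], m["digest"])


# Constructed policy: longest-prefix style rules, "verify" or "unverified" (excluded).
POLICY = {
    "docker.io/library/": "unverified",
    "registry.example.com/": "verify",
}
# Constructed stand-in for what a signature lookup would return per repository.
SIGNED_DIGESTS = {"registry.example.com/app": {"sha256:" + "a" * 64}}


def validate_only(image: str, policy=POLICY, signed=SIGNED_DIGESTS):
    """Return (allowed, reason) without ever proposing a rewritten reference."""
    ref = parse_reference(image)
    rule = next((v for k, v in policy.items() if ref.name.startswith(k)), None)
    if rule is None:
        return False, f"{image}: no policy rule matches"
    if rule == "unverified":
        return True, f"{image}: excluded from verification"
    if not ref.pinned:
        # Mutating mode would resolve the tag to a signed digest; a validating
        # controller cannot change the request, so it has to refuse instead.
        return False, f"{image}: tag-only reference would require mutation"
    if ref.digest in signed.get(ref.name, set()):
        return True, f"{image}: digest matches a trusted signature"
    return False, f"{image}: digest is not signed"


def review_pod(admission_review: dict) -> dict:
    """Build an AdmissionReview response: deny if any container fails."""
    req = admission_review["request"]
    spec = req["object"]["spec"]
    reasons, allowed = [], True
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        ok, why = validate_only(c["image"])
        reasons.append(why)
        allowed = allowed and ok
    return {
        "apiVersion": "admission.k8s.io/v1",
        "kind": "AdmissionReview",
        "response": {"uid": req["uid"], "allowed": allowed,
                     "status": {"message": "; ".join(reasons)}},
    }


def audit_running_pod(pod: dict) -> list:
    """Programmatic version of reading Image / Image ID from kubectl describe:
    was the spec reference digest-pinned, and does the pulled digest match it?"""
    spec_images = {c["name"]: c["image"] for c in pod["spec"]["containers"]}
    report = []
    for st in pod["status"]["containerStatuses"]:
        spec_ref = parse_reference(spec_images[st["name"]])
        pulled = parse_reference(st["imageID"])
        report.append({
            "container": st["name"],
            "pinned_in_spec": spec_ref.pinned,
            "pulled_digest": pulled.digest,
            "digest_matches_spec": spec_ref.pinned and spec_ref.digest == pulled.digest,
        })
    return report


# Constructed sample input: one pinned app image plus an excluded public image.
SAMPLE_PINNED_REVIEW = {"request": {"uid": "demo-1", "object": {"spec": {"containers": [
    {"name": "app", "image": "registry.example.com/app@sha256:" + "a" * 64},
    {"name": "proxy", "image": "docker.io/library/nginx:1.21"},
]}}}}
# Constructed sample input: same app image referenced by tag only.
SAMPLE_TAGGED_REVIEW = {"request": {"uid": "demo-2", "object": {"spec": {"containers": [
    {"name": "app", "image": "registry.example.com/app:1.0"},
]}}}}
# Constructed pod as the API server would report it after scheduling.
SAMPLE_POD_STATUS = {
    "spec": {"containers": [
        {"name": "app", "image": "registry.example.com/app@sha256:" + "a" * 64},
        {"name": "sidecar", "image": "registry.example.com/sidecar:2.0"}]},
    "status": {"containerStatuses": [
        {"name": "app", "imageID": "docker-pullable://registry.example.com/app@sha256:" + "a" * 64},
        {"name": "sidecar", "imageID": "docker-pullable://registry.example.com/sidecar@sha256:" + "b" * 64}]},
}

if __name__ == "__main__":
    print(review_pod(SAMPLE_PINNED_REVIEW)["response"])
    print(review_pod(SAMPLE_TAGGED_REVIEW)["response"])
    for row in audit_running_pod(SAMPLE_POD_STATUS):
        print(row)
```

Running the block shows the pinned request allowed, the tag-only request denied with "would require mutation", and the audit flagging the `sidecar` container as not pinned in its spec even though the runtime reports a concrete digest, which is exactly the gap the manual `kubectl describe pods` check in the comment above is meant to surface.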