connaisseur
An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster
**Describe the bug** config_schema.json uses `^((\\w+\\.[\\.\\w]*\\/)?([^\\s]+\\/)?)([^\\/\\:@]+)((@sha256:([a-f0-9]{64}))|(:(.+)))?$` to validate policy patterns. If we simplify this expression it becomes `(maybe something that might resemble a domain)(optional: many not whitespace)(some non-special char)(maybe tag...
**Describe the feature** Adapt the Connaisseur documentation, addressing the issues mentioned in #481 for GKE. When adapting the terraform code, make sure the code works and has no hardcoded parts.
**Describe the bug** We don't get dependabot updates for packages in actions, e.g. `anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3` is in `connaisseur/.github/actions/build/action.yml`, while the corresponding SCA action was updated to v0.15.1 **Expected behavior**...
**Describe the bug** We deploy connaisseur in a k8s cluster as a webhook to validate container images. We occasionally run into a connaisseur-webhook timeout problem and find the following exception around the same...
We are currently facing the situation that we need to add additional custom labels to the deployment manifest created by the helm chart. This goes for the `metadata/labels` and the...
It would be great to have working keyless support in connaisseur. We made a strong effort to establish a system to roll out your own instance of fulcio and rekor (look...
**Describe the feature** Docker has announced that they might look into [deprecating Notary](https://github.com/docker-library/faq/blob/master/SIGNING.md#what-does-this-mean-for-notary-docker-content-trust) in favor of [OpenPubkey](https://github.com/openpubkey/openpubkey) in the future. Once they actually recommend using the system in production (or...
Fixes no issue ## Description * switch to [wolfi](https://edu.chainguard.dev/open-source/wolfi/) as distroless base image ## Checklist - [x] PR is rebased to/aimed at branch `develop` - [x] PR follows [Contributing...
**Describe the bug** When we deploy the Connaisseur helm package via argocd, it detects that a duplicate resource is added. Resource admissionregistration.k8s.io/MutatingWebhookConfiguration//connaisseur-webhook appeared 2 times among application resources **Expected behavior** No warnings...
**Describe the feature** Connaisseur only supports sha256 as a digest algorithm. It's hard-coded in many parts of the code. Multiple digest algorithms should be supported.