Christoph Hamsen

Results 34 comments of Christoph Hamsen

Would be great if it could become a full-fledged light-weight verification binary. We also noticed that cosign has a significant size, especially when used in a container setting.

@Starkteetje it does fail if there is no trusted digest:

```bash
$ kubectl run unsigned --image=docker.io/securesystemsengineering/testimage:unsigned
Error from server: admission webhook "connaisseur-svc.connaisseur.svc" denied the request: Unable to find signed digest...
```

@gigi206 besides the error message, what happens to the Connaisseur resources? Does anything spin up? Do you see any errors?

@williamokano-dh is there any change from Connaisseur-side required to improve rollout with ArgoCD?

An interesting situation and surprising that it exists :sweat_smile: Without having delved into the details, it seems to me that we have no standard to follow here and one is...

Note that the mapping of image > mutated image is aimed to allow revalidation of previously mutated images. A difficulty may be to make sure if an image was used...

Thank you @SteveLasker for letting us know! We are excited to see that Notary v2 is making progress. We are actually in the process of integrating support for images across...

However, if Connaisseur mixes up digests and those fail later, it is a Connaisseur issue. In a controlled environment, we should be checking that the correct images spin up.

This may be required for some closed loop deployment technologies whereby for example an operator handles deployment by monitoring a git repo with configuration and comparing that to the deployed...

A first test version is built by which Connaisseur will simply skip modifying the image reference. Not switching to a validating webhook resource as this might collide with future improvements...