On Tue, May 2, 2023 at 3:33 PM Peter Hunt <
peh...@redhat.com> wrote:
>
> A way this could be achieved could mirror how the SPO does this, where a CRD is defined for profiles that are applied directly to the nodes. Technically, Kubelet doesn't become aware of these until the CRI processes them, and it could look the same. Then,
this entity that holds the CRD could create the correct configurations based on which CRI implementation is on the node. This would mean minimal changes in the Kubelet and runtimes but still have a kubernetes object that can be referenced.
>
> On Tue, May 2, 2023 at 4:14 AM Sascha Grunert <
sascha...@gmail.com> wrote:
>>
>> Thank you for all the input!
>>
>> Yes, my idea was to unify the behavior for sigstore signatures through
>> the CRI by having a single configuration pattern in Kubernetes and not
>> having a need for configuring each runtime.
>>
>> > Historically the runtimes validated signatures - is there data / policy you want to carry along with the pod that CRI doesn’t get?
>>
>> For example in sigstore, I'd like to configure Kuberentes to allow a
>> specific certificate identity, OIDC issuer, public key/signature or
>> the rekor (transparency log) instance for a subset of container
>> images. I can imagine that we pass that data through the CRI and let
>> the kubelet image pull behave accordingly as @Peter Hunt mentioned.
>> Users could define the policies as separate Kubernetes resources or
>> they could be integrated into an existing API.
>>
>> How could that fit into Kubernetes?
>>
>> All the best,
>> Sascha
>>
>> On Thu, Apr 27, 2023 at 6:46 PM Benjamin Elder <
benth...@google.com> wrote:
>> >
>> > See also: More specific pointers re "runtimes do/can do this"
>> >