--
You received this message because you are subscribed to the Google Groups "kubernetes-sig-node" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-node/CAPre7xDda%2BiTDHEbg-SNZ6HeNT9xy8XuBVNeLt-exgstVmBKxw%40mail.gmail.com.
It's worth checking out the Ratify project, which can do signature validation as an admission controller.
From: kubernetes-si...@googlegroups.com <kubernetes-si...@googlegroups.com> on behalf of Clayton <smarter...@gmail.com>
Sent: Thursday, April 27, 2023 8:56 AM
To: Sascha Grunert <sascha...@gmail.com>
Cc: kubernete...@googlegroups.com <kubernete...@googlegroups.com>; kubernetes-sig-architecture <kubernetes-si...@googlegroups.com>
Subject: [EXTERNAL] Re: Sigstore container image signature validation support
Historically the runtimes validated signatures - is there data / policy you want to carry along with the pod that CRI doesn’t get?
OpenShift did validate signatures at admission time at one point and did check deeper pod data.
One feature that came up from time to time was validating the entire pod spec along with the image signature - having the node validate the spec meant that you could have a separate entity deciding which pods could run on a node independent of the control plane, which allowed mitigation of control plane compromises to a degree.
> On Apr 27, 2023, at 8:39 AM, Sascha Grunert <sascha...@gmail.com> wrote:
>
> Hey folks,
>
> I have an enhancement in mind to be able to validate sigstore
> signatures of container images before pulling them within the image
> manager of the kubelet [0]. The idea is to add a CRI method for the
> validation, which passes the policy down to the container runtime and
> can handle errors correctly. Policies define which signatures are
> allowed for a subset of images and will also provide the main user
> interface.
>
> I'm wondering where the policies could fit into Kubernetes. Using
> admission controllers, or just the kubelet configuration?
>
> I'd appreciate any thoughts on the feature.
>
> Thank you and all the best,
> Sascha
>
>
> --
> You received this message because you are subscribed to the Google Groups "kubernetes-sig-architecture" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-sig-arch...@googlegroups.com.
--
To view this discussion on the web visit https://groups.google.com/d/msgid/kubernetes-sig-architecture/SJ1PR21MB340941862C17546A44E828C3DB6A9%40SJ1PR21MB3409.namprd21.prod.outlook.com.