
A question about deploying signed and non-signed images combined with glob pattern #476

Open
gals-ma opened this issue Feb 27, 2023 · 9 comments
Labels
question Further information is requested

Comments

gals-ma commented Feb 27, 2023

Question

Hello Guys,

Is there a way to achieve the following flow?

Background: We are a company that has all images in one private AWS ECR.
In general, we have 2 types of images that we deploy:

  1. Infrastructure related images (K8S components such as monitoring agents, etc.) - deployed on various namespaces.
  2. Services images (all our micro-services) - deployed only on a specific namespace.

We want to achieve the following image policy:

  1. Services images must be deployed with signature validation + image glob validation.
  2. Infrastructure related images are deployed without signature validation, but with image glob validation.

The image glob pattern is the same for both 1+2.

Is there a way to achieve that with Policy-controller?

Thank you!

@gals-ma gals-ma added the question Further information is requested label Feb 27, 2023
hectorj2f (Contributor) commented

@gals-ma could the images be deployed on different namespaces? If so, you just need to label the namespaces where you want to enforce the signature.

gals-ma commented Feb 27, 2023

> @gals-ma could the images be deployed on different namespaces? If so, you just need to label the namespaces where you want to enforce the signature

Hi Hector,
They are on a different namespace, but we still want to enforce that we deploy images from a given ECR glob pattern on all namespaces; if I exclude a namespace, then it will not enforce this.

hectorj2f (Contributor) commented

Perhaps you could use the spec.match fields to select certain resources using labels.
Also, I would suggest creating this issue under the sigstore/policy-controller repo.

hectorj2f (Contributor) commented

To be clear from my first comment, I meant to leave the infrastructure resources under namespaces not labeled with the Sigstore label, so you enforce all the others (if you can automatically label the services namespaces).

gals-ma commented Feb 28, 2023

> To be clear from my first comment, I meant to leave the infrastructure resources under namespaces not labeled with Sigstore label, so you enforce all the others (if you can automatically label the services namespaces).

Thanks, I also posted in the policy-controller repo.
One more question, do you know if this can be achieved using attestations with rego rule?
Meaning, a Rego rule that will check if the namespace equals 'mynamespace'?

hectorj2f (Contributor) commented

@gals-ma You can use rego/cue rules for many things. We sometimes create policies that enforce things at the cue/rego policy level only (thanks to `authorities: [static: {action: pass}]`):

```yaml
# apiVersion, kind and metadata added so the spec fragment is a complete manifest;
# the name is a placeholder
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: cue-only-policy
spec:
  match:
  - version: "v1"
    resource: "pods"
  images: [glob: '**']                    # every image from any registry
  authorities: [static: {action: pass}]   # no signature verification; always passes
  mode: warn                              # warn on violations instead of rejecting
  policy:
    includeSpec: true                     # expose the resource spec to the cue rules
    type: "cue"
    data: |
      // cue rules go here (body not included in the original comment)
```

However, even if you create one of these CIPs, you want to enforce images (services) with the same glob pattern, afaik. A list of CIPs matching the same pattern will be evaluated as an AND, so this might not work for you. That is why I asked to find a way to match your resources, or to place them in different namespaces.

Perhaps we can find a solution for you in the policy-controller repo, where there are more 👁️👁️ on it :).

hectorj2f (Contributor) commented

In relation to what I mentioned above, you can check this info https://github.com/sigstore/policy-controller#configuring-policy-at-the-clusterimagepolicy-level:

> by specifying multiple ClusterImagePolicy creates an AND clause so that each ClusterImagePolicy must be satisfied for an admission, and having multiple authorities creates an OR clause so that any matching authority is considered a success, sometimes you may want more flexibility,
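An added example, not from this thread, of the label-based split hectorj2f points at: two ClusterImagePolicies with the same ECR glob, one that applies to every pod and only checks the registry, and one that applies only to pods carrying a label and additionally requires a keyless signature. Field names follow the policy-controller CRD as the editor understands it (the `spec.match[].selector` label selector is an assumption); the ECR account/region, the label and the signing identity are placeholders.

```yaml
# Added example, not from the thread or the policy-controller project.
# Namespaces still need the policy.sigstore.dev/include: "true" label for the
# webhook to evaluate any CIP at all.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ecr-registry-only          # CIP 1: applies to every pod
spec:
  match:
  - version: "v1"
    resource: "pods"
  images:
  - glob: "123456789012.dkr.ecr.us-east-1.amazonaws.com/**"   # placeholder ECR
  authorities:
  - static:
      action: pass                 # only the registry glob is enforced here
---
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ecr-signed-services        # CIP 2: only pods carrying the label below
spec:
  match:
  - version: "v1"
    resource: "pods"
    selector:                      # assumed field: LabelSelector on the resource
      matchLabels:
        policy.example.com/require-signature: "true"   # placeholder label
  images:
  - glob: "123456789012.dkr.ecr.us-east-1.amazonaws.com/**"   # same glob as CIP 1
  authorities:
  - keyless:
      url: https://fulcio.sigstore.dev
      identities:
      - issuer: https://token.actions.githubusercontent.com
        # placeholder identity: the release workflow that signs service images
        subject: https://github.com/example-org/example-service/.github/workflows/release.yaml@refs/heads/main
    ctlog:
      url: https://rekor.sigstore.dev
```

A labelled service pod matches both CIPs, and because multiple CIPs are ANDed it must pass both the glob and the signature check, while an unlabelled infrastructure pod only has to satisfy CIP 1. The label is set by whoever creates the pod, so a service pod submitted without it is only glob-checked; the label therefore needs to be guaranteed in the services namespace by something the deployer does not control, or the namespace split described above used instead.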

gals-ma commented Feb 28, 2023

Thank you very much for the help, @hectorj2f!
Another question, if I may: is there a way to have a 'bypass label' for emergency deploys?
For example, adding a custom label to the resource that will bypass the CIP?

Thanks again for all the help

hectorj2f (Contributor) commented

You could change the CIP setting to `mode: warn`, where you get warnings instead of rejected requests.
