sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign

If namespace is given to secret ref and it's not the same as in the policy-controller namespace, it should fail.

vaikas opened this issue · comments

Description

User tried to create this CIP:

apiVersion: policy.sigstore.dev/v1alpha1
kind: ClusterImagePolicy
metadata:
  name: tekton-attestation
spec:
  images:
  - glob: "quay.io/raffaelespazzoli/**"
  authorities:
  - name: static-key
    key:
      secretRef:
        namespace: openshift-pipelines

And it did not fail at creation time. We should make sure that we reject it if the namespace of the secretRef is not the same as the one where the policy-controller was installed.

Version

But we don't want to allow the controller access to secrets in other namespaces. That is why we only assume it is in the same namespace.

For instance, the signaturePullSecrets always look at the namespace where the pod is deployed. Maybe we can find a common solution.

Yeah, it should be a LocalObjectReference, I think. But what I was trying to say is that it currently silently takes a namespace that we then do not work with. At the very least it should complain and fail.

Okay. Let's add a validation error for now. We can change the type to LocalObjectReference when we change the API version.
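A validation routine of the kind the thread converges on, added here as an illustration and not taken from the policy-controller code base: the types are minimal stand-ins for the ClusterImagePolicy spec, and `cosign-system` is an assumed controller namespace. It rejects a secretRef that names a foreign namespace (or no secret at all) at admission time instead of silently ignoring the namespace.

```go
package main

import (
	"fmt"
	"strings"
)

// Minimal stand-ins for the ClusterImagePolicy types (assumed shapes, not
// the project's own Go types).
type SecretRef struct{ Name, Namespace string }
type KeyRef struct{ SecretRef *SecretRef }
type Authority struct {
	Name string
	Key  *KeyRef
}

// ValidateAuthorities returns one message per problem, each prefixed with
// the JSON path of the offending field, or nil when the spec is acceptable.
func ValidateAuthorities(auths []Authority, controllerNS string) []string {
	var errs []string
	for i, a := range auths {
		if a.Key == nil || a.Key.SecretRef == nil {
			continue // other key forms (inline data, KMS) are out of scope here
		}
		path := fmt.Sprintf("spec.authorities[%d].key.secretRef", i)
		ref := a.Key.SecretRef
		if ref.Name == "" {
			errs = append(errs, path+".name: missing field")
		}
		// An explicit namespace is only accepted when it is the controller's
		// own; anything else would otherwise be silently dropped at verify time.
		if ref.Namespace != "" && ref.Namespace != controllerNS {
			errs = append(errs, fmt.Sprintf("%s.namespace: %q does not match the policy-controller namespace %q",
				path, ref.Namespace, controllerNS))
		}
	}
	return errs
}

func main() {
	// Constructed from the CIP in the issue; cosign-system is an assumed
	// controller namespace.
	spec := []Authority{{Name: "static-key", Key: &KeyRef{SecretRef: &SecretRef{Namespace: "openshift-pipelines"}}}}
	if errs := ValidateAuthorities(spec, "cosign-system"); len(errs) > 0 {
		fmt.Println("rejected:\n  " + strings.Join(errs, "\n  "))
	}
}
```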