sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign


A question about deploying signed and non-signed images combined with glob pattern

gals-ma opened this issue · comments

Question

Hello Guys,

Is there a way to achieve the following flow:

Background: We are a company who has all images in one private AWS ECR.
In general, we have 2 types of images that we deploy:

1. Infrastructure related images (K8S components such as monitoring agents, etc.) - deployed on various Namespaces.
2. Services images (all our micro-services) - deployed only on a specific Namespace.

We want to achieve the following Image Policy:

To summarize, we need all namespaces to be enforced with policy-controller:

  • Namespace of Services images must be deployed with signature validation + image glob validation.
  • Namespace of Infrastructure related images are deployed without signature validation + image glob validation.

The image glob pattern is the same for both 1+2.

Is there a way to achieve that with Policy-controller?

Thank you!

For context sharing, we initially started discussing options here: sigstore/helm-charts#476, so we moved this issue here :)
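As an added illustration (not written by the issue author and not taken from the project's documentation), this is the shape of the signed-images half of the request as a policy-controller ClusterImagePolicy. It assumes a placeholder ECR registry host, a placeholder cosign public key, and that the target namespaces are opted in with the webhook's `policy.sigstore.dev/include` label.

```yaml
# Added example: one ClusterImagePolicy that requires a cosign signature
# for every image pulled from the (placeholder) private ECR registry.
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: ecr-images-must-be-signed
spec:
  # The same glob the question describes for both image types.
  # Registry host below is a placeholder, not a real account.
  images:
    - glob: "123456789012.dkr.ecr.eu-west-1.amazonaws.com/**"
  # enforce (the default) rejects pods whose images fail verification;
  # warn would admit them and only annotate the result.
  mode: enforce
  authorities:
    - name: company-cosign-key
      key:
        # Placeholder: the PEM public key paired with the cosign signing key.
        data: |
          -----BEGIN PUBLIC KEY-----
          <company cosign public key, placeholder>
          -----END PUBLIC KEY-----
# Policies are only evaluated in namespaces carrying the webhook's opt-in label,
# for example (placeholder namespace name):
#   kubectl label namespace services policy.sigstore.dev/include=true
```

This single policy applies identically to every opted-in namespace, so on its own it does not give the infrastructure namespace the unsigned-but-glob-checked behaviour the question asks for.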