Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Container Image Policy #59

Closed
6 of 21 tasks
philips opened this issue Jul 23, 2016 · 18 comments
Closed
6 of 21 tasks

Container Image Policy #59

philips opened this issue Jul 23, 2016 · 18 comments
Assignees
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. sig/auth Categorizes an issue or PR as relevant to SIG Auth.
Milestone

Comments

@philips
Copy link
Contributor

philips commented Jul 23, 2016

Description

Organizations wish to avoid running "unapproved" images.

The exact nature of "approval" is beyond the scope of Kubernetes, but may include reasons like:

  • only run images that are scanned to confirm they do no contain vulnerabilities
  • only run images that use a "required" base image
  • only run images that contain binaries which were built from peer reviewed, checked-in source by a trusted compiler toolchain.
  • etc...

Progress Tracker

FEATURE_STATUS: Proposal review

@idvoretskyi
Copy link
Member

cc @kubernetes/sig-auth

@idvoretskyi idvoretskyi added this to the v1.4 milestone Jul 25, 2016
@erictune
Copy link
Member

@soltysh you were interested in this issue too.

@idvoretskyi idvoretskyi added the sig/auth Categorizes an issue or PR as relevant to SIG Auth. label Jul 25, 2016
@soltysh
Copy link
Contributor

soltysh commented Jul 25, 2016

@erictune thx

@philips
Copy link
Contributor Author

philips commented Aug 5, 2016

Status update: design proposal is merged: kubernetes/kubernetes#27129

@philips
Copy link
Contributor Author

philips commented Aug 5, 2016

Also, @ecordell intends to work on the code for this feature now that the code has been merged. @Q-Lee @erictune @alex-mohr

@philips
Copy link
Contributor Author

philips commented Aug 17, 2016

Updated the PRs for the current implementation kubernetes/kubernetes#30631 and API changes kubernetes/kubernetes#30241. Looks likely to land for v1.4. @Q-Lee and @ecordell how are y'all feeling?

@Q-Lee
Copy link

Q-Lee commented Aug 17, 2016

@philips It's looking good.

@philips The API is being tested in the merge queue atm, and the implementation is close to an lgtm. I'm setting up a test for gce/gci on top of ecordell's changes atm.

@ecordell
Copy link
Contributor

@philips API is in! I'm hopeful the implementation will go through today

@ecordell
Copy link
Contributor

kubernetes/kubernetes#30631 is merged

@janetkuo
Copy link
Member

janetkuo commented Sep 2, 2016

@philips Are the docs ready? Please update the docs in https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and check the docs box in the issue description

@jaredbhatti
Copy link

Ping. Any update on docs?

@Q-Lee
Copy link

Q-Lee commented Sep 7, 2016

@philips @ecordell What are the plans for the docs with this?

@ecordell
Copy link
Contributor

ecordell commented Sep 7, 2016

@Q-Lee I'll work on them and have a PR soon

@ecordell
Copy link
Contributor

ecordell commented Sep 8, 2016

Docs PR: kubernetes/website#1188

@ecordell
Copy link
Contributor

For making image policy decisions, it's important that the backend be able to resolve tags to digests so that downstream services see a consistent view of approved images.

I've started sketching the changes here (no tests or codegen):

kubernetes/kubernetes@master...ecordell:imagereviewwebhook-digest

There is some overlap between this and kubernetes/community#132, but mutation is not in the scope of that proposal (simply planned for later).

@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 2, 2018
@erictune
Copy link
Member

erictune commented Jan 3, 2018

I recommend further features requests for image policy first be attempted using validating webhooks.

@erictune erictune closed this as completed Jan 3, 2018
ingvagabund pushed a commit to ingvagabund/enhancements that referenced this issue Apr 2, 2020
update non-x86 samples EP to discuss CI
@saschagrunert
Copy link
Member

Hey folks, what is the future plan for this feature? I see that it may fit into a native sigstore container image validation support for Kubernetes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. sig/auth Categorizes an issue or PR as relevant to SIG Auth.
Projects
None yet
Development

No branches or pull requests