Is your feature request related to a problem? Describe the feature request.
I need to apply a cluster-wide image verification policy using a custom Notary server, verifying that the digests are signed by my private key.
If I understand the current situation correctly:
A ClusterImagePolicy applies to all pods regardless of namespace.
It can be configured with the "trust" policy option in order to verify against a Notary server.
It can also be configured with "signerSecrets". If this is done, Portieris fetches the specified Secrets object from Kubernetes and verifies that the digest pulled from Notary has been signed by that key.
The problem is that, while "signerSecrets" takes a "name" option, it doesn't take a "namespace". Instead, it uses the namespace of the pod being verified. So, if I want all pods to be verified using the same key, I need to clone the signerSecrets object in every namespace, which is the kind of thing that a ClusterImagePolicy is supposed to avoid.
Describe the solution that you'd like
signerSecrets takes an optional "namespace" field. If that is defined, Portieris fetches the secret with the specified namespace, rather than the namespace of the pod being verified.
Describe alternatives you've considered
The "keySecretNamespace" option added here addresses a similar problem, but it only seems to be available for "simple" policies that do not define a Notary server.
Additional context
Add any other context or screenshots about the feature request.
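The policy shape this request is about, as an added example that is not part of the original issue or of Portieris's own documentation. The registry, trust-server host, policy name and Secret name are placeholders; "trustServer" is the field name as recalled from the Portieris docs, so check it against your version; the commented-out "namespace" entry is the proposal from the issue, not an option Portieris currently accepts:

```yaml
# Added example, not from the original issue or the Portieris project.
# A cluster-wide policy that verifies images from one registry against a
# custom Notary server and requires the pulled digest to be signed by the
# key held in the Secret named under signerSecrets.
apiVersion: portieris.cloud.ibm.com/v1
kind: ClusterImagePolicy
metadata:
  name: require-notary-signature        # placeholder name
spec:
  repositories:
    - name: "registry.example.com/*"    # placeholder registry
      policy:
        trust:
          enabled: true
          # Custom Notary server; field name assumed from the Portieris docs.
          trustServer: https://notary.example.com
          signerSecrets:
            # Only "name" exists today. The Secret is looked up in the
            # namespace of the pod being admitted, so with this policy the
            # Secret "release-signing-key" has to exist in every namespace
            # that runs pods from registry.example.com.
            - name: release-signing-key
              # Requested by the issue; not a field Portieris currently has:
              # namespace: portieris-keys
```

As written, the policy is applied once, but the Secret it references still has to be created per namespace; the commented-out line marks the one field the request would add so that a single Secret in a fixed namespace could serve every pod the policy covers.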