Issue #784: cosigned webhook should resolve tags to digests
Labels: bug (Something isn't working)
mattmoor added a commit to mattmoor/cosign that referenced this issue on Sep 25, 2021:

This change makes `cosigned` reject tag references, which can drift after validation has occurred, rendering the validation we perform ineffective. This also adds unit test coverage for the bulk of the `webhook` package. A subsequent change will introduce a mutating webhook that resolves tags to digests (we still need the validating webhook due to webhook ordering).
Related: sigstore#784
Signed-off-by: Matt Moore <mattomata@gmail.com>
mattmoor added a commit to mattmoor/cosign that referenced this issue on Sep 25, 2021:

This change introduces a mutating webhook to complement our validating webhook. The validating webhook in sigstore#799 began rejecting tag references because tags are mutable and can drift between validation and resolution by the kubelet. This change introduces a mutating webhook that resolves tags to digests as resources are created, so that users aren't necessarily forced to provide digests, but we get the benefits of them nonetheless.
Fixes: sigstore#784
Signed-off-by: Matt Moore <mattomata@gmail.com>
mattmoor added a commit that referenced this issue on Sep 25, 2021:

This change makes `cosigned` reject tag references, which can drift after validation has occurred, rendering the validation we perform ineffective. This also adds unit test coverage for the bulk of the `webhook` package. A subsequent change will introduce a mutating webhook that resolves tags to digests (we still need the validating webhook due to webhook ordering).
Related: #784
Signed-off-by: Matt Moore <mattomata@gmail.com>
dlorenc pushed a commit that referenced this issue on Sep 26, 2021:

This change introduces a mutating webhook to complement our validating webhook. The validating webhook in #799 began rejecting tag references because tags are mutable and can drift between validation and resolution by the kubelet. This change introduces a mutating webhook that resolves tags to digests as resources are created, so that users aren't necessarily forced to provide digests, but we get the benefits of them nonetheless.
Fixes: #784
Signed-off-by: Matt Moore <mattomata@gmail.com>
mrjoelkamp pushed a commit to mrjoelkamp/cosign that referenced this issue on Sep 28, 2021:

This change makes `cosigned` reject tag references, which can drift after validation has occurred, rendering the validation we perform ineffective. This also adds unit test coverage for the bulk of the `webhook` package. A subsequent change will introduce a mutating webhook that resolves tags to digests (we still need the validating webhook due to webhook ordering).
Related: sigstore#784
Signed-off-by: Matt Moore <mattomata@gmail.com>
Signed-off-by: Joel Kamp <joel.kamp@invitae.com>

mrjoelkamp pushed a commit to mrjoelkamp/cosign that referenced this issue on Sep 28, 2021:

This change introduces a mutating webhook to complement our validating webhook. The validating webhook in sigstore#799 began rejecting tag references because tags are mutable and can drift between validation and resolution by the kubelet. This change introduces a mutating webhook that resolves tags to digests as resources are created, so that users aren't necessarily forced to provide digests, but we get the benefits of them nonetheless.
Fixes: sigstore#784
Signed-off-by: Matt Moore <mattomata@gmail.com>
Signed-off-by: Joel Kamp <joel.kamp@invitae.com>
Description

tl;dr

This is similar to #648 (albeit with a less sensational title); essentially, if we allow tags to pass through the `cosigned` webhook, even if they are verified, we are leaving folks open to problems.

One option here would be to simply outright reject non-digest requests, which we probably should be doing in pure validation contexts.

Another option here would be to actually support running `cosigned` as a mutating webhook as well (trivial with the knative infra), and simply mutate the image references to be their resolved digests as we verify them. In fact, if we simply set:

Then when this logic is run as a mutating webhook, the infra will automagically synthesize the appropriate patches to effect the digest resolution.

cc @dlorenc @mlieberman85 @dekkagaijin
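Both options from the description, as an added Go example that is not cosign's own code: a validating check that admits only digest-pinned references, and a mutating path that resolves tags through an injected lookup and emits the RFC 6902 patch a mutating admission webhook would return. The `hasDigest`/`validateImages`/`mutateImages` names, the regexp-based reference check (cosign itself parses references with go-containerregistry), and the in-memory map standing in for a registry are all assumptions of this example.

```go
package main

import (
	"fmt"
	"regexp"
)

// A pinned reference ends in "@sha256:<64 hex>". A bare tag ("repo:v1") is
// mutable and may point at different content by the time the kubelet pulls it.
var digestRe = regexp.MustCompile(`@sha256:[0-9a-f]{64}$`)

func hasDigest(ref string) bool { return digestRe.MatchString(ref) }

// validateImages is the validating-webhook side: admit only digest references.
func validateImages(images []string) error {
	for _, img := range images {
		if !hasDigest(img) {
			return fmt.Errorf("image %q is a tag reference; pin it to a digest", img)
		}
	}
	return nil
}

// JSONPatchOp is one RFC 6902 operation, the form a mutating webhook returns.
type JSONPatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// mutateImages is the mutating-webhook side: each tag reference is resolved via
// lookup (a registry call in production, any func here) and a patch replaces
// /spec/containers/<i>/image with "repo:tag@sha256:...". Already pinned images
// are skipped, so running the webhook a second time yields an empty patch.
func mutateImages(images []string, lookup func(string) (string, bool)) ([]JSONPatchOp, error) {
	var ops []JSONPatchOp
	for i, img := range images {
		if hasDigest(img) {
			continue
		}
		digest, ok := lookup(img)
		if !ok {
			return nil, fmt.Errorf("cannot resolve %q to a digest", img)
		}
		ops = append(ops, JSONPatchOp{"replace", fmt.Sprintf("/spec/containers/%d/image", i), img + "@" + digest})
	}
	return ops, nil
}

func main() { // constructed fixture standing in for a registry; the digest is not a real one
	reg := map[string]string{"gcr.io/example/app:v1": "sha256:" + fmt.Sprintf("%064d", 1)}
	fmt.Println(mutateImages([]string{"gcr.io/example/app:v1"}, func(r string) (string, bool) { d, ok := reg[r]; return d, ok }))
}
```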