A question about deploying signed and non-signed images combined with glob pattern #476
Comments
@gals-ma could the images be deployed on different namespaces? If so, you just need to label the namespaces where you want to enforce the signature
Hi Hector,
Perhaps you could use the spec.match fields to select certain resources using labels.
To be clear from my first comment, I meant to leave the infrastructure resources under namespaces not labeled with Sigstore label, so you enforce all the others (if you can automatically label the services namespaces).
Thanks, I also posted in the policy-controller repo as well.
@gals-ma You can use rego/cue rules for many things. We sometimes create policies that enforce things at the cue/rego policy level only (thanks to
However, even if you create one of these CIPs, you want to enforce images (services) with the same glob pattern, afaik. A list of CIPs matching the same pattern will be evaluated as an Perhaps we can find a solution for you in the repo policy-controller where there are more 👁️ >👁️ on :).
In relation to what I mentioned above, you can find this info at https://github.com/sigstore/policy-controller#configuring-policy-at-the-clusterimagepolicy-level:
Thank you very much for the help, @hectorj2f! Thanks again for all the help
You could change the CIP setting
Question
Hello Guys,
Is there a way to achieve the following flow-
Background: We are a company who has all images in one private AWS ECR.
In general, we have 2 types of images that we deploy-
We want to achieve the following Image Policy-
The image glob pattern is the same for both 1+2.
Is there a way to achieve that with Policy-controller?
Thank you!