A question about deploying signed and non-signed images combined with glob pattern

[gals-ma]

Question

Hello Guys,

Is there a way to achieve the following flow-

Background: We are a company who has all images in one private AWS ECR.
In general, we have 2 types of images that we deploy-

1. Infrastructure related images (K8S components such as monitoring agents, etc..)- Deployed on various Namespaces.
2. Services images (All our micro-services) - Deployed only on a specific Namespace

We want to achieve the following Image Policy-

1. Services images must be deployed with signature validation + image glob validation.
2. Infrastructure related images are deployed without signature validation + image glob validation.

The image glob pattern is the same for both 1+2.

Is there a way to achieve that with Policy-controller?

Thank you!

[hectorj2f]

@gals-ma could the images be deployed on different namespaces? If so, you just need to label the namespaces where you want to enforce the signature

[gals-ma]

@gals-ma could the images be deployed on different namespaces? If so, you just need to label the namespaces where you want to enforce the signature

Hi Hector,
It is on a different namespace, but we still want to enforce that we deploy images from a given ECR glob pattern on all namespaces, if I exclude a namespace then it will not enforce this..

[hectorj2f]

Perhaps you could use the spec.match fields to select certain resources using labels.
Also, I will suggest to create this issue under Sigstore/policy-controller repo.

[hectorj2f]

To be clear from my first comment, I meant to leave the infrastructure resources under namespaces not labeled with Sigstore label, so you enforce all the others (if you can automatically label the services namespaces).

[gals-ma]

To be clear from my first comment, I meant to leave the infrastructure resources under namespaces not labeled with Sigstore label, so you enforce all the others (if you can automatically label the services namespaces).

Thanks, I also posted in the policy-controller repo as well.
One more question, do you know if this can be achieved using attestations with rego rule?
Meaning, a Rego rule that will check if the namespace equals 'mynamespace'?

[hectorj2f]

@gals-ma You can use rego/cue rules for many things. We sometimes create policies that enforce things at the cue/rego policy level only (thanks to authorities: [static: {action: pass}]:

spec:
  match:
  - version: "v1"
    resource: "pods"
  images: [glob: '**']
  authorities: [static: {action: pass}]
  mode: warn
  policy:
    includeSpec: true
    type: "cue"
    data: |

However, even if you create one of this CIP, you want to enforce images (services) with the same glob pattern, afaik. A list of CIPs matching the same pattern will be evaluated as an AND, so this might not work for you. That is why I asked to find a way to match your resources, or to place them in different namespaces.

Perhaps we can find a solution for you in the repo policy-controller where there are more 👁️ >👁️ on :).

[hectorj2f]

In relation to what I mentioned above, you can this info https://github.com/sigstore/policy-controller#configuring-policy-at-the-clusterimagepolicy-level:

 by specifying multiple ClusterImagePolicy creates an AND clause so that each ClusterImagePolicy must be satisfied for an admission, and having multiple authorities creates an OR clause so that any matching authority is considered a success, sometimes you may want more flexibility, 

[gals-ma]

Thank you very much for the help! @hectorj2f .
Another question if I can- is there a way to have a 'bypass label' for emergency deploys?
for example, adding a custom label to the resource that will bypass the CIP?

Thanks again for all the help

[hectorj2f]

You could change the CIP setting mode: warn where you get warnings instead of rejected requests.