[TEP-0091] Update trusted resources feature flag and add condition
This commit proposes to add one more mode into the current
resource-verification-mode; the new `verify_match` mode enables the
verification to occur only on matching policies, and renames the current modes
to make them clearer. Besides this, the commit proposes to add a condition
to taskrun and pipelinerun to indicate whether the verification passes or not.
Yongxuanzhang committed Feb 23, 2023
1 parent d4dabd5 commit 782f142
Showing 2 changed files with 37 additions and 7 deletions.
42 changes: 36 additions & 6 deletions teps/0091-trusted-resources.md
Expand Up @@ -2,7 +2,7 @@
status: implementable
title: Trusted Resources
creation-date: '2022-06-22'
last-updated: '2022-08-16'
last-updated: '2023-01-31'
authors:
- '@squee1945'
- '@wlynch'
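Review bot: `last-updated: '2023-01-31'` in this hunk predates the commit date (Feb 23, 2023) shown in the header, even though the TEP content itself changes in this commit; bump the date to the date the change actually lands, and keep the matching row in teps/README.md in sync with whatever value is chosen.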
Expand Down Expand Up @@ -267,6 +267,8 @@ metadata:
name: verification-policy-a
namespace: resource-namespace
spec:
# mode controls whether a failing policy will be rejected
mode: "enforce"
# resources defines a list of patterns
resources:
- pattern: "https://github.com/tektoncd/catalog.git" #git resource pattern
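Review bot: the new `mode: "enforce"` line in the policy example only gets the comment `# mode controls whether a failing policy will be rejected`; list the accepted values and the default right there (e.g. `# mode: enforce (default) or warn`) so a reader copying the example knows that omitting the key is safe and that `warn` means a failing signature check no longer blocks the resource. The same comment should say that `warn` is meant for rollout and that its warnings need to be monitored, since a policy left in `warn` provides no enforcement at all.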
Expand All @@ -289,6 +291,8 @@ spec:

`namespace` should be the same of corresponding resources' namespace.

`mode` controls whether a failing policy will be rejected, can be set to `enforce` or `warn`, by default is `enforce`. If set to `enforce` then failing policy will deny the resource, if set to `warn` then failing policy will only log the warning but allow the resource.

`pattern` is used to filter out remote resources by their sources URL. e.g. git resources pattern can be set to https://github.com/tektoncd/catalog.git. The `pattern` should follow regex schema, we use go regex library's [`Match`](https://pkg.go.dev/regexp#Match) to match the pattern from VerificationPolicy to the `ConfigSource` URL resolved by remote resolution. Note that `.*` will match all resources.
To learn more about regex syntax please refer to [syntax](https://pkg.go.dev/regexp/syntax). `ConfigSource` is also resolved by remote resolvers, e.g. [gitresolver](https://github.com/tektoncd/pipeline/blob/main/docs/git-resolver.md#resolutionrequest-status).
To learn more about `ConfigSource` please refer to [ConfigSource](https://github.com/tektoncd/pipeline/blob/main/docs/pipeline-api.md#configsource-1) for more context.
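Review bot: the sentence describing `mode` is a run-on and leaves two behaviours unspecified: it says a `warn` policy will "only log the warning" without saying where (controller log only, or also the taskrun/pipelinerun condition introduced later in this file), and it does not say what happens when several policies match one resource with different modes (one `enforce`, one `warn`). Suggest splitting the sentence and adding an explicit rule such as "if any matching policy in enforce mode fails, the resource is rejected", plus a cross-reference to the condition section.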
Expand All @@ -312,6 +316,11 @@ type VerificationPolicySpec struct {
Resources []ResourcePattern `json:"resources"`
// Authorities defines the rules for validating signatures.
Authorities []Authority `json:"authorities"`
// Mode controls whether a failing policy will be rejected (not admitted), or if errors are converted to Warnings.
// enforce - Reject (default)
// warn - allow but warn
// +optional
Mode string `json:"mode,omitempty"`
}

type ResourcesPattern struct {
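Review bot: `Mode string` with free-form values means a misspelled mode (e.g. `enforec`) is accepted by the API server and its effect then depends on how the controller treats an unknown string; add validation (an enum marker on the field or a check in the VerificationPolicy validation) so unknown values are rejected at admission rather than silently falling back to either behaviour, and consider a named type with constants for `enforce` and `warn` instead of a bare string. Also, the context lines show `Resources []ResourcePattern` while the type below is declared `type ResourcesPattern struct`; the two names should agree.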
Expand Down Expand Up @@ -377,13 +386,34 @@ metadata:
name: feature-flag
namespace: tekton-pipelines
data:
verification-policy: enforce
enable-trusted-resource: true
```
`enable-trusted-resource`. (Optional, `true` or `false`, default `false`):
* `true`: Failing verification will mark the taskruns/pipelineruns as failed.
* `false`: Directly skip the verification.


```yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: config-trusted-resources
namespace: tekton-pipelines
data:
no-match-policy: "deny"
```

`verification-policy`. (Optional, `enforce`, `warn` or `skip`, default `skip`):
* `enforce`: Failing verification will mark the taskruns/pipelineruns as failed.
* `warn`: Log warning but don't fail the taskruns/pipelineruns.
* `skip`: Directly skip the verification.
`no-match-policy`. (Optional, `allow`, `deny` or `warn`, default `deny`):
* `deny`: when no matching policies found, reject the resource and fail taskrun/pipelinerun.
* `allow`: when no matching policies found, allow the resource.
* `warn`: when no matching policies found, allow the resource and log warning.

**Note:** If users want to have both signed resources and unsigned resources. The `enable-trusted-resource` needs to be set to `true` and `no-match-policy` is set to `allow`. So for signed resources, matched policies can be used to verify. For unsigned resources, no policies will be found so they are allowed.

#### Condition Update

Trusted resources should also update the taskrun/pipelinerun’s condition to indicate if it passes verification or not. This can be done via knative api.

### Integrate with Remote Resource Resolution

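Review bot: in the `feature-flag` ConfigMap example `enable-trusted-resource: true` is an unquoted YAML boolean, but ConfigMap `data` values must be strings, so `kubectl apply` will reject the manifest; quote it as `"true"` (the `no-match-policy: "deny"` example already does this). Two further gaps in this hunk: replacing the three-valued `verification-policy` with a boolean `enable-trusted-resource` drops the global `warn` mode, so the text should state that warn now exists only per policy (`mode: warn`) and for the no-match case, and how an existing `verification-policy: warn` setting migrates. The **Note** paragraph should also spell out the risk of `no-match-policy: allow`: any resource whose source URL matches no `pattern` is admitted without verification, so the patterns must cover every source that is expected to be signed. Finally, "Condition Update" says only that this is done "via knative api"; name the condition type and reason that a failed or warned verification sets, so tooling can consume it consistently.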
2 changes: 1 addition & 1 deletion teps/README.md
Expand Up @@ -260,7 +260,7 @@ This is the complete list of Tekton teps:
|[TEP-0088](0088-result-summaries.md) | Tekton Results - Record Summaries | proposed | 2021-10-01 |
|[TEP-0089](0089-nonfalsifiable-provenance-support.md) | Non-falsifiable provenance support | implementable | 2022-01-18 |
|[TEP-0090](0090-matrix.md) | Matrix | implemented | 2022-06-30 |
|[TEP-0091](0091-trusted-resources.md) | Trusted Resources | implementable | 2022-08-16 |
|[TEP-0091](0091-trusted-resources.md) | Trusted Resources | implementable | 2023-01-31 |
|[TEP-0092](0092-scheduling-timeout.md) | Scheduling Timeout | implementable | 2022-04-11 |
|[TEP-0093](0093-add-sign-verify-subcommand-to-the-cli.md) | Add sign and verify subcommand to the CLI | proposed | 2022-10-05 |
|[TEP-0094](0094-configuring-resources-at-runtime.md) | Configuring Resources at Runtime | implemented | 2022-03-11 |
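Review bot: the date in this row matches the `last-updated` value in the TEP; if that value is bumped to the merge date, update this row in the same commit so the index and the TEP do not drift apart.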
