[TEP-0091] Update trusted resources feature flag and add condition

[Yongxuanzhang]

This commit proposes to

1. add mode field intoVerificationPolicy, update the feature flag to verification-no-match-policy with allow / warn / deny
2. add condition into taskrun and pipelinerun to indicate the verification passes or not.

[Yongxuanzhang]

Hi @afrittoli @wlynch @bobcatfish @jagathprakash
This is a proposal to update the trusted resources tep, plz take a look and share your comments.
Thanks!

[jerop]

/kind tep

[pritidesai]

API WG - waiting for the review

/assign @jagathprakash
/assign @afrittoli

[tekton-robot]

@pritidesai: GitHub didn't allow me to assign the following users: jagathprakash.

Note that only tektoncd members, repo collaborators and people who have commented on this issue/PR can be assigned. Additionally, issues/PRs can only have 10 assignees at the same time.
For more information please see the contributor guide

In response to this:

API WG - waiting for the review

/assign @jagathprakash
/assign @afrittoli

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jagathprakash]

/lgtm

[tekton-robot]

@jagathprakash: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[wlynch]

I don't think this is a good idea to support globally, though I get why we'd want something like this for incremental adoption. It would be generally be bad if Tasks could circumvent verification just by renaming to something that's not covered by policy, and new Tasks that are probably riskier would be exempted by default since they're unlikely to match existing policies.

Instead of making verification opt-in, it would probably be safer to make the mode opt-out on a per-policy basis (see ClusterImagePolicySpec.mode for an example). This way things are directed to the more secure way by default, forcing users to either configure the matching policy or explicitly opt out the Tasks.

[Yongxuanzhang]

Thanks! That makes sense. By looking at the ClusterImagePolicySpec.mode. How about changing the verify_match to:

1. If found matched polices then verify and fail
2. If no matched policies then warn

[wlynch]

Preferring warn over skip generally sounds good, but that doesn't address the larger problem of opt-in enforcement and the ability to evade enforcement by crafting a non-matching artifact. 😢

Having policies that opt-out matching patterns seems like a better global policy - this way new artifacts that we haven't encountered before (whether they are malicious or not) can't bypass enforcement.

[wlynch]

Followed up with @Yongxuanzhang off thread -

We're leaning towards modifying this slightly by:

1. adding a mode field to VerificationPolicy to control allow/warn behavior rather than having a global config map value.
2. Modifying resources-verification-mode to specify the action to take if no policy matches (we may rename this to make the behavior clearer).

If you want to have the same affect as what is proposed for verify-match, you can achieve this in one of 2 ways:

1. Set ConfigMap resources-verification-mode: enforce, then define a policy like:

   apiVersion: tekton.dev/v1alpha1
   kind: VerificationPolicy
   metadata:
     name: foo
   spec:
     resources:
       - pattern: ".*"
     mode: warn

   Ideally this should be scoped to only a few sets of resources, and acts as an allowlist. Ideally for cases like "we want to enforce everything, but we know a set of resources isn't signed yet so we will allow those". Enforce mode policies would take precedence over warn.

2. Set ConfigMap resources-verification-mode: warn, then define a policy like:

   apiVersion: tekton.dev/v1alpha1
   kind: VerificationPolicy
   metadata:
     name: foo
   spec:
     resources:
       - pattern: "https://github.com/tektoncd/catalog.git"
     mode: enforce  # this would be the default so could also be omitted.

   This would be closer to what was originally proposed for resources-verification-mode: verify_match - i.e. only enforce matching policies without an explicit opt-out policy.

Much of this was inspired by https://github.com/sigstore/policy-controller so, feel free to take a look there to read up on additional background.

We'll plan to discuss this more in next week's s3c working group, so please join if you have thoughts / opinions! 🙏

[Yongxuanzhang]

/assign @bobcatfish

[Yongxuanzhang]

/assign @jagathprakash

[jerop]

Thanks for the addressing my feedback, the conditions are much clearer now 🎉

[jerop]

Suggested change

	message: resource verification failed
	message: Trusted resource verification failed

[jerop]

@afrittoli @bobcatfish @jagathprakash @wlynch please take another look 🙏🏾

[jerop]

once all assignees have approved, feel free to unhold (just don't want it to merge accidentally)

[wlynch]

/lgtm

[bobcatfish]

Thanks for all the updates @Yongxuanzhang ! There's one last nit from me about referring to the "knative API" but nothing blocking

/approve

[bobcatfish]

I think this is already on your radar, but please send a notification to tekton-dev@ and tekton-users@ to warn folks this is going to happen within one release, with some warning (at least a week I'm thinking?) before the release goes out 🙏

[tekton-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bobcatfish, jerop

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• teps/OWNERS [bobcatfish,jerop]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[Yongxuanzhang]

/hold cancel

[wlynch]

/lgtm