GoogleCloudPlatform / cloud-sql-proxy

A utility for connecting securely to your Cloud SQL instances
Apache License 2.0

Sign released images with sigstore/cosign #1267

Open mattmoor opened 2 years ago

mattmoor commented 2 years ago

Feature Description

Start to sign the published OCI images using a documented identity.

It looks like you are using Google Cloud Build to publish your images, which @dlorenc added support for to get the distroless images signed, e.g. https://github.com/GoogleContainerTools/distroless/blob/db2d69aa294c7ff414ae12c6ffe578254745a4ca/cloudbuild.yaml#L75

Currently, we inject these sidecars alongside a few of our images, and we'd love to be able to author policies stating that the images we pull down must be signed by your release process, e.g. keyless@cloudsql-docker.iam.gserviceaccount.com

Alternatives Considered

N/A

Additional Context

If you use GitHub Actions for your releases, this is even easier, and I could probably just send a PR, but either way an admin will have to do a bit of IAM setup to support this.
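The GitHub Actions path mentioned above, as an added example that is not code from the cloud-sql-proxy project or from this issue: a release workflow that signs the published image keylessly with cosign and then runs the same identity-pinned verification a consumer policy would apply (for a Cloud Build release the pinned identity would instead be the build service account named in the request). The image name and the workflow file name in the identity regex are assumed placeholders.

```yaml
# Added example (not from the cloud-sql-proxy repo): a release workflow that
# builds an image, signs it keylessly with cosign via the job's GitHub OIDC
# identity, and verifies the signature against that identity before finishing.
# Assumed placeholders: the image name and the workflow file name used in the
# identity regex.
name: release-image

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write   # push to GHCR
  id-token: write   # lets cosign obtain an OIDC token for keyless signing

jobs:
  build-sign:
    runs-on: ubuntu-latest
    env:
      IMAGE_REPO: ghcr.io/${{ github.repository }}/example-proxy   # assumed image name
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v5
        with:
          push: true
          tags: ${{ env.IMAGE_REPO }}:${{ github.ref_name }}
      # Sign by digest, not by mutable tag, so the signature binds to exact content.
      - name: Sign image (keyless)
        run: cosign sign --yes "${IMAGE_REPO}@${{ steps.build.outputs.digest }}"
      # The identity a consumer policy pins: this repo's release workflow, run on a
      # version tag, with a certificate issued via GitHub's OIDC provider. A signature
      # from any other identity fails this check.
      - name: Verify signature against the expected identity
        run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/\.github/workflows/release\.yml@refs/tags/v.*$" \
            "${IMAGE_REPO}@${{ steps.build.outputs.digest }}"
```

Consumers run the same `cosign verify` invocation (or encode the issuer and identity regex in an admission policy) before pulling the image, so a signature from any other workflow or account is rejected.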

enocom commented 2 years ago

Thanks for the feature request, @mattmoor. This looks like a nice improvement that shouldn't be too much work.

mattmoor commented 2 years ago

@enocom LMK if I can be helpful at all here. I'm mattmoor on most slack instances if that's easier.

enocom commented 1 year ago

Working through the v2 release and related improvements, I still have this on my radar.