IBM / portieris

A Kubernetes Admission Controller for verifying image trust.
Apache License 2.0

Inappropriate default clusterimage policy. #94

Closed sjhx closed 4 years ago

sjhx commented 4 years ago

The default cluster image policy requires Docker Content Trust for all images; given that DCT is no longer the only signature mechanism supported, this is not appropriate. Also, the model we are promoting is strict enforcement generally, with exceptions at the imagepolicy level, which makes less sense if there are alternative kinds of signature enforcement.

We could ship a permissive default with examples of enforcing DCT or simple signing.

What commit ID of Portieris did you experience the problem with?

release 0.6.0

What went wrong?

hard to use simple signing

What should have happened differently?

guided to set appropriate policies

How can it be reproduced?

install

sjhx commented 4 years ago

closed via https://github.com/IBM/portieris/pull/140