Open jpoley opened 5 years ago
Related to #43
There are a few open source options for this now. We outlined one here: https://blog.chainguard.dev/cosigned-up-and-running-on-eks/
Kyverno also supports this, and there's an experimental data provider in OPA Gatekeeper, all of which work with EKS and ECR.
https://kyverno.io/docs/writing-policies/verify-images/
https://github.com/developer-guy/container-image-sign-and-verify-with-cosign-and-opa
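As an added example (not from the issue or the linked posts), a Kyverno ClusterPolicy of the kind the comment refers to: it admits Pods only when their ECR images carry a cosign signature verifiable with the given key, and rewrites the tag to the verified digest so the scheduled image is pinned by SHA. The account ID, region and public key are placeholders.

```yaml
# Added example: enforce cosign-signed images from a private ECR registry on EKS.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-ecr-image-signatures
spec:
  # Enforce (reject) rather than Audit (log only).
  validationFailureAction: Enforce
  # verifyImages rules run at admission time only.
  background: false
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        # Placeholder registry: replace with your own ECR account ID and region.
        - imageReferences:
            - "123456789012.dkr.ecr.us-east-1.amazonaws.com/*"
          # Replace the image tag with the verified digest in the admitted Pod,
          # so a later tag move cannot change what is running.
          mutateDigest: true
          attestors:
            - entries:
                - keys:
                    # Placeholder: the cosign public key matching the key used
                    # by the CI/CD pipeline that signs images at build time.
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <cosign-public-key-placeholder>
                      -----END PUBLIC KEY-----
```

Images from registries not matched by imageReferences are left untouched, so the pattern applies only to the pipeline-built images the request is about.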
Tell us about your request: EKS support for image signing with SHA hash (via ECR), as is supported here: https://aws.amazon.com/about-aws/whats-new/2019/10/amazon-ecs-now-supports-ecs-image-sha-tracking/
Which service(s) is this request for? This is for EKS; this capability already exists in ECR (for ECS).
Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard? Trying to make sure only signed images are run on the EKS cluster, signed from the specific CI/CD build/deploy process.
Are you currently working around this issue? I do not yet have a workaround; I was hoping for a generic pattern.
Additional context: this could possibly be done via Open Policy Agent. https://github.com/open-policy-agent/opa