jiparis
commented
3 months ago I'll reopen the issue, as it will be used as the umbrella for follow up tasks
Open migmartri opened 1 year ago
jiparis
commented
3 months ago I'll reopen the issue, as it will be used as the umbrella for follow up tasks
Currently, no verification is done when an attestation is received in the control plane. Creation and validation checks are done in the client side, but not on the server side.
We should allow operators to attach
regoor potentiallycuepolicies to their contracts and these should get evaluated during the reception of the attestation.We created a task #35 which will get superseded by this functionality since 35 is in fact a policy check that some materials exist and that the runner type is correct.
re: implementation
att pushcommand will too since the check for the first version could be sync.About the policy format.
We should probably aim towards Open Policy Agent (OPA) and leverage (conftest) logic. We should take a look at policy-controller way of doing this
On the UX side of things we could allow attaching a policy to our contract today.
example from policy-controller that could map our current contract too.
using
cueor rego
Note: If we go ahead with the implementation based on an integration. We would need to extend the integrations model to read from its result and apply it to the workflow runs. Currently they are just fire and forget.