search

fluxcd / flux2-multi-tenancy

Manage multi-tenant clusters with Flux
Apache License 2.0
500 stars 250 forks source link

Install Kyverno using signed OCI artifacts #86

Closed stefanprodan closed 2 years ago

stefanprodan commented 2 years ago

Switch the Kyverno source from GitRepository to OCIRepository and enabled Cosign keyless verification of Kyverno OCI artifacts.

From a security perspective, this change is a major improvement towards a safer deploy pipeline for critical cluster addons. Instead of blindly trusting the Kyverno Git repository host, Flux now verifies the authenticity of Kyverno manifests fetched from oci://ghcr.io/kyverno/manifests/kyverno using the public transparency log hosted at rekor.sigstore.dev.

Ref: https://github.com/kyverno/kyverno/pull/4895 https://github.com/kyverno/kyverno/issues/4869

eddycharly commented 2 years ago

It's Kyverno, not Kyveron 😆

stefanprodan commented 2 years ago

@eddycharly fixed lol