grafeas / kritis

Deploy-time Policy Enforcer for Kubernetes applications
https://github.com/grafeas/kritis/blob/master/docs/binary-authorization.md
Apache License 2.0
696 stars, 134 forks

Dynamically resolve tags on image review #351

Open gmathes opened 5 years ago

gmathes commented 5 years ago

Is your feature request related to a problem? Please describe.
We currently create deployments that reference tags within our docker registry. Kritis rejects unqualified images: https://github.com/grafeas/kritis/blob/760951b95e8c3d5adbdcb98567f5df78aaafdb7c/pkg/kritis/admission/owners.go#L82

Describe the solution you'd like
We would like Kritis to resolve the tags dynamically when reviewing an image during admission.

Describe alternatives you've considered
We are changing our deployment tool to resolve tags before deploying. We would still like the ability to use tags if possible.

Additional context
It seems like the function is already available: https://github.com/grafeas/kritis/blob/760951b95e8c3d5adbdcb98567f5df78aaafdb7c/pkg/kritis/kubectl/plugins/resolve/resolve.go#L78

steakunderscore commented 5 years ago

If you have a private repo, then issue #366 would need solving too.

clrprod commented 5 years ago

FYI - Tags are mutable. If you use kritis to validate a container, it doesn't mean that the container that is running in kubernetes matches your resolved container.

steakunderscore commented 5 years ago

Agreed, this would only work if Kritis was to be a mutating webhook, editing the pod specs to reference images by digest. So the steps would need to be:

  1. Resolve all image tags to digests
  2. Create the patches to be returned to the k8s API
  3. Validate that attestations are correct

But, since mutating webhooks are invoked before validating webhooks, I don't think the above would work for Kritis. Kritis really needs to be a validating webhook so that it can validate only objects after they have finished being mutated. More info in the docs.

Perhaps a better option is to create a mutating webhook separate to kritis. The mutating webhook's sole job would be to resolve the tags to digests. Perhaps this could still be part of the Kritis/Grafeas ecosystem. Thoughts?
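As an added illustration of the two points above (tags are mutable, so a validating webhook can only reason about what it has pinned, and a separate mutating webhook would resolve tags to digests and hand back patches), the following Go program is not Kritis code and uses none of its packages. It takes the containers of a pod spec, resolves every tag-referenced image to a digest through a resolver interface, and emits the RFC 6902 JSON Patch operations a mutating admission webhook would return. The registry lookup is replaced by a constructed in-memory map so it runs offline; the image names and digests are made up. An image the resolver cannot pin is reported as an error rather than admitted unpinned, which is the behaviour a defender wants from such a hook.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Container is the subset of a Kubernetes container spec this example needs.
type Container struct {
	Name  string `json:"name"`
	Image string `json:"image"`
}

// PodSpec is the subset of a Pod spec this example needs (containers only).
type PodSpec struct {
	Containers []Container `json:"containers"`
}

// PatchOp is one RFC 6902 JSON Patch operation, the format a mutating
// admission webhook returns in its AdmissionResponse patch.
type PatchOp struct {
	Op    string `json:"op"`
	Path  string `json:"path"`
	Value string `json:"value"`
}

// Resolver maps an image reference to its content digest. A real webhook
// would ask the registry for the manifest digest; the interface lets this
// example run offline against constructed data.
type Resolver interface {
	Digest(image string) (string, error)
}

// mapResolver is a constructed, offline stand-in for a registry lookup.
type mapResolver map[string]string

func (m mapResolver) Digest(image string) (string, error) {
	d, ok := m[image]
	if !ok {
		return "", fmt.Errorf("unknown image %q", image)
	}
	return d, nil
}

// isDigestPinned reports whether the reference already carries a digest.
func isDigestPinned(image string) bool {
	return strings.Contains(image, "@sha256:")
}

// pinByDigest rewrites "repo[:tag]" to "repo@sha256:...". The tag is dropped
// because only the digest identifies the content; a tag can be re-pointed.
func pinByDigest(image, digest string) string {
	repo := image
	// Only strip a colon that sits after the last "/", so a registry
	// host with a ":port" is left intact.
	if i := strings.LastIndex(image, ":"); i > strings.LastIndex(image, "/") {
		repo = image[:i]
	}
	return repo + "@" + digest
}

// BuildPinningPatch produces the patch a mutating webhook would return to pin
// every tag-referenced container to a digest (steps 1 and 2 above).
// Already-pinned images are left alone; an unresolvable image is an error so
// the request can be denied instead of being admitted with a mutable reference.
func BuildPinningPatch(spec PodSpec, r Resolver) ([]PatchOp, error) {
	var ops []PatchOp
	for i, c := range spec.Containers {
		if isDigestPinned(c.Image) {
			continue
		}
		digest, err := r.Digest(c.Image)
		if err != nil {
			return nil, fmt.Errorf("container %q: %w", c.Name, err)
		}
		ops = append(ops, PatchOp{
			Op:    "replace",
			Path:  fmt.Sprintf("/spec/containers/%d/image", i),
			Value: pinByDigest(c.Image, digest),
		})
	}
	return ops, nil
}

func main() {
	// Constructed sample: one tag-referenced image, one already pinned.
	spec := PodSpec{Containers: []Container{
		{Name: "app", Image: "registry.example.com:5000/team/app:v1.2"},
		{Name: "sidecar", Image: "registry.example.com:5000/team/sidecar@sha256:" + strings.Repeat("b", 64)},
	}}
	registry := mapResolver{
		"registry.example.com:5000/team/app:v1.2": "sha256:" + strings.Repeat("a", 64),
	}
	ops, err := BuildPinningPatch(spec, registry)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(ops, "", "  ")
	fmt.Println(string(out))
}
```

The patch paths index into `/spec/containers/N/image`, which is why the resolution has to happen on the exact object the API server will persist: if the mutating hook ran on a different object, or after another mutating hook reordered containers, a validating hook such as Kritis would be attesting a reference the scheduler never uses.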

aysylu commented 5 years ago

@gmathes: thanks for filing the GH issue. This need is definitely something that has been communicated by the community, so it's good to have the issue tracking this.

@steakunderscore: I agree that we'll need to take special care about when in the control flow the image tags are resolved. This is especially important since we want to make sure that when we re-admit an image due to pod restarts, we're re-admitting the intended one. I also agree that this would be good to have as part of the Kritis ecosystem. It'd be good to have a document outlining the high-level architecture, so we could use it to explain and draw consensus on the exact details of the mechanism. Is this something you'd be interested in taking on? It seems to be related to #366.