Is your feature request related to a problem? Please describe.
Currently, the Kritis signer binary only accepts a policy file that resides on the local filesystem. In the context of Kritis Signer being containerized (i.e., most cases), the policy file must be "baked" into the container image. This becomes problematic when multiple unique policies are required (maybe due to differing security sensitivity of workloads being analyzed/signed). In this case, it requires creating multiple Kritis signer container images, each with a custom baked-in policy file.
Describe the solution you'd like
Provide the option of pulling the policy.yaml from an external location, for example GCS, e.g. using the command-line option "-policy=gs://bucket/path/policy.yaml", with the binary detecting a GCS path and pulling the policy accordingly.
Describe alternatives you've considered
Requires building multiple kritis signer images with the policy.yaml baked in.
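As an added illustration of the requested behaviour (not Kritis's own code; the function names, the ObjectGetter abstraction, the optional pinned-digest check and the in-memory stand-in for GCS are assumptions), a Go loader that keeps plain paths on the local filesystem and dispatches gs:// references to an injected bucket reader:

```go
package main

import (
	"context"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"strings"
)

// ObjectGetter reads one object from a bucket; a thin wrapper over the GCS client would satisfy it.
type ObjectGetter func(ctx context.Context, bucket, object string) ([]byte, error)

// LoadPolicy resolves the -policy value: a gs:// ref is split into bucket and object and fetched
// through get, any other URL scheme is rejected, and a plain path keeps the current local-file
// behaviour. A non-empty wantSHA256 pins the content so an edited bucket object cannot silently
// relax the policy.
func LoadPolicy(ctx context.Context, ref string, get ObjectGetter, wantSHA256 string) (data []byte, err error) {
	switch {
	case strings.HasPrefix(ref, "gs://"):
		bucket, object, ok := strings.Cut(strings.TrimPrefix(ref, "gs://"), "/")
		if !ok || bucket == "" || object == "" {
			return nil, fmt.Errorf("malformed gs:// reference: %q", ref)
		}
		data, err = get(ctx, bucket, object)
	case strings.Contains(ref, "://"):
		return nil, fmt.Errorf("unsupported policy scheme in %q", ref)
	default:
		data, err = os.ReadFile(ref)
	}
	if err != nil {
		return nil, err
	}
	if sum := sha256.Sum256(data); wantSHA256 != "" && hex.EncodeToString(sum[:]) != wantSHA256 {
		return nil, fmt.Errorf("policy digest mismatch for %s", ref)
	}
	return data, nil
}

// MemStore is a constructed in-memory stand-in for GCS keyed "bucket/object", so the example runs offline.
func MemStore(objects map[string][]byte) ObjectGetter {
	return func(_ context.Context, bucket, object string) ([]byte, error) {
		if b, ok := objects[bucket+"/"+object]; ok {
			return b, nil
		}
		return nil, fmt.Errorf("gs://%s/%s not found", bucket, object)
	}
}
```

The signer would call LoadPolicy once at startup with a non-nil getter whenever a gs:// value is accepted; pinning the digest is optional but turns the bucket into a less attractive place to tamper with the policy.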