Closed trondat closed 1 year ago
@trondat The policy-controller webhook now requires digest references to validate references since the tag can move. So it is an expected behavior.
IMHO this (new?) behavior is too strict when you just start signing and verifying container images. Is it possible to make this optional? In my use case I don't care about image digests but care about image tags. All my images are signed by me. I "only" want to make sure every single container image from my private registry is built by me.
The decision comes to enforce the security of the verification.
Closing issue as this is related to the policy-controller (then known as cosigned) and is not related to the chart itself.
Hi,
When trying to run an image in a namespace that is "cosigned enabled", the webhook throws an error:
The image is signed with cosign and verified with cosign using the same public key that is used for cosigned on K0s.
The same also applies when trying to deploy an unsigned image.
Any suggestion on what is wrong?
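
The digest requirement described in this thread can be checked before a manifest reaches the cluster. The following is an added example, not part of the thread and not policy-controller code: it flags containers in a pod spec whose image reference carries no sha256 digest. The registry name, function names and sample spec are constructed for illustration.

```python
import re

DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def split_reference(ref):
    """Split an image reference into (name, tag, digest); tag and digest may be None."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    tag = None
    last = ref.rsplit("/", 1)[-1]
    # A colon marks a tag only when it sits in the last path component:
    # "registry.example.internal:5000/app" has a port, not a tag.
    if ":" in last:
        ref, tag = ref.rsplit(":", 1)
    return ref, tag, digest


def is_digest_pinned(ref):
    """True when the reference ends in a well-formed sha256 digest."""
    _, _, digest = split_reference(ref)
    return digest is not None and DIGEST_RE.fullmatch(digest) is not None


def unpinned_images(pod_spec):
    """Return (container name, image) for every container not referenced by digest."""
    found = []
    for key in ("initContainers", "containers", "ephemeralContainers"):
        for container in pod_spec.get(key, []):
            if not is_digest_pinned(container["image"]):
                found.append((container["name"], container["image"]))
    return found


# Constructed sample data: the digest value and registry host are placeholders.
SAMPLE_DIGEST = "sha256:" + "a" * 64
REGISTRY = "registry.example.internal:5000"
SAMPLE_POD_SPEC = {
    "initContainers": [{"name": "init", "image": REGISTRY + "/tools/init"}],
    "containers": [
        {"name": "web", "image": REGISTRY + "/web:1.4.2"},
        {"name": "api", "image": REGISTRY + "/api:1.4.2@" + SAMPLE_DIGEST},
        {"name": "db", "image": REGISTRY + "/db@" + SAMPLE_DIGEST},
    ],
}

if __name__ == "__main__":
    for name, image in unpinned_images(SAMPLE_POD_SPEC):
        print(f"{name}: {image} is referenced by tag only")
```

A reference that carries both a tag and a digest counts as pinned here, since the digest fixes the content the tag pointed to at signing time.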