sigstore / policy-controller

Sigstore Policy Controller - an admission controller that can be used to enforce policy on a Kubernetes cluster based on verifiable supply-chain metadata from cosign

Feature Request: Allow restriction of policy by namespace. #298

Open slimm609 opened 1 year ago

slimm609 commented 1 year ago

Today if you have multiple ClusterImagePolicy resources, there is no easy way to restrict them in a multi-tenant environment by namespace. If you have 2 teams, teamA and teamB, they both want to sign their own images but only want images signed by their own key to run in their own namespace.

```yaml
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: teamA
spec:
...
---
apiVersion: policy.sigstore.dev/v1beta1
kind: ClusterImagePolicy
metadata:
  name: teamB
spec:
...
```

Adding an additional label to be able to only allow validation against a specific policy would allow a reduced scope of which policy can be used to validate a specific namespace.

`policy.sigstore.dev/policyName=teamA`

This would cause anything from teamB to fail in the namespace that is only allowed to use the teamA policy.

hectorj2f commented 1 year ago

@slimm609 Perhaps this is something we could extend with the current resource selector. At the moment, the namespaces are not included as valid resource type selectors, but we could add it.

slimm609 commented 1 year ago

Wouldn't that require an update to the policy each time a new namespace was created? Like the opt-in namespace label, it would be much more flexible to allow it on the namespace.

https://capsule.clastix.io/docs/general/tenant-crd#tenant

If you look at something like capsule for multi-tenant, there are additional labels that can be auto-applied to all namespaces a tenant creates, which would allow for the ability to mandate a policy for all their namespaces without having to update any time someone creates a namespace.

hectorj2f commented 1 year ago

@slimm609 Yes, that means you will have to add the labels in the CIP to apply to different namespaces/labels.

I don't know about capsule, but I know of many controllers adding labels for all the owned resources. Could you add an example of how you expect the CIP controller to match these auto-applied labels to CIPs?

hectorj2f commented 1 year ago

@slimm609 I believe we could add support for namespace to the new spec.match so a namespace with a specific label (on top of the current label sigstore/include=true) would work.
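The two mechanisms discussed so far, a namespace-side `policy.sigstore.dev/policyName` label that pins a namespace to one policy (the original request) and a namespace label selector on the CIP's `spec.match` (the suggestion just above), can be modelled together in a few lines. The Go program below is an added illustration written for this thread, not policy-controller code: the `MatchNamespaceLabels` field, the `TrustedKeys` field and the `admit`/`applicablePolicies` functions are hypothetical, signature verification is reduced to "which key ID signed the image", the sample policies and namespaces are constructed, and how the real controller treats an image that no policy matches is not modelled.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels used in the thread: the opt-in label as quoted above, and the
// policyName label proposed in the feature request.
const (
	includeLabel    = "sigstore/include"
	policyNameLabel = "policy.sigstore.dev/policyName"
)

// Namespace is the subset of a Kubernetes Namespace this model needs.
type Namespace struct {
	Name   string
	Labels map[string]string
}

// ClusterImagePolicy is a cut-down, hypothetical model of a CIP. TrustedKeys
// stands in for the keys under spec.authorities; MatchNamespaceLabels is the
// namespace selector discussed for spec.match, not a field that exists today.
type ClusterImagePolicy struct {
	Name                 string
	TrustedKeys          []string
	MatchNamespaceLabels map[string]string // nil/empty: applies to any namespace
}

// applicablePolicies reports whether ns is enforced at all and, if so, which
// policies may validate images in it:
//   1. a namespace without the opt-in label is not enforced;
//   2. a policy with MatchNamespaceLabels applies only if every label matches;
//   3. a namespace carrying policyNameLabel is restricted to that one policy.
func applicablePolicies(ns Namespace, cips []ClusterImagePolicy) (bool, []ClusterImagePolicy) {
	if ns.Labels[includeLabel] != "true" {
		return false, nil
	}
	pinned, hasPin := ns.Labels[policyNameLabel]
	out := []ClusterImagePolicy{}
	for _, cip := range cips {
		if hasPin && cip.Name != pinned {
			continue
		}
		if !labelsMatch(cip.MatchNamespaceLabels, ns.Labels) {
			continue
		}
		out = append(out, cip)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return true, out
}

// labelsMatch reports whether every key/value in want is present in have.
func labelsMatch(want, have map[string]string) bool {
	for k, v := range want {
		if have[k] != v {
			return false
		}
	}
	return true
}

// admit decides whether an image signed by keyID may run in ns. Verification
// is abstracted: a policy accepts the image if keyID is one of its trusted
// keys. An enforced namespace whose applicable policies trust no such key
// fails closed in this model.
func admit(ns Namespace, cips []ClusterImagePolicy, keyID string) (bool, string) {
	enforced, policies := applicablePolicies(ns, cips)
	if !enforced {
		return true, "namespace " + ns.Name + " is not opted in; admitted without verification"
	}
	for _, p := range policies {
		for _, k := range p.TrustedKeys {
			if k == keyID {
				return true, "signature by " + keyID + " accepted by policy " + p.Name
			}
		}
	}
	return false, "no policy applicable to namespace " + ns.Name + " trusts key " + keyID
}

// Constructed sample data: the two tenant policies from the issue plus a third
// that only applies to namespaces labelled env=prod via the hypothetical selector.
var samplePolicies = []ClusterImagePolicy{
	{Name: "teamA", TrustedKeys: []string{"keyA"}},
	{Name: "teamB", TrustedKeys: []string{"keyB"}},
	{Name: "prod-release", TrustedKeys: []string{"releaseKey"}, MatchNamespaceLabels: map[string]string{"env": "prod"}},
}

var (
	nsTeamA  = Namespace{Name: "team-a", Labels: map[string]string{includeLabel: "true", policyNameLabel: "teamA"}}
	nsShared = Namespace{Name: "shared", Labels: map[string]string{includeLabel: "true"}}
	nsProd   = Namespace{Name: "prod", Labels: map[string]string{includeLabel: "true", "env": "prod"}}
	nsDev    = Namespace{Name: "dev", Labels: map[string]string{}}
)

func main() {
	cases := []struct {
		ns  Namespace
		key string
	}{{nsTeamA, "keyA"}, {nsTeamA, "keyB"}, {nsShared, "keyB"}, {nsProd, "releaseKey"}, {nsShared, "releaseKey"}, {nsDev, "anything"}}
	for _, c := range cases {
		ok, why := admit(c.ns, samplePolicies, c.key)
		fmt.Printf("%-7s key=%-10s admit=%-5t %s\n", c.ns.Name, c.key, ok, why)
	}
}
```

Running it shows the behaviour the request asks for: a teamB-signed image is rejected in the namespace pinned to `teamA`, both tenant policies still apply in a namespace that only carries the opt-in label, the `env=prod` selector makes `prod-release` apply only where that label is present, and a namespace that never opted in is left alone. The pin-by-name rule fails closed if the named policy does not exist, which is the safer default for a tenant label that can be auto-applied by a tool like capsule.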

NissesSenap commented 1 year ago

@hectorj2f personally I'm leaning more towards creating a new resource called ImagePolicy that only applies on namespace level.

This way you don't have to write any painful matchers; it's currently rather painful to write them since you have to read the code to know which resources are currently supported.

It would also lower the risk of writing a bad clusterImagePolicy that enforces some really specific policy which potentially could break the possibility to deploy any new pods.

It would also enable you to write a generic cluster-wide policy that meets a minimal requirement for everything, but you could also have a more specific rule per namespace. I understand that this is already possible with the help of multiple ClusterImagePolicy resources, but it can become painful to manage with multiple policies after a while.

But I also understand the reluctance to do this. Has there been any discussion around an ImagePolicy that applies to a namespace earlier?

hectorj2f commented 1 year ago

@NissesSenap We are gonna add a new type to handle namespaced policy enforcement instead of reusing the current API type.