sse-secure-systems / connaisseur

An admission controller that integrates Container Image Signature Verification into a Kubernetes cluster
https://sse-secure-systems.github.io/connaisseur/
Apache License 2.0

Can cosign retry on transient failure? #725

Open funkypenguin opened 2 years ago

funkypenguin commented 2 years ago

Describe the feature

We frequently see connaisseur errors due to transient Docker Hub failures. It would be helpful if we could configure a retry limit for cosign, to minimize disruption from these failures.

Optional: Is your feature request related to a problem? Please describe.

A transient failure (for example, on Docker Hub) will cause connaisseur to deny an image.

Optional: Implementation ideas

Allow the operator to specify a retry interval for the cosign verify process.

Optional: Additional context

Here's an example of a transient failure:

*CONNAISSEUR rejected a request: Unexpected Cosign exception for image "docker.io/myorg/bank-vaults:1.15.2": 
Error: Get "https://auth.docker.io/token?scope=repository%3Amyorg%2Fbank-vaults%3Apull&service=registry.docker.io": 
EOF
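A retry wrapper of the kind this request describes, shown as an added example that is not Connaisseur's code. It assumes the cosign CLI is on PATH (`cosign verify --key <key> <image>` is the real invocation), and the error strings it treats as transient are assumptions, apart from the `EOF` on the Docker Hub token request quoted above. The point a practitioner would want from such a feature is kept explicit: only transient registry or network errors are retried, a definitive verdict such as "no matching signatures" is returned immediately, and when every attempt is transient the image is still denied so an outage never becomes an admission bypass. The flaky runner at the bottom is constructed input so the block runs offline.

```python
"""Retry wrapper around `cosign verify` for transient registry failures.

Added example, not Connaisseur code. Assumes the cosign CLI is on PATH and
that the error strings below are representative; the fake runner at the
bottom is constructed input for demonstration.
"""
import re
import subprocess
import time
from dataclasses import dataclass
from typing import Callable, List

# Signs that the registry or network hiccupped rather than that the
# signature is bad. "EOF" on the auth.docker.io token request is the case
# quoted in the issue; the other variants are assumed.
TRANSIENT_RE = re.compile(
    r"\bEOF\b|connection (?:reset|refused)|i/o timeout|TLS handshake timeout"
    r"|context deadline exceeded|no such host|\b(?:429|502|503|504)\b",
    re.IGNORECASE,
)
# A real verdict: must never be retried, retrying only delays a correct denial.
DEFINITIVE_RE = re.compile(
    r"no matching signatures|invalid signature|MANIFEST_UNKNOWN|UNAUTHORIZED",
    re.IGNORECASE,
)


@dataclass
class CosignResult:
    returncode: int
    stdout: str
    stderr: str


@dataclass
class Outcome:
    allowed: bool
    reason: str      # "verified", "denied" or "transient"
    attempts: int


def run_cosign(image: str, key_path: str, timeout: float = 30.0) -> CosignResult:
    """One real `cosign verify --key <key> <image>` invocation."""
    try:
        proc = subprocess.run(
            ["cosign", "verify", "--key", key_path, image],
            capture_output=True, text=True, timeout=timeout,
        )
    except subprocess.TimeoutExpired:
        # A client-side timeout is treated like any other transient error.
        return CosignResult(-1, "", "i/o timeout (client-side, constructed message)")
    return CosignResult(proc.returncode, proc.stdout, proc.stderr)


def classify(result: CosignResult) -> str:
    """Map one run to 'verified', 'denied' or 'transient'; unknown errors fail closed."""
    if result.returncode == 0:
        return "verified"
    text = f"{result.stdout}\n{result.stderr}"
    if DEFINITIVE_RE.search(text):
        return "denied"
    if TRANSIENT_RE.search(text):
        return "transient"
    return "denied"


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 8.0) -> float:
    """Exponential backoff base * 2^(attempt-1), capped; no jitter for determinism."""
    return min(cap, base * (2 ** (attempt - 1)))


def verify_with_retry(
    image: str,
    key_path: str,
    attempts: int = 3,
    runner: Callable[[str, str], CosignResult] = run_cosign,
    sleep: Callable[[float], None] = time.sleep,
) -> Outcome:
    """Retry only transient failures; after the last attempt still deny."""
    reason = "transient"
    for attempt in range(1, attempts + 1):
        reason = classify(runner(image, key_path))
        if reason != "transient":
            return Outcome(reason == "verified", reason, attempt)
        if attempt < attempts:
            sleep(backoff_delay(attempt))
    return Outcome(False, reason, attempts)


def make_flaky_runner(failures: List[str]) -> Callable[[str, str], CosignResult]:
    """Constructed runner: fail once per entry in `failures`, then succeed."""
    queue = list(failures)

    def runner(image: str, key_path: str) -> CosignResult:
        if queue:
            return CosignResult(1, "", queue.pop(0))
        return CosignResult(0, "Verified OK (constructed)", "")

    return runner


if __name__ == "__main__":
    eof = ('Error: Get "https://auth.docker.io/token?scope=repository%3Amyorg'
           '%2Fbank-vaults%3Apull&service=registry.docker.io": EOF')
    demo = make_flaky_runner([eof, eof])
    print(verify_with_retry("docker.io/myorg/bank-vaults:1.15.2", "cosign.pub",
                            runner=demo, sleep=lambda _s: None))
```

Running the block as a script replays the quoted Docker Hub failure twice and then succeeds on the third attempt. In a real admission controller the `attempts` and backoff base would be operator configuration, as the request suggests, and the total retry budget must stay inside the webhook's timeout or the API server will reject the request anyway.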

xopham commented 2 years ago

@funkypenguin I think such a feature could be added. It appears a bit strange to counteract unavailability of an external resource, but still does not strike me as unreasonable.

funkypenguin commented 2 years ago

Thank you :) I'm only seeking a retry if the external resource fails on the first attempt, which (sadly) seems not uncommon with Docker Hub...