Details
- Story
- Resolution: Unresolved
- Normal
- OCPSTRAT-1323 - Sigstore image verification for namespace
- 8
- OCPNODE Sprint 253 (Blue)
Description
Make sure image validation takes place right after pulling the image using imageService.
- Have imageService.PullImage always return a digested reference to the result of the pull. Sascha’s PR has code for this.
- Add an imageService method to verify a signature on a (userSpecifiedImageName, StorageImageID) pair. This exists in Sascha’s PR, but that PR does rather more than necessary; in particular, the duplicate StorageImageID lookups must be dropped.
- Hook that new method into pullImageCandidate on paths where we have a local image with a StorageImageID. Obtain a Kubelet-usable “imageRef”.
- Make sure the current fallback way to obtain imageRef at the end of Server.pullImage is eliminated; imageRef should come from something that enforces signatures.
This will help us validate an image right after pulling it for namespaced policies - https://redhat-internal.slack.com/archives/CK1AE4ZCK/p1712763142542329
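The flow the four steps above describe, as an added Go example that is not CRI-O's code: the pull always yields a digested reference, the verify step checks (userSpecifiedImageName, StorageImageID) against a per-namespace policy, and the imageRef is only ever produced by that verify step, with no fallback. All type and function names (StorageImageID, DigestedRef, Verifier, PullImage, VerifySignature, PullImageCandidate) and the one-ed25519-key-per-namespace policy are assumptions standing in for the real sigstore policy and signature lookup.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Hypothetical types; the names are assumptions, not CRI-O's imageService API.
type StorageImageID string

// DigestedRef is what PullImage returns: the user-specified name pinned to the
// content digest, plus the ID the pulled image was stored under.
type DigestedRef struct {
	Name, Digest string
	ID           StorageImageID
}

// Verifier holds the per-namespace trust policy (constructed: one ed25519 key
// per namespace) and the detached signatures fetched alongside each pull.
type Verifier struct {
	Policy map[string]ed25519.PublicKey
	Sigs   map[StorageImageID][]byte // signature over the digest string
}

// PullImage simulates a pull and always returns a digested reference.
func PullImage(name string, content []byte) DigestedRef {
	sum := sha256.Sum256(content)
	d := hex.EncodeToString(sum[:])
	return DigestedRef{Name: name, Digest: "sha256:" + d, ID: StorageImageID(d[:12])}
}

// VerifySignature checks (userSpecifiedImageName, StorageImageID) against the
// namespace policy and yields a kubelet-usable imageRef only on success.
func (v *Verifier) VerifySignature(ns string, ref DigestedRef) (string, error) {
	key, ok := v.Policy[ns]
	if !ok {
		return "", errors.New("no signature policy for namespace " + ns)
	}
	sig, ok := v.Sigs[ref.ID]
	if !ok || !ed25519.Verify(key, []byte(ref.Digest), sig) {
		return "", errors.New("signature verification failed for " + ref.Name)
	}
	return ref.Name + "@" + ref.Digest, nil
}

// PullImageCandidate is the only path that produces an imageRef: pull, then
// verify. No fallback derives an imageRef without a verified signature.
func PullImageCandidate(v *Verifier, ns, name string, content []byte) (string, error) {
	return v.VerifySignature(ns, PullImage(name, content))
}
```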