Details
- Story
- Resolution: Unresolved
OCPSTRAT-1323 - Sigstore image verification for namespace
Description
Container images need to be validated before a container is started.
- Add signature verification to runtimeService.CreatePodSandbox on the code path where the image already exists locally (to deal with a malicious user causing that image to be pulled under an unexpected policy, so that its presence in local storage says nothing about the policy of the namespace now requesting it).
- Hook that same new verification method into the container create path. One attractive option is to do it immediately after HeuristicallyTryResolvingStringAsIDPrefix/CandidatesForPotentiallyShortImageName obtain a StorageImageID in Server.createSandboxContainer, but Server.CreateContainer has a separate code path for “checkpoint images” first, and quite possibly we should check the signature before that. This is the only known part which requires research and/or restructuring.
Discussion around this topic: https://redhat-internal.slack.com/archives/CK1AE4ZCK/p1712763142542329
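As an added illustration of the policy confusion this story describes (not CRI-O's code; an Ed25519 signature over a manifest digest stands in for real sigstore verification, and the store, image and function names are assumptions that only echo the ones above), the following Go model shows why the "image already exists locally" path must re-run the requesting namespace's policy rather than trust whatever policy the earlier pull used.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
)

// Simplified model, not CRI-O's code: a "signature" is an Ed25519 signature over
// the manifest digest, and a namespace policy trusts exactly one signing key.
type image struct{ digest, signature []byte }
type store struct {
	images map[string]image             // keyed by StorageImageID: "already local"
	policy map[string]ed25519.PublicKey // namespace -> trusted signing key
}
var errNotAllowed = errors.New("image not allowed by namespace policy")

// signImage builds a constructed image whose manifest is signed by priv.
func signImage(priv ed25519.PrivateKey, manifest []byte) image {
	d := sha256.Sum256(manifest)
	return image{digest: d[:], signature: ed25519.Sign(priv, d[:])}
}

// isRunningImageAllowed is the single check every code path must call. It is
// keyed by the requesting namespace, not by whether the image is in storage.
func (s *store) isRunningImageAllowed(ns, id string) error {
	img, ok := s.images[id]
	if !ok {
		return errors.New("image not in storage")
	}
	key, ok := s.policy[ns]
	if !ok || !ed25519.Verify(key, img.digest, img.signature) {
		return errNotAllowed // default deny: no policy, or not signed by the trusted key
	}
	return nil
}

// createPodSandboxUnsafe models the current path: an image that is already
// local is used without re-checking the requesting namespace's policy.
func (s *store) createPodSandboxUnsafe(ns, id string) error {
	if _, ok := s.images[id]; !ok {
		return errors.New("image not in storage")
	}
	return nil // trusts whatever policy the earlier pull happened to use
}

// createPodSandbox is the fixed path: verify against ns even if already local.
func (s *store) createPodSandbox(ns, id string) error {
	return s.isRunningImageAllowed(ns, id)
}
```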