Caching for same image verification vs automatic child approval #636
-
Is there any caching involved when specs refer to the same image which has been validated ? Second question is regarding secrets, to use connaisseur in our cluster for infra as well as tenant namespaces, we should have ability of tenant images being able to be verified by their own keys vs infra images verified by a different key. This is possible using policy patterns and validators to indicate different keys for different image prefix/pattern. If images were from different registries , can we specify auth for each validator ? https://sse-secure-systems.github.io/connaisseur/v2.1.2/validators/sigstore_cosign/#authentication - "It is possible to provide one Kubernetes secret with a config.json for authentication to multiple private registries and referencing this in multiple validators." ---
policy:
-
pattern: "quay.io/team/component*:*"
validator: infra-imagevalidator
with:
key: key1
-
pattern: "tenant.registry/team/component*:*"
validator: tenant-imagevalidator
with:
key: key1
validators:
-
auth:
secret_name: quay-secret
name: infra-imagevalidator
trust_roots:
-
key: |
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
name: key1
type: cosign
-
auth:
secret_name: tenant-registry-secret
name: tenant-imagevalidator
trust_roots:
-
key: |
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
name: key1
type: cosign
|
Beta Was this translation helpful? Give feedback.
Replies: 2 comments 5 replies
-
Regarding the first question. No, currently we have no caching mechanism in place that will remember previously validated images, but its definitely something we want to tackle going forward. Specifically by reworking the automatic child approval. Speaking of automatic child approval, the point of this feature is as follows. When you submit a deployment to the kube api, Connaisseur will validate the included image, which lets say is For the second question. Yes totally, you can do that. That's specifically how the system was designed. All validator are independent of each other and you can mix-mash different image patterns with different validators, however you feel like. Feel free to ask any followup questions, should something still be unclear or not work. |
Beta Was this translation helpful? Give feedback.
-
@phbelitz , @xopham - One more question regarding this just to confirm. Does validation happen for existing images? Seems to be the case per my testing, as I', trying to get some stats on any performance implications on large zones on introducing connaissuer admission controller in our flow. Do we have any benchmarking numbers that you can point me to - I do not see them on the connaiseur docs. |
Beta Was this translation helpful? Give feedback.
Regarding the first question. No, currently we have no caching mechanism in place that will remember previously validated images, but its definitely something we want to tackle going forward. Specifically by reworking the automatic child approval.
Speaking of automatic child approval, the point of this feature is as follows. When you submit a deployment to the kube api, Connaisseur will validate the included image, which lets say is
image:tag
. This will get mutated toimage:digest
and then applied to the cluster. The creation of the deployment will spawn pods, which already include the mutatedimage:digest
references. The images first of all already got validated (during validation of the…