-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Container Image Policy #59
Comments
cc @kubernetes/sig-auth |
@soltysh you were interested in this issue too. |
@erictune thx |
Status update: design proposal is merged: kubernetes/kubernetes#27129 |
Also, @ecordell intends to work on the code for this feature now that the code has been merged. @Q-Lee @erictune @alex-mohr |
Updated the PRs for the current implementation kubernetes/kubernetes#30631 and API changes kubernetes/kubernetes#30241. Looks likely to land for v1.4. @Q-Lee and @ecordell how are y'all feeling? |
@philips API is in! I'm hopeful the implementation will go through today |
kubernetes/kubernetes#30631 is merged |
@philips Are the docs ready? Please update the docs in https://github.com/kubernetes/kubernetes.github.io, and then add PR numbers and check the docs box in the issue description |
Ping. Any update on docs? |
@Q-Lee I'll work on them and have a PR soon |
Docs PR: kubernetes/website#1188 |
For making image policy decisions, it's important that the backend be able to resolve tags to digests so that downstream services see a consistent view of approved images. I've started sketching the changes here (no tests or codegen): kubernetes/kubernetes@master...ecordell:imagereviewwebhook-digest There is some overlap between this and kubernetes/community#132, but mutation is not in the scope of that proposal (simply planned for later). |
Issues go stale after 90d of inactivity. Prevent issues from auto-closing with an If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or |
I recommend further features requests for image policy first be attempted using validating webhooks. |
update non-x86 samples EP to discuss CI
Hey folks, what is the future plan for this feature? I see that it may fit into a native sigstore container image validation support for Kubernetes. |
Description
Organizations wish to avoid running "unapproved" images.
The exact nature of "approval" is beyond the scope of Kubernetes, but may include reasons like:
Progress Tracker
FEATURE_STATUS: Proposal review
The text was updated successfully, but these errors were encountered: