Story
Resolution: Unresolved
Critical
None
None
Add support for signed images when creating the pod VM image.
Resources
Update (Oct 29): This task will probably require the following changes:
- Signing a container image with Cosign (new procedure module).
- Adding the public key to Trustee (update the Trustee secret or not?).
- Adding the key to the peer pods config map (update the "Updating peer pods config map" module?).
- Creating an attestation policy (update "Attestation policies").
- Adding the attestation policy to Trustee (update the Trustee config map; it might be a good idea to move the Trustee config map module so that it appears after the attestation policies).
Background
from parent epic:
- Document how to sign a container image. I think https://docs.sigstore.dev/cosign/signing/signing_with_containers/ has the best information (Jens to find out whether the key is stored in Azure vault or elsewhere).
- Document how to set the public key used in the signing to Trustee (e.g. to `kbs:///default/cosign-public-key/osc`).
- Document how to write the policy.json for the customer's use case and how to set it as a resource to `default/security-policy/osc` (or wherever) on Trustee.
- OSC 1.8.0 changes
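The three steps listed above (sign with Cosign, publish the public key to Trustee, publish a policy.json that references that key) as one worked script. This is an added example, not from the ticket or from the OSC, Trustee or Cosign projects; the image reference, Trustee URL and kbs-client admin key path are placeholders, and the registry scope and KBS resource paths follow the `default/cosign-public-key/osc` and `default/security-policy/osc` names proposed above.

```shell
#!/usr/bin/env bash
# Added example: sign an image with Cosign, publish the verification key and an
# image security policy to Trustee (KBS). Placeholders below are assumptions.
set -euo pipefail

IMAGE="${IMAGE:-quay.io/example/app:1.0}"                       # assumed image ref
TRUSTEE_URL="${TRUSTEE_URL:-http://trustee.example.com:8080}"   # assumed KBS URL
KBS_AUTH_KEY="${KBS_AUTH_KEY:-./kbs-admin.key}"                 # assumed kbs-client admin key

# Step 1: generate a Cosign key pair (cosign.key / cosign.pub in $PWD) and sign.
# cosign prompts for a key password unless COSIGN_PASSWORD is set.
sign_image() {
  cosign generate-key-pair
  cosign sign --key cosign.key "$IMAGE"
}

# Step 2: write a containers policy.json that rejects every image except those
# under $scope that carry a sigstore signature verifiable with the key Trustee
# serves at $keypath (a kbs:/// URI resolved by the guest at pull time).
# Pinning the policy default to "reject" is what makes unsigned pulls fail.
write_policy() {
  local out="$1" scope="$2" keypath="${3:-kbs:///default/cosign-public-key/osc}"
  cat >"$out" <<EOF
{
  "default": [{"type": "reject"}],
  "transports": {
    "docker": {
      "$scope": [
        {"type": "sigstoreSigned", "keyPath": "$keypath"}
      ]
    }
  }
}
EOF
}

# Step 3: store the public key and the policy as KBS resources. The resource
# paths must match the keyPath above and the path the guest fetches the policy from.
publish_to_trustee() {
  local policy="$1"
  kbs-client --url "$TRUSTEE_URL" config --auth-private-key "$KBS_AUTH_KEY" \
    set-resource --path default/cosign-public-key/osc --resource-file cosign.pub
  kbs-client --url "$TRUSTEE_URL" config --auth-private-key "$KBS_AUTH_KEY" \
    set-resource --path default/security-policy/osc --resource-file "$policy"
}

# Only run the network-dependent steps when the tools are actually installed.
if command -v cosign >/dev/null 2>&1 && command -v kbs-client >/dev/null 2>&1; then
  sign_image
  write_policy policy.json "${IMAGE%%/*}/${IMAGE#*/}"   # scope = registry + namespace path
  publish_to_trustee policy.json
fi
```

The scope key in the policy is a registry/namespace prefix; anything not matched by a scope falls through to `"default"` and is rejected, so a customer who wants to allow unsigned base images from a second registry has to add that registry as its own scope with an `insecureAcceptAnything` entry rather than loosen the default.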