Epic Goal
- This epic focuses on allowing workloads to be deployed using signed container images with
Why is this important?
- It will allow customers on ARO to try the workflow of signing container images, then running them and having the signatures verified before the pod starts
Scenarios
- Example: Cluster administrator is able to configure peer-pods functionality using the OSC operator
Acceptance Criteria
(The Epic is complete when...)
- Downstream configuration changes are in the pod VM image.
New dev work in the OSC confidential containers podvm image. Set two hardcoded values in the kata agent's agent-config.toml:
enable_signature_verification=true - this enables signature verification
image_policy_file=<uri> - this points to the URI of the policy file. I'd suggest picking a value like `kbs:///default/security-policy/osc` or similar, so that the policy is served by Trustee (and can be changed) rather than baked into the image.
- Creating a pod from an unsigned image, with an insecureAcceptAnything policy, works.
Use a standard container image for testing, e.g. quay.io/prometheus/busybox:latest.
Set a permissive policy in Trustee with resource path `default/security-policy/osc`:
```
{ "default": [ { "type": "insecureAcceptAnything" } ] }
```
Create the pod and it should start fine.
- Creating a pod from a signed image, on a 'restricted registry' (one whose scope in the policy requires a sigstore signature), is successful.
Push a signed image to a test registry.
Upload the public key to Trustee with resource path `default/cosign-public-key/test`.
Create a policy and upload it to `default/security-policy/osc`. Registry scopes go under `transports.docker`, and a `default` entry is required; with `reject` as the default, any image outside the test registry is refused as well:
```
{ "default": [ { "type": "reject" } ],
  "transports": { "docker": { "<test registry>": [ { "type": "sigstoreSigned", "keyPath": "kbs:///default/cosign-public-key/test" } ] } } }
```
Create a pod from the image and check it works.
- Creating a pod from an unsigned image, on a 'restricted registry', is rejected.
Push an unsigned image to a test registry.
Upload a public key to Trustee with resource path `default/cosign-public-key/test` (reusing the one from the previous test is fine: the image carries no signature, so the rejection does not depend on which key is there).
Use the same policy at `default/security-policy/osc`:
```
{ "default": [ { "type": "reject" } ],
  "transports": { "docker": { "<test registry>": [ { "type": "sigstoreSigned", "keyPath": "kbs:///default/cosign-public-key/test" } ] } } }
```
Create a pod from the image and check it fails (the image pull should be refused, so the pod never reaches Running).
- Creating a pod from a signed image, on a 'restricted registry', but with the wrong key, is rejected.
Push a signed image to a test registry.
Upload a different public key (one that did not sign the image) to Trustee with resource path `default/cosign-public-key/test`, replacing the key from the previous tests.
Use the same policy at `default/security-policy/osc`:
```
{ "default": [ { "type": "reject" } ],
  "transports": { "docker": { "<test registry>": [ { "type": "sigstoreSigned", "keyPath": "kbs:///default/cosign-public-key/test" } ] } } }
```
Create a pod from the image and check it fails (the signature exists but does not verify against the key Trustee now serves at that path).
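As an added example (not part of this ticket, and not image-rs or kata-agent code), the following Python model reproduces the accept/reject decision each of the acceptance tests above expects. It approximates the containers/image policy.json semantics the agent applies (the most specific `transports.docker` scope wins, otherwise `default`), stands in for Trustee with a dict keyed by KBS resource path, and replaces real cosign verification with a comparison of key identifiers. The registry host `registry.example.test` and the key names `cosign-key-A`/`cosign-key-B` are constructed placeholders for the ticket's `<test registry>` and keys. It also adds a fifth case the ticket does not list, showing why the `default: reject` entry matters.

```python
"""Offline model of the image-policy decisions behind the four acceptance tests.

Added example, not image-rs or kata-agent code. Trustee is replaced by a dict
keyed by KBS resource path; signature verification is modelled as comparing
the identifier of the key that signed the image with the identifier stored at
the policy's keyPath. Hosts and key identifiers are constructed placeholders.
"""
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IMAGE_POLICY_FILE = "kbs:///default/security-policy/osc"  # value suggested for agent-config.toml
KEY_PATH = "kbs:///default/cosign-public-key/test"        # resource path used by the tests
TEST_REGISTRY = "registry.example.test"                   # stand-in for "<test registry>" (assumption)


@dataclass(frozen=True)
class Image:
    ref: str                    # docker reference, e.g. registry.example.test/app/signed:1.0
    signed_with: Optional[str]  # identifier of the cosign key that signed it; None if unsigned


def kbs_get(kbs: Dict[str, str], uri: str) -> str:
    """Resolve a kbs:///<repo>/<type>/<tag> URI against the stand-in resource store."""
    if not uri.startswith("kbs:///"):
        raise ValueError(f"not a KBS resource URI: {uri}")
    return kbs[uri[len("kbs:///"):]]


def permissive_policy() -> dict:
    # Accepts everything; only proves the plumbing (agent config + KBS fetch) works.
    return {"default": [{"type": "insecureAcceptAnything"}]}


def restricted_policy(registry: str, key_path: str) -> dict:
    # Images under `registry` need a cosign signature that verifies with the public
    # key Trustee serves at `key_path`; `default: reject` covers every other scope.
    return {
        "default": [{"type": "reject"}],
        "transports": {"docker": {registry: [{"type": "sigstoreSigned", "keyPath": key_path}]}},
    }


def scope_candidates(ref: str) -> List[str]:
    """Scopes to look up, most specific first: full reference, repository,
    each parent namespace, then the registry host (with port, if any)."""
    name = ref.split("@", 1)[0]               # drop a digest
    parts = name.split("/")
    parts[-1] = parts[-1].split(":", 1)[0]    # the tag lives in the last component; host:port survives
    return [ref] + ["/".join(parts[:i]) for i in range(len(parts), 0, -1)]


def decide(kbs: Dict[str, str], image: Image) -> Tuple[bool, str]:
    """Return (accepted, reason) for pulling `image` under the policy at IMAGE_POLICY_FILE."""
    policy = json.loads(kbs_get(kbs, IMAGE_POLICY_FILE))
    docker = policy.get("transports", {}).get("docker", {})
    scope, reqs = "default", policy["default"]  # a policy without "default" is invalid
    for cand in scope_candidates(image.ref):
        if cand in docker:
            scope, reqs = cand, docker[cand]
            break
    for req in reqs:                            # every requirement in the matched scope must hold
        kind = req["type"]
        if kind == "insecureAcceptAnything":
            continue
        if kind == "reject":
            return False, f"{scope}: rejected by policy"
        if kind == "sigstoreSigned":
            if image.signed_with is None:
                return False, f"{scope}: unsigned image, signature required"
            if image.signed_with != kbs_get(kbs, req["keyPath"]):
                return False, f"{scope}: signature does not verify with key at {req['keyPath']}"
            continue
        raise ValueError(f"unsupported requirement type {kind!r}")
    return True, f"{scope}: accepted"


def acceptance_cases() -> Dict[str, Tuple[bool, bool]]:
    """The ticket's test matrix plus one extra case; returns {name: (expected, actual)}."""
    signed = Image(f"{TEST_REGISTRY}/app/signed:1.0", signed_with="cosign-key-A")
    unsigned = Image(f"{TEST_REGISTRY}/app/unsigned:1.0", signed_with=None)
    busybox = Image("quay.io/prometheus/busybox:latest", signed_with=None)
    restricted = json.dumps(restricted_policy(TEST_REGISTRY, KEY_PATH))
    policy_path, key_path = IMAGE_POLICY_FILE[len("kbs:///"):], KEY_PATH[len("kbs:///"):]
    matrix = {
        "unsigned image, insecureAcceptAnything": ({policy_path: json.dumps(permissive_policy())}, busybox, True),
        "signed image, restricted registry, right key": ({policy_path: restricted, key_path: "cosign-key-A"}, signed, True),
        "unsigned image, restricted registry": ({policy_path: restricted, key_path: "cosign-key-A"}, unsigned, False),
        "signed image, restricted registry, wrong key": ({policy_path: restricted, key_path: "cosign-key-B"}, signed, False),
        # Extra case: an image outside the test registry falls through to `default: reject`.
        "unsigned image from another registry, restricted policy": ({policy_path: restricted, key_path: "cosign-key-A"}, busybox, False),
    }
    return {name: (expected, decide(kbs, img)[0]) for name, (kbs, img, expected) in matrix.items()}


if __name__ == "__main__":
    for name, (expected, actual) in acceptance_cases().items():
        print(f"{'PASS' if expected == actual else 'FAIL'}: {name}")
```

In the real flow the check runs inside the pod VM: the kata agent's image-rs fetches the policy and the public key from Trustee through the `kbs://` URIs after attestation, then verifies the cosign signature itself. The model keeps the scope-matching and the policy structure but not the cryptography, which is enough to reason about why a `default` of `insecureAcceptAnything` next to a restricted registry scope would quietly let unsigned images from any other registry through.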
Additional context:
- Document how to sign a container image. I think https://docs.sigstore.dev/cosign/signing/signing_with_containers/ has the best information
- Document how to upload the public key used for signing to Trustee (e.g. as `kbs:///default/cosign-public-key/osc`)
- Document how to write the policy.json for the customer's use case and how to set it as a Trustee resource at `default/security-policy/osc` (or wherever)