Uploaded image for project: 'OpenShift Node'
  1. OpenShift Node
  2. OCPNODE-2231

Validate OpenShift release images using sigstore

XMLWordPrintable

    • Icon: Epic Epic
    • Resolution: Done
    • Icon: Normal Normal
    • None
    • None
    • None
    • Validate OpenShift release images using sigstore
    • BU Product Work
    • False
    • None
    • False
    • Not Selected
    • To Do
    • OCPSTRAT-1245 - [Tech Preview]Add sigstore signatures to core OCP payload and enable verification- phase 1
    • OCPSTRAT-1245[Tech Preview]Add sigstore signatures to core OCP payload and enable verification- phase 1
    • 0% To Do, 0% In Progress, 100% Done
    • L

      OCP/Telco Definition of Done
      Epic Template descriptions and documentation.

      <--- Cut-n-Paste the entire contents of this description into your new Epic --->

      Epic Goal

      The goal of this EPIC is to either ship a cluster wide policy (not enabled by default) to verify OpenShift release/payload images or document how end users can create their own policy to verify them.

      Why is this important?

      We shipped cluster wide policy support in OCPNODE-1628 which should be used for internal components as well.

      Scenarios

      1. Validate the sigstore signatures of OpenShift internal images to security harden the cluster deployment.

      Acceptance Criteria

      • CI - MUST be running successfully with tests automated
      • Release Technical Enablement - Provide necessary release enablement details and documents.

      Dependencies (internal and external)

      Open Questions

      • How can we ensure no race condition between the CVO policy and CRI-O doing the verification?
      • Do we need to ensure to have old and new policies in place during an upgrade?

      Done Checklist

      • CI - CI is running, tests are automated and merged.
      • Release Enablement <link to Feature Enablement Presentation>
      • DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
      • DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
      • DEV - Downstream build attached to advisory: <link to errata>
      • QE - Test plans in Polarion: <link or reference to Polarion>
      • QE - Automated tests merged: <link or reference to automated tests>
      • DOC - Downstream documentation merged: <link to meaningful PR>

              sgrunert@redhat.com Sascha Grunert
              nagrawal@redhat.com Neelesh Agrawal
              Min Li Min Li
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: