XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- blue

Epic Name:
Validate OpenShift release images using sigstore
Work Type:
Strategic Product Work
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Epic Status:
To Do
Feature Link:
OCPSTRAT-1245 - [Tech Preview]Add sigstore signatures to core OCP payload and enable verification- phase 1
Parent Link:
OCPSTRAT-1245[Tech Preview]Add sigstore signatures to core OCP payload and enable verification- phase 1
Hierarchy Progress Bar:

0% To Do, 0% In Progress, 100% Done
Size:
L
Target Version:

openshift-4.17

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Intelligence Requested:
Market:

OCP/Telco Definition of Done
Epic Template descriptions and documentation.

<--- Cut-n-Paste the entire contents of this description into your new Epic --->

Epic Goal

The goal of this EPIC is to either ship a cluster wide policy (not enabled by default) to verify OpenShift release/payload images or document how end users can create their own policy to verify them.

Why is this important?

We shipped cluster wide policy support in OCPNODE-1628 which should be used for internal components as well.

Scenarios

Validate the sigstore signatures of OpenShift internal images to security harden the cluster deployment.

Acceptance Criteria

CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.

Dependencies (internal and external)

The payload components as well as the release images for OpenShift 4.16 have to be sigstore signed
There is a limitation in the MCO that ClusterImagePolicy can not set policy.json for the OCP product repo when using wildcards: https://github.com/openshift/machine-config-operator/blob/4b809a4214f/pkg/controller/container-runtime-config/container_runtime_config_controller.go#L1053-L1057
Per: https://github.com/openshift/enhancements/pull/1402#discussion_r1223543692
Workaround: the image scopes have to be fully referenced by digest or tag

Open Questions

How can we ensure no race condition between the CVO policy and CRI-O doing the verification?
Do we need to ensure to have old and new policies in place during an upgrade?

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

is related to

RFE-5694 Expose "is this live?" in ClusterImagePolicy status and other MachineConfig feeders

Backlog

relates to

OTA-1170 [TechPreview] Support verifying release images with Sigstore signatures

Release Pending

OTA-1267 Cincinnati compatibility with Cosign / Sigstore signatures

Closed

links to

OTA-1294: enhancements/security/openshift-image-policy: Propose new enhancement

Assignee:: Sascha Grunert

Reporter:: Neelesh Agrawal

QA Contact:: Min Li

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/04/04 4:12 PM

Updated:: 2024/09/04 7:28 PM

Details

Description

Epic Goal

Why is this important?

Scenarios

Acceptance Criteria

Dependencies (internal and external)

Open Questions

Done Checklist

Attachments

Issue Links

Activity

People

Dates