-
Epic
-
Resolution: Done
-
Normal
-
None
-
None
-
None
-
Validate OpenShift release images using sigstore
-
BU Product Work
-
False
-
None
-
False
-
Not Selected
-
To Do
-
OCPSTRAT-1245 - [Tech Preview]Add sigstore signatures to core OCP payload and enable verification- phase 1
-
OCPSTRAT-1245[Tech Preview]Add sigstore signatures to core OCP payload and enable verification- phase 1
-
0% To Do, 0% In Progress, 100% Done
-
L
OCP/Telco Definition of Done
Epic Template descriptions and documentation.
<--- Cut-n-Paste the entire contents of this description into your new Epic --->
Epic Goal
The goal of this EPIC is to either ship a cluster wide policy (not enabled by default) to verify OpenShift release/payload images or document how end users can create their own policy to verify them.
Why is this important?
We shipped cluster wide policy support in OCPNODE-1628 which should be used for internal components as well.
Scenarios
- Validate the sigstore signatures of OpenShift internal images to security harden the cluster deployment.
Acceptance Criteria
- CI - MUST be running successfully with tests automated
- Release Technical Enablement - Provide necessary release enablement details and documents.
Dependencies (internal and external)
- The payload components as well as the release images for OpenShift 4.16 have to be sigstore signed
- There is a limitation in the MCO that ClusterImagePolicy can not set policy.json for the OCP product repo when using wildcards: https://github.com/openshift/machine-config-operator/blob/4b809a4214f/pkg/controller/container-runtime-config/container_runtime_config_controller.go#L1053-L1057
Per: https://github.com/openshift/enhancements/pull/1402#discussion_r1223543692
Workaround: the image scopes have to be fully referenced by digest or tag
Open Questions
- How can we ensure no race condition between the CVO policy and CRI-O doing the verification?
- Do we need to ensure to have old and new policies in place during an upgrade?
Done Checklist
- CI - CI is running, tests are automated and merged.
- Release Enablement <link to Feature Enablement Presentation>
- DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
- DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
- DEV - Downstream build attached to advisory: <link to errata>
- QE - Test plans in Polarion: <link or reference to Polarion>
- QE - Automated tests merged: <link or reference to automated tests>
- DOC - Downstream documentation merged: <link to meaningful PR>