XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: None
Component/s: None
Labels:
- 4.20-candidate
- blue

Epic Name:
Validate OpenShift release images using sigstore
Work Type:
Strategic Product Work
Blocked:
False
Blocked Reason:
None
Ready:
False
Color Status:
Not Selected
Epic Status:
To Do
Feature Link:
OCPSTRAT-1930 - [GA] Add sigstore signatures to core OCP payload and enable verification- phase 2
Parent Link:
OCPSTRAT-1930[GA] Add sigstore signatures to core OCP payload and enable verification- phase 2
Hierarchy Progress Bar:

100% To Do, 0% In Progress, 0% Done
Size:
L

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

Intelligence Requested:
Market:

Epic Goal

The goal of this EPIC is to either ship a cluster wide policy enabled by default to verify OpenShift release/payload images or document how end users can create their own policy to verify them. The verification should encompass not just the release payload image but also all the component images.

Why is this important?

We shipped cluster wide policy support in OCPNODE-1628 which should be used for internal components as well.

Scenarios

Validate the sigstore signatures of OpenShift internal images to security harden the cluster deployment.

Acceptance Criteria

CI - MUST be running successfully with tests automated
Release Technical Enablement - Provide necessary release enablement details and documents.

Dependencies (internal and external)

All image signatures of all OCP payload images need to be made available in a disconnected environment by a customer to enable the enhanced scope proposed by this epic, given the amount of signatures we need to have at least OCPSTRAT-1869 land
The payload components as well as the release images for OpenShift 4.16 have to be sigstore signed
There is a limitation in the MCO that ClusterImagePolicy can not set policy.json for the OCP product repo when using wildcards: https://github.com/openshift/machine-config-operator/blob/4b809a4214f/pkg/controller/container-runtime-config/container_runtime_config_controller.go#L1053-L1057
Per: https://github.com/openshift/enhancements/pull/1402#discussion_r1223543692
Workaround: the image scopes have to be fully referenced by digest or tag

Open Questions

How can we ensure no race condition between the CVO policy and CRI-O doing the verification?
Do we need to ensure to have old and new policies in place during an upgrade?

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Downstream documentation merged: <link to meaningful PR>

is blocked by

OCPSTRAT-1417 oc-mirror automatically detects and mirror SigStore-style attachments

OCPSTRAT-1869 [Phase 1: Cosign tag-based discovery] oc-mirror v2: Discover and mirror SigStore-style attachments

Refinement

Assignee:: Unassigned

Reporter:: Daniel Messer

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2025/02/13 3:46 PM

Updated:: 2025/03/07 6:53 PM

Details

Description

Epic Goal

Why is this important?

Scenarios

Acceptance Criteria

Dependencies (internal and external)

Open Questions

Done Checklist

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates