Uploaded image for project: 'OpenShift Container Platform (OCP) Strategy'
  1. OpenShift Container Platform (OCP) Strategy
  2. OCPSTRAT-1585

[Tech Preview]Add sigstore signatures to core OCP payload and enable verification - phase 2

XMLWordPrintable

    • BU Product Work
    • False
    • Hide

      None

      Show
      None
    • False
    • 100% To Do, 0% In Progress, 0% Done
    • 0
    • Program Call

      Feature Overview (aka. Goal Summary)  

      Note: There is no work pending from OTA team. The Jira tracks the work pending from other teams.

      Add sigstore signatures to core OCP payload and enable verification. Verification is now done via CRIO.
      There is no CVO work in this feature and this is a Tech Preview change.
      OpenShift Release Engineering can leverage a mature signing and signature verification stack instead of relying on simple signing

      enhancement - https://github.com/openshift/enhancements/blob/49e25242f5105259d539a6c586c6b49096e5f201/enhancements/api-review/add-ClusterImagePolicy-and-ImagePolicy-for-Signature-Verification.md

      Goals (aka. expected user outcomes)

      Customers can leverage OpenShift to create trust relationships for running OCP core container images
      Specifically, customers can trust signed images from a Red Hat registry and OCP can verify those signatures

       

      Requirements (aka. Acceptance Criteria):

      A list of specific needs or objectives that a feature must deliver in order to be considered complete.  Be sure to include nonfunctional requirements such as security, reliability, performance, maintainability, scalability, usability, etc.  Initial completion during Refinement status.

      <enter general Feature acceptance here>
      – Kubelet/CRIO to verify RH images & release payload sigstore signatures
      – ART will add sigstore signatures to core OCP images

      Anyone reviewing this Feature needs to know which deployment configurations that the Feature will apply to (or not) once it's been completed.  Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out-of-scope for a given release, ensure you provide the OCPSTRAT (for the future to be supported configuration) as well.

      These acceptance criteria are for all deployment flavors of OpenShift.

      Deployment considerations List applicable specific needs (N/A = not applicable)
      Self-managed, managed, or both both
      Classic (standalone cluster) yes
      Hosted control planes yes
      Multi node, Compact (three node), or Single node (SNO), or all  
      Connected / Restricted Network  
      Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x)  
      Operator compatibility  
      Backport needed (list applicable versions)   Not Applicable
      UI need (e.g. OpenShift Console, dynamic plugin, OCM) none, 
      Other (please specify)  

       

       

      Documentation Considerations

      Add documentation for sigstore verification and gpg verification

      Interoperability Considerations

      For folks mirroring release images (e.g. disconnected/restricted-network):

      • oc-mirror need to support sigstore mirroring (OCPSTRAT-1417).
      • Customers using BYO image registries need to support hosting sigstore signatures.

            rh-ee-smodeel Subin M
            knewcome@redhat.com Kirsten Newcomer
            Beth White, Marcos Entenza Garcia, W. Trevor King
            Yang Yang Yang Yang
            Stephanie Stout Stephanie Stout
            Justin Pierce Justin Pierce
            Subin M Subin M
            Eric Rich Eric Rich
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated: