Project: OpenShift Container Platform (OCP) Strategy
Issue: OCPSTRAT-2761

Only allow signed images to be running in OpenShift system namespaces

Issue type: Product / Portfolio Work
Progress: 100% To Do, 0% In Progress, 0% Done

Feature Overview (aka. Goal Summary)

      Leverage ImagePolicy definitions in all OpenShift core system namespaces to enforce that only pods with Red Hat-signed OpenShift images can be run there.

      Goals (aka. expected user outcomes)

This adds a layer of security beyond requiring that images from official Red Hat product registries carry a valid signature: in the vital core namespaces of OpenShift, only such signed images may be executed at all. This protects against attacks on the core payload index image and against malicious users attempting to launch workloads in OpenShift core namespaces to exfiltrate information.

      Requirements (aka. Acceptance Criteria):

      • a wild-card pattern in the scope property of (Cluster)ImagePolicy that enforces the signature validation for any image
      • ImagePolicy instances in all OpenShift core-namespaces that are scoped to any image having to pass verification against the Red Hat signing key
      • a capability to turn off these policies, e.g. for troubleshooting


Deployment considerations (N/A = not applicable):
Self-managed, managed, or both: both
Classic (standalone cluster): yes
Hosted control planes: yes
Multi node, Compact (three node), or Single node (SNO), or all: all
Connected / Restricted Network: both
Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x): all
Operator compatibility: n/a
Backport needed (list applicable versions): n/a
UI need (e.g. OpenShift Console, dynamic plugin, OCM): n/a
Other (please specify): none

      Customer Considerations

Before the customer updates to a cluster version that enforces these policies, a preflight update check must exist that warns the user about any custom pods in these namespaces that would not be restarted after the cluster update.
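A preflight check of the kind the Customer Considerations section asks for, written here as an added example (not code from this issue or from OpenShift): it walks a constructed pod inventory and reports pods in core namespaces whose images fall outside the scopes the Red Hat signing key would cover. The scope prefix rule follows containers/image policy.json scope matching; the registry list and the core-namespace pattern are assumptions.

```python
"""Preflight check: list pods in OpenShift core namespaces whose images are not
inside the signed-image scopes. Example code, not from OCPSTRAT-2761."""
from dataclasses import dataclass

# ASSUMPTION: scopes that the Red Hat-signed ImagePolicy would cover.
RED_HAT_SCOPES = ("quay.io/openshift-release-dev", "registry.redhat.io")


@dataclass(frozen=True)
class Pod:
    namespace: str
    name: str
    images: tuple


def is_core_namespace(ns: str) -> bool:
    """ASSUMPTION: core namespaces are openshift, openshift-* and kube-*."""
    return ns == "openshift" or ns.startswith(("openshift-", "kube-"))


def image_in_scope(image: str, scope: str) -> bool:
    """Scope matches a registry, a namespace prefix, or an exact repository.
    Matching is on whole path components, so 'quay.io/openshift-release-dev'
    does not match 'quay.io/openshift-release-devx/tool'."""
    ref = image.split("@", 1)[0]            # drop @sha256:... digest
    repo, _, last = ref.rpartition("/")     # tag lives only in the last component
    last = last.split(":", 1)[0]
    ref = f"{repo}/{last}" if repo else last
    return ref == scope or ref.startswith(scope + "/")


def unsigned_core_pods(pods, scopes=RED_HAT_SCOPES):
    """Return (namespace, pod, offending images) for core-namespace pods that
    the policy would block from restarting. Registry scope is used as the
    offline proxy for 'would pass signature verification'."""
    findings = []
    for pod in pods:
        if not is_core_namespace(pod.namespace):
            continue
        bad = tuple(i for i in pod.images
                    if not any(image_in_scope(i, s) for s in scopes))
        if bad:
            findings.append((pod.namespace, pod.name, bad))
    return findings


# Constructed sample inventory; the digest below is a placeholder, not real.
SAMPLE_PODS = (
    Pod("openshift-apiserver", "apiserver-1",
        ("quay.io/openshift-release-dev/ocp-v4.0-art-dev@sha256:" + "0" * 64,)),
    Pod("openshift-monitoring", "debug-tool", ("docker.io/library/busybox:1.36",)),
    Pod("openshift-etcd", "etcd-sidecar", ("quay.io/openshift-release-devx/tool:1",)),
    Pod("my-app", "web-1", ("docker.io/library/nginx:1.25",)),   # not a core namespace
)
```

Running `unsigned_core_pods(SAMPLE_PODS)` flags `debug-tool` and `etcd-sidecar` and ignores the pod in `my-app`; a real check would feed it the cluster's pod list instead of `SAMPLE_PODS`.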

Assignee: Unassigned
Reporter: Daniel Messer