Some system to let people specify policies that images must adhere to before being able to be pushed or pulled, using some policy language like OPA's Rego, CEL, something along those lines.
E.g., to be able to push to `policy.kontain.me/org/app/image` the following policy might be put in place:

- must be based on some approved base image (`alpine:latest`, not `alpine:vulnerable`)
- must not contain a file matching some regex (`/etc/bad.exe`)
- must be signed by cosign (signature policies can also apply)
  - because signatures will probably get pushed after the image, this might mean "delete unsigned images after N seconds"

To be able to pull the image, a policy might be:

- only allow pull by digest
- must have no unresolved/unacked vulnerabilities (in case new vulns were reported after it was pushed)
- rate limiting?

Policies, in whatever language, could be bundled into images themselves, at some standard location (`policy.kontain.me/org:policy`), and apply to pushes/pulls for all images in the hierarchy. Only superusers would be allowed to push to `org:policy`, and define the policy for users who can push to `app:policy` or `app/image:policy`.
Defining policies in a registry means they're content-addressed and portable across registries. It probably makes sense to also track tag history somewhere, so you can audit and rollback.
Accepting pushes requires auth(n,z), which kontain.me hasn't played with yet.
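As an added illustration (not code from kontain.me or the issue author), the push and pull checks listed above can be sketched as a small policy evaluator over constructed image metadata; `ImageInfo`, the policy dicts and the regex are assumptions standing in for whatever a real policy language like Rego or CEL would express, and the grace-period sweep models the "delete unsigned images after N seconds" idea.

```python
import re
from dataclasses import dataclass

# Constructed image metadata; a real registry would derive this from the
# manifest, layer contents, cosign verification and a vulnerability feed.
@dataclass
class ImageInfo:
    ref: str            # reference the client used (tag or @sha256:... digest)
    base_image: str     # base image recorded for the build
    files: list         # paths present in the image filesystem
    signed: bool        # whether a cosign signature has been verified
    pushed_at: int      # push time (unix seconds)
    unacked_vulns: int  # vulnerabilities reported and not yet acknowledged

# Hypothetical policies mirroring the issue's push/pull bullet lists.
PUSH_POLICY = {
    "approved_bases": {"alpine:latest"},
    "forbidden_file_regex": r"^/etc/.*\.exe$",
    "unsigned_grace_seconds": 300,  # signature may arrive after the push
}
PULL_POLICY = {"digest_only": True, "max_unacked_vulns": 0}

def check_push(img, policy=PUSH_POLICY):
    """Return the list of push-policy violations; empty means allowed."""
    violations = []
    if img.base_image not in policy["approved_bases"]:
        violations.append(f"base image {img.base_image} is not approved")
    pattern = re.compile(policy["forbidden_file_regex"])
    violations += [f"forbidden file {f}" for f in img.files if pattern.search(f)]
    return violations

def unsigned_to_delete(images, now, policy=PUSH_POLICY):
    """Images still unsigned once the grace period has elapsed."""
    return [i for i in images
            if not i.signed and now - i.pushed_at > policy["unsigned_grace_seconds"]]

def check_pull(img, policy=PULL_POLICY):
    """Return the list of pull-policy violations; empty means allowed."""
    violations = []
    if policy["digest_only"] and "@sha256:" not in img.ref:
        violations.append("pull must be by digest, not by tag")
    if img.unacked_vulns > policy["max_unacked_vulns"]:
        violations.append(f"{img.unacked_vulns} unacknowledged vulnerabilities")
    return violations
```

The pull check re-evaluates vulnerability state at pull time, which is what lets a policy reject an image that was clean when pushed but has had vulnerabilities reported since.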