Support air-gap / mirror registry with simple signing. #92

Closed
sjhx opened this issue Mar 26, 2020 · 1 comment · Fixed by #232

Comments

sjhx commented Mar 26, 2020

The simple signing signature identity by default verifies that the image reference in the signature matches the reference specified in the Kubernetes resource in full. This means that if the image is physically moved to another location, it is considered to be no longer the same logical image.

We need to allow for physical transport to be separated from the logical identity in order that air-gap and mirror architectures are supported.

sjhx commented Apr 2, 2020

It is possible to support moved images using, for example, the "matchExactRepository" identity requirement, but more or less one policy per image is required.
We could build some image name mangling into Portieris and create the policy dynamically for the container/image verifier to handle; perhaps better would be additional identity options in the "container/image" library.
Ref: containers/image#807 and containers/image#884
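
A simplified model of the identity checks discussed in this issue, added here as an illustration; it is not Portieris or containers/image code. The function names, the prefix-remap option and the sample references are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// repoOf strips a trailing :tag or @digest (simplified; not a full reference parser).
func repoOf(ref string) string {
	if i := strings.Index(ref, "@"); i >= 0 {
		ref = ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		ref = ref[:i]
	}
	return ref
}

// matchFull models the default: the signed reference must equal the pulled reference in full.
func matchFull(pulled, signed string) bool { return pulled == signed }

// matchFixedRepo models a policy that names one repository: the signature must be
// for policyRepo, wherever the image was pulled from. One policy covers one image.
func matchFixedRepo(policyRepo, signed string) bool { return repoOf(signed) == policyRepo }

// matchRemapped models a hypothetical prefix remap: a pull from mirrorPrefix is
// rewritten to signedPrefix and then compared in full. The "/" boundary keeps
// "mirror.internal.example" from also matching "mirror.internal.example.other/...".
func matchRemapped(pulled, signed, mirrorPrefix, signedPrefix string) bool {
	if strings.HasPrefix(pulled, mirrorPrefix+"/") {
		pulled = signedPrefix + strings.TrimPrefix(pulled, mirrorPrefix)
	}
	return pulled == signed
}

func main() {
	// Constructed sample references.
	signed := "registry.example.com/team/app:1.0"
	pulled := "mirror.internal.example/team/app:1.0"
	fmt.Println("full match:", matchFull(pulled, signed))
	fmt.Println("fixed repo:", matchFixedRepo("registry.example.com/team/app", signed))
	fmt.Println("remapped:  ", matchRemapped(pulled, signed, "mirror.internal.example", "registry.example.com"))
}
```

The fixed-repository check accepts the mirrored image but has to be restated for every repository, while the prefix remap keeps the tag comparison and covers every image under the mirror with one rule.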
