The simple signing signature identity by default verifies that the image reference in the signature matches the reference specified in the Kubernetes resource in full. This means that if the image is physically moved to another location, it is considered to be no longer the same logical image.
We need to allow for physical transport to be separated from the logical identity in order that air-gap and mirror architectures are supported.
It is possible to support moved images using, for example, the "matchExactRepository" identity requirement, but more or less one policy per image is required.
We could build some image name mangling into Portieris and create the policy dynamically for the container/image verifier to handle; perhaps better would be additional identity options in the "container/image" library.
Ref: containers/image#807
and containers/image#884
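
The identity checks discussed in this issue, as an added simplified Go model (not code from Portieris or containers/image). The function names, registry hostnames and image names are hypothetical and the sample references are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// splitRef splits a reference into repository and tag/digest suffix (no normalisation).
func splitRef(ref string) (repo, suffix string) {
	if i := strings.Index(ref, "@"); i >= 0 {
		return ref[:i], ref[i:]
	}
	// A ':' before the last '/' is a registry port, not a tag separator.
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		return ref[:i], ref[i:]
	}
	return ref, ""
}

// matchFull models the default in the issue: signature identity == pulled reference.
func matchFull(signedIdentity, pulledRef string) bool {
	return signedIdentity == pulledRef
}

// matchExactRepository models a policy pinned to one repository: where the image
// was pulled from is ignored, and the tag is not compared in this model.
func matchExactRepository(signedIdentity, pinnedRepo string) bool {
	repo, _ := splitRef(signedIdentity)
	return repo == pinnedRepo
}

// policiesForMirror maps each mirrored repository to the original repository
// its policy must pin: one entry per image.
func policiesForMirror(mirrored map[string]string) map[string]string {
	policies := make(map[string]string)
	for pulledRef, signedIdentity := range mirrored {
		pulledRepo, _ := splitRef(pulledRef)
		policies[pulledRepo], _ = splitRef(signedIdentity)
	}
	return policies
}

func main() {
	// Constructed sample: mirrored (pulled) reference -> identity in the signature.
	pulled, signed := "mirror.internal:5000/team/app:1.0", "registry.example.com/team/app:1.0"
	fmt.Println("full match after move:", matchFull(signed, pulled))
	fmt.Println("policies:", policiesForMirror(map[string]string{pulled: signed,
		"mirror.internal:5000/team/db:2.3": "registry.example.com/team/db:2.3"}))
}
```

The policy map grows by one entry for every mirrored repository, which is the per-image overhead the comment above describes.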