Enforce Pipeline Task runs via Policies? #4870
ChrisJBurns
started this conversation in
Ideas
Replies: 1 comment 1 reply
hey @ChrisJBurns - have you looked at OPA or Gatekeeper to enforce policies?
So currently we have Pipeline and PipelineRun, and the power is that you can reuse pipeline definitions - which is good. However, if a developer wanted to remove specific tasks from a pipeline definition, let's say, remove the unit testing task from the pipeline for whatever bad reason they can come up with, this would mean that, depending on the pipeline run, it could end up building an image and then pushing to the OCI registry and then eventually being deployed into the cluster. Now, that would mean the service would be deployed but it was never tested in the pipeline. This is currently possible in Tekton, the developer has the power to change the pipeline definition.

I'm proposing that we possibly look at "policies", where TektonPipelinePolicy are essentially policies that dictate exactly what MUST happen for a pipeline to pass or be valid. This policy can then be controlled by a security team or anyone that wants to own that responsibility - the developers would not then be able to change a pipeline to remove tasks that are mandated by the policy. This adds an extra level of security to the pipelines because there are now a bunch of user specified tasks that MUST be run in a pipeline.

Welcome thoughts.
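As an added example (not code from this thread or from Tekton), here is a minimal Python check of the kind the proposed TektonPipelinePolicy, or an OPA/Gatekeeper admission policy, could apply: it requires named tasks to be present and to gate the image push, and it also covers PipelineRuns that embed a pipelineSpec inline rather than referencing the shared Pipeline. The task names and policy constants are constructed.

```python
# Added example (not Tekton's code): a "required tasks" policy check of the kind a
# TektonPipelinePolicy controller or an OPA/Gatekeeper webhook could apply to
# Pipeline and PipelineRun objects. Task names and policy constants are constructed.
REQUIRED_TASKS = {"unit-test"}   # Tasks (by taskRef.name) every pipeline must run
GATED_TASKS = {"push-image"}     # Tasks that must be ordered after every required task

def pipeline_spec(obj: dict):
    """Spec to check: a Pipeline's spec, or a PipelineRun's inline pipelineSpec.
    Inline specs matter: such a run never touches the shared Pipeline object."""
    if obj.get("kind") == "Pipeline":
        return obj.get("spec", {})
    if obj.get("kind") == "PipelineRun":
        return obj.get("spec", {}).get("pipelineSpec")  # None when pipelineRef is used
    return None

def ancestors(tasks: list, name: str) -> set:
    """Transitive runAfter predecessors of pipeline task `name` (simplification:
    ordering implied by result references or workspace `from` is ignored)."""
    run_after = {t["name"]: list(t.get("runAfter", [])) for t in tasks}
    seen, stack = set(), run_after.get(name, [])[:]
    while stack:
        n = stack.pop()
        if n not in seen:
            seen.add(n)
            stack.extend(run_after.get(n, []))
    return seen

def violations(obj: dict) -> list:
    spec = pipeline_spec(obj)
    if spec is None:           # pipelineRef: the referenced Pipeline is checked itself
        return []
    tasks = spec.get("tasks", [])
    ref_of = {t["name"]: t.get("taskRef", {}).get("name") for t in tasks}
    msgs = [f"required task {r} is missing" for r in sorted(REQUIRED_TASKS - set(ref_of.values()))]
    for pt, ref in ref_of.items():
        if ref in GATED_TASKS:
            before = {ref_of.get(a) for a in ancestors(tasks, pt)}
            msgs += [f"{pt} is not ordered after required task {r}" for r in sorted(REQUIRED_TASKS - before)]
    return msgs

# Constructed samples: a compliant Pipeline, a PipelineRun whose inline spec drops the
# unit-test task, and a Pipeline where unit-test exists but does not gate the push.
def task(name, ref, run_after=()):
    return {"name": name, "taskRef": {"name": ref}, "runAfter": list(run_after)}

GOOD = {"kind": "Pipeline", "spec": {"tasks": [task("build", "kaniko-build"),
        task("test", "unit-test", ["build"]), task("push", "push-image", ["test"])]}}
INLINE_NO_TEST = {"kind": "PipelineRun", "spec": {"pipelineSpec": {"tasks": [
        task("build", "kaniko-build"), task("push", "push-image", ["build"])]}}}
UNGATED = {"kind": "Pipeline", "spec": {"tasks": [task("build", "kaniko-build"),
        task("test", "unit-test"), task("push", "push-image", ["build"])]}}
```

Calling `violations(obj)` on each sample returns an empty list for GOOD and one message per policy breach for the other two.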