feat: enable `require-image-signature` policy as `audit`

added kindenhancement priority6 statusdoing labels

marked this merge request as draft

added 6 commits

9c52b0fd - istio update to 1.19.0-bb.2
b67c27ee - elasticsearchKibana update to 1.4.0-bb.1
50aae707 - kiali update to 1.74.0-bb.2
d681f0a1 - monitoring update to 51.1.0-bb.2
bf941ac7 - gitlab update to 7.4.1-bb.2
89612db7 - rm toggles, hardcode behavior to `Audit`

changed title from Draft: feat: add require-image-signature policy toggle to Draft: feat: enable require-image-signature policy {+as audit+}

Investigating why clean install fails on kyverno-policies with the following error:

Events:
  Type     Reason  Age                From             Message
  ----     ------  ----               ----             -------
  Normal   info    96s                helm-controller  HelmChart 'bigbang/bigbang-kyverno-policies' is not ready
  Normal   info    63s (x2 over 93s)  helm-controller  dependencies do not meet ready condition (dependency 'bigbang/kyverno' is not ready), retrying in 30s
  Normal   info    12s (x5 over 33s)  helm-controller  Helm install has started
  Warning  error   10s (x5 over 31s)  helm-controller  Helm install failed: 1 error occurred:
           * admission webhook "validate-policy.kyverno.svc" denied the request: spec.rules[0].verifyImages[0].mutateDigest: Invalid value: true: mutateDigest must be set to false for ‘Audit’ failure action

Last Helm logs:

creating 32 resource(s)
  Normal   info   9s (x5 over 31s)  helm-controller  Helm uninstall succeeded
  Warning  error  9s (x5 over 31s)  helm-controller  reconciliation failed: Helm install failed: 1 error occurred:
           * admission webhook "validate-policy.kyverno.svc" denied the request: spec.rules[0].verifyImages[0].mutateDigest: Invalid value: true: mutateDigest must be set to false for ‘Audit’ failure action

Fixed in !3286 (f3028187)

added 1 commit

a2862206 - fix failed ci test

Compare with previous version

added 47 commits

a2862206...2ecec767 - 46 commits from branch master
3969b0bf - Merge branch 'master' into '1777-kyverno-policy-verify-ib-image'

Compare with previous version

added 1 commit

f3028187 - mv digest blocks to correct imageRef

Compare with previous version

changed the description

added 3 commits

f3028187...7b7a9005 - 2 commits from branch master
0302ee6d - Merge branch 'master' into 1777-kyverno-policy-verify-ib-image

Compare with previous version

removed statusdoing label

added statusreview label

marked this merge request as ready

requested review from @chris.oconnell and @ryan.j.garcia

@ryan.j.garcia @chris.oconnell should we enable image verification in the test/tests-values.yaml?

We would add this to the test values:

  require-image-signature:
    enabled: true
    validationFailureAction: enforce

This would enable the kyverno policy to ensure all images deployed from IB were verified with cosign signatures.

added 1 commit

3377fd34 - enforcing kyverno require-image-signature on test values

Compare with previous version

resolved all threads

mentioned in issue #1777 (closed)

requested review from @ryan.thompson.44 and @michaelmartin

@rgsjustins @andrewshoell : You have been tagged in this merge request for the purpose of conducting secondary review.

added 1 commit

d8655a19 - Update values.yaml `Audit` -> `audit` for consistency

Compare with previous version

lgtm -

approved this merge request

changed milestone to %2.14.0

approved this merge request

added all-packages label

added debug label

unapproved this merge request

approved this merge request

merged

mentioned in commit edadecb2

mentioned in merge request big-bang/customers/template!65 (closed)

feat: enable `require-image-signature` policy as `audit`

Package Merge Request

Package Changes

Package MR

For Issue

Merged by Ryan Garcia 1 year ago (Oct 24, 2023 8:19pm UTC) 1 year ago

Activity

Admin message

Admin message

feat: enable `require-image-signature` policy as `audit`

Package Merge Request

Package Changes

Package MR

For Issue

Merge request reports

Merged by Ryan Garcia 1 year ago (Oct 24, 2023 8:19pm UTC) 1 year ago

Activity