-
Notifications
You must be signed in to change notification settings - Fork 101
Rewrite imageAllowRules logic - Secure by Default #1549
Comments
@ibuildthecloud & @cjellick can I have your eyes on this, please? |
I wonder if we want |
That "allow everything" rule would need to be removed by a project admin before making use of any other IAR, right? |
Just a project admin. Like, the clsuter admin, when installing acorn, would set that flag so that every project got a permissive policy. If a particular project did not want the permissive policy, they would just delete it. of course, this gets into the complexity of creating it in a "handler" and how to prevent the handler from re-creating it periodically. ...I've talked myself out of it. Don't add the install flag 😅 |
|
EDIT: I figured that (1.) is exactly what I proposed in the issue description 😅 |
Answer to (1.) following yesterday's meeting: We just add |
@ibuildthecloud copying this over from Slack: I was typing a long write-up here about how to create the IARs from the Client-Side when I realized that for the Acornfile implementation of IAR we will anyway need all the Client functions to handle them, right? |
#1549) (#1571) - New flag `--features`, e.g. `--features image-allow-rules=true` - If ImageAllowRules are enabled, projects are secured by default, so that you have to create an IAR to allow an image - If an image is disallowed, we now prompt to allow it - The IAR CR now has an `images` field that uses the Auto-Upgrade Pattern logic to scope an IAR to a specific set of images matching that pattern
|
#1678 is validated and closed now. Closing this issue . |
As discussed in yesterday's standup, this will be the new way to go with imageAllowRules:
Extra Notes / Quotes:
Concept Drawing
Design
Example IAR with only the image scope section (no signatures required), would allow all images just matching that pattern:
Extra Questions
-> A: Not for now
Answers
The text was updated successfully, but these errors were encountered: