At the moment all containers and init containers (including init containers injected by Istio or Dynatrace) need to be signed, otherwise cosignwebhook will deny the admission request. Also, different keys seem not to be possible.
This happens because of the first functionality we introduced in our webhook: the default fallback secret named cosignwebhook. If someone uses this secret in their deployments, then ALL containers are checked against that secret (except where other environment variables defining public keys are set in the containers themselves).
I had a couple of ideas on how to handle this. One is specific to the problem (the problem being an injected dynatrace-operator container, when the user originally deploys only one container).
1. We add a global map of known images and their public keys as a configuration parameter of the cosignwebhook, and let the webhook check for well-known signatures if the customer hasn't provided one.
2. We introduce an IGNORE_LIST, which defines images that shouldn't be verified at all. This seems like a security problem waiting to happen (someone hijacks a tag and deploys a malicious image in the cluster).
3. We deprecate this old functionality.
4. We require an explicit environment variable in the deployment (like COSIGNWEBHOOK_SECRET_FALLBACK) to activate the fallback secret selection.
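To make the trade-offs between the first and fourth ideas concrete, here is an added example of the per-container key resolution they imply. It is not cosignwebhook's own code; the container and pod structs, the `KnownImages` map, the `COSIGNPUBKEY` and `COSIGNWEBHOOK_SECRET_FALLBACK` variable names and the image names are all assumptions constructed for the example. The precedence is: a key set on the container itself wins, then the webhook-wide known-images map (so an injected dynatrace-operator init container is still verified, just with the operator vendor's key rather than the customer's), then the namespace fallback secret only for containers that explicitly opted in; anything else is reported as unverified instead of being denied. Actual cosign signature verification is delegated to a caller-supplied function, because that part is unchanged by the proposal.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Container is a minimal stand-in for a Kubernetes container spec (constructed for this example).
type Container struct {
	Name  string
	Image string
	Env   map[string]string
}

// Pod holds the two container lists an admission webhook must walk.
type Pod struct {
	InitContainers []Container
	Containers     []Container
}

// KeySource records where the public key for a container came from.
type KeySource int

const (
	KeyFromEnv            KeySource = iota // COSIGNPUBKEY set on the container itself
	KeyFromKnownImages                     // webhook-wide map of repository -> public key
	KeyFromFallbackSecret                  // namespace fallback secret, only when opted in
	Unverified                             // no key source applies; container is not checked
)

func (s KeySource) String() string {
	return [...]string{"env", "known-images", "fallback-secret", "unverified"}[s]
}

// Decision is the per-container outcome of key resolution.
type Decision struct {
	Container string
	Source    KeySource
	PublicKey string
}

// Resolver carries the webhook-wide configuration proposed in the thread (assumed shape).
type Resolver struct {
	KnownImages       map[string]string // repository (no tag/digest) -> PEM public key
	FallbackSecretKey string            // key from the namespace fallback secret, "" if absent
}

// Env var names are assumptions for this example, not a documented cosignwebhook interface.
const (
	envPubKey        = "COSIGNPUBKEY"
	envFallbackOptIn = "COSIGNWEBHOOK_SECRET_FALLBACK"
)

// Repository strips tag and digest from an image reference without mistaking a registry
// port for a tag: "localhost:5000/app:v1@sha256:..." -> "localhost:5000/app".
func Repository(image string) string {
	if at := strings.Index(image, "@"); at >= 0 {
		image = image[:at]
	}
	slash := strings.LastIndex(image, "/")
	if colon := strings.LastIndex(image, ":"); colon > slash {
		image = image[:colon]
	}
	return image
}

// Resolve applies the precedence: container env key, then known-images map, then the
// fallback secret only if this container explicitly opted in, else unverified.
func (r Resolver) Resolve(c Container) Decision {
	if k := c.Env[envPubKey]; k != "" {
		return Decision{c.Name, KeyFromEnv, k}
	}
	if k, ok := r.KnownImages[Repository(c.Image)]; ok {
		return Decision{c.Name, KeyFromKnownImages, k}
	}
	if c.Env[envFallbackOptIn] == "true" && r.FallbackSecretKey != "" {
		return Decision{c.Name, KeyFromFallbackSecret, r.FallbackSecretKey}
	}
	return Decision{c.Name, Unverified, ""}
}

// Verifier checks one image against one public key; the real webhook delegates this to cosign.
type Verifier func(image, pubKey string) error

// Admit walks init containers and containers alike and denies the pod as soon as a container
// that resolved to a key fails verification. Unverified containers are reported, not denied.
func (r Resolver) Admit(p Pod, verify Verifier) (bool, []Decision, error) {
	all := append(append([]Container{}, p.InitContainers...), p.Containers...)
	decisions := make([]Decision, 0, len(all))
	for _, c := range all {
		d := r.Resolve(c)
		decisions = append(decisions, d)
		if d.Source == Unverified {
			continue
		}
		if err := verify(c.Image, d.PublicKey); err != nil {
			return false, decisions, fmt.Errorf("container %q (%s key): %w", c.Name, d.Source, err)
		}
	}
	return true, decisions, nil
}

func main() {
	r := Resolver{
		KnownImages:       map[string]string{"docker.io/dynatrace/dynatrace-operator": "dynatrace-pubkey"},
		FallbackSecretKey: "team-pubkey",
	}
	pod := Pod{ // constructed pod: one injected init container, one app, one injected sidecar
		InitContainers: []Container{{Name: "install-oneagent", Image: "docker.io/dynatrace/dynatrace-operator:v0.10.0"}},
		Containers: []Container{
			{Name: "app", Image: "ghcr.io/example/app:1.0", Env: map[string]string{envFallbackOptIn: "true"}},
			{Name: "istio-proxy", Image: "docker.io/istio/proxyv2:1.18"},
		},
	}
	// Constructed stand-in verifier: a table of repository -> key that "signed" it.
	signed := map[string]string{"docker.io/dynatrace/dynatrace-operator": "dynatrace-pubkey", "ghcr.io/example/app": "team-pubkey"}
	ok, ds, err := r.Admit(pod, func(image, key string) error {
		if signed[Repository(image)] != key {
			return errors.New("no valid signature for this key")
		}
		return nil
	})
	for _, d := range ds {
		fmt.Printf("%-16s %s\n", d.Container, d.Source)
	}
	fmt.Println("allowed:", ok, "err:", err)
}
```

Note that the known-images map does not weaken the check the way an IGNORE_LIST would: a hijacked `dynatrace-operator` tag is still rejected unless the attacker can sign with the key in the map. What the map does change is that the customer's fallback secret no longer has to cover images the customer never built.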
The global map seems useful but somewhat intransparent if the user wants full control over the deployment. Deprecation is an option; let's roll out the last release and collect feedback from the customers.
@eumel8 Deprecation seems like the best option to me as well going forward. OK, let's see what the users want as well and tackle this at a later time.
version 4.0.3
Needs to be tested further.
cc. @puffitos