[Feature] Verify Image Policies in air gapped environment with TUF cache #8691
Comments
Thanks for opening your first issue here! Be sure to follow the issue template!
Hi @j1nka
We are only initialising TUF when the flag `enableTUF` is set to true; otherwise we will just return (lines 12 to 15 in adfa193).
@vishal-chdhry Hi! Thanks for your reply! Yes, it does. But it looks like there are two options:
Option 1 - Without TUF initialization:
Option 2 - With TUF initialization:
Maybe I'm wrong, but I have some tests which approved the above statements. Trying to find more information in code :)
@j1nka You can use the
@vishal-chdhry thanks! You mean something like this:
?
@j1nka Yes
Problem Statement
Hi!
If I'm right, Kyverno will always try to get up-to-date keys from TUF and so it needs an Internet connection. It calls `tuf.Initialize()`, which will always try to update TUF because of `true` in `initializeTUF()`. This may not be the best option in an air-gapped environment, where clusters don't have direct access to the Internet.
Solution Description
TUF itself has another function, `newFromEnv()`, which will try to use the local cache if present and is not forcing a TUF update (`false` in `initializeTUF()`). It's possible to add this cache data to Kyverno pods. For example: `remote.json`, `tuf.db`, `targets` into an `emptyDir` through ConfigMaps (for example). Yes, there is another issue - we need to keep this data up-to-date, but it's still possible and doesn't look like a tough task.
And there should be not so many code changes in Kyverno. Maybe we can add a flag like `useTufOffline` (bool) and make something like this (in `cmd\internal\tuf.go`):
What do you think about it? Or is this idea not good at all? Thanks!
Alternatives
No response
Additional Context
No response
Slack discussion
No response
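Added example, not Kyverno's code and not from the issue: a Go sketch of the flag evaluation proposed above, using the hypothetical `useTufOffline` flag next to the existing `enableTUF`, with a fail-closed check that the mounted cache actually contains the three items the issue lists (`remote.json`, `tuf.db`, `targets/`) before offline mode is accepted. File contents, the mirror URL and the target file name are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// SelectTUFMode evaluates enableTUF and the hypothetical useTufOffline flag from the issue:
// "online-forced" stands for tuf.Initialize() (always updates), "offline-cache" for the
// newFromEnv()-style path. Offline mode fails closed unless the mounted cache is complete.
func SelectTUFMode(enableTUF, useTufOffline bool, cacheDir string) (string, error) {
	if !enableTUF {
		return "disabled", nil
	}
	if !useTufOffline {
		return "online-forced", nil
	}
	for _, f := range []string{"remote.json", "tuf.db"} { // files named in the issue
		if st, err := os.Stat(filepath.Join(cacheDir, f)); err != nil || st.IsDir() {
			return "", fmt.Errorf("offline TUF: %s missing from cache", f)
		}
	}
	if entries, err := os.ReadDir(filepath.Join(cacheDir, "targets")); err != nil || len(entries) == 0 {
		return "", fmt.Errorf("offline TUF: targets/ missing or empty")
	}
	raw, _ := os.ReadFile(filepath.Join(cacheDir, "remote.json")) // existence checked above
	var remote struct{ Mirror string `json:"mirror"` }            // field sigstore stores in remote.json
	if err := json.Unmarshal(raw, &remote); err != nil || !strings.HasPrefix(remote.Mirror, "https://") {
		return "", fmt.Errorf("offline TUF: remote.json invalid or mirror is not https")
	}
	return "offline-cache", nil
}

// SeedCache writes a constructed cache layout with placeholder contents (not real TUF data).
func SeedCache(dir string) error {
	_ = os.MkdirAll(filepath.Join(dir, "targets"), 0o755) // WriteFile below fails if this did not succeed
	for name, body := range map[string]string{
		"remote.json":       `{"mirror":"https://tuf-mirror.example.internal"}`,
		"tuf.db":            "placeholder",
		"targets/rekor.pub": "placeholder",
	} {
		if err := os.WriteFile(filepath.Join(dir, name), []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}
```

Offline mode does not remove TUF's own metadata expiry: a cache whose timestamp metadata has expired is rejected by the client, so the refresh process the issue mentions has to run before that point.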