New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow specifying ImagePullSecrets in ClusterImagePolicies #1655
Comments
@tcnghia We are working on adding support to ClusterImagePolicy where you could specify where to look for the signatures. These changes and others are coming from the following design document https://docs.google.com/document/d/1gBLEOOHWOmvHVsoJbgGU74GdwA6CGxMRp3MAeEB50l4/edit#. |
@hectorj2f I see. Thanks for pointing out. I am not sure if we should close this bug or re-use it to track part of the the design doc implementation? You know better than me about what the right thing to do for the repo, so I'll let you close or leave open as necessary. Thanks! |
This issue is related to #1651 |
Going to start working on this. The proposed change is adding "signaturePullSecrets" field to authority source types to access secrets containing registry source credentials. |
@DennyHoang Is there any test bit for 1.9 or when will 1.9 be released? I am trying to use cosigned with GCP's gcr.io with 1.8 but stuck in the permission against private repository (gcr.io). Is there any workaround I could test before 1.9?
|
@shawnho1018 Are the signature and the container in the same registry or different registries? If they are in the same registry, have you tried passing a service account with the imagePullSecrets to the Pod Spec? |
@elfotografo007 Signature and container are in the same registry. |
Description
Currently
cosigned
uses ImagePullSecrets through the PodSpec-providing resources (#801). However, there is no guarantee that signatures are stored in the same repository of the image (for instance, ifCOSIGN_REPOSITORY
was set when signing).If we can specify ImagePullSecrets in the ClusterImagePolicies,
cosigned
can use them for verification.The text was updated successfully, but these errors were encountered: