Consider restricting `awskms://` options for admission control #1930
Labels: enhancement (New feature or request)
I was looking at the AWS KMS options here: https://github.com/sigstore/cosign/blob/main/KMS.md#aws

There are soooo many ways of expressing the same key, but some of these forms only partially specify things and lean on the environment (e.g. `AWS_REGION`) and I don't think we should support these forms in ClusterImagePolicy.

I think we should require one of the form(s):
`awskms://[host]/{arn}`
where: `host` is the optional endpoint, and `arn` is either the key ARN or an alias ARN.

@hectorj2f @vaikas WDYT?
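One way an admission-time check for the proposed `awskms://[host]/{arn}` form could look. This is an added example, not code from the issue, cosign or the policy controller. The helper name `ValidateAWSKMSRef`, the ARN pattern and the sample references are assumptions constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// arnRe accepts only a full KMS key ARN or alias ARN, so partition, region and
// account are pinned by the reference itself instead of by the environment.
// The exact pattern is an assumption of this example.
var arnRe = regexp.MustCompile(
	`^arn:(aws|aws-cn|aws-us-gov):kms:[a-z0-9-]+:[0-9]{12}:(key/[A-Za-z0-9-]+|alias/[A-Za-z0-9/_-]+)$`)

// ValidateAWSKMSRef (hypothetical helper) returns nil only for awskms://[host]/{arn}.
func ValidateAWSKMSRef(ref string) error {
	if !strings.HasPrefix(ref, "awskms://") {
		return errors.New("not an awskms:// reference")
	}
	// Everything before the first "/" is the optional endpoint host.
	parts := strings.SplitN(strings.TrimPrefix(ref, "awskms://"), "/", 2)
	if len(parts) != 2 {
		return errors.New("missing /{arn} part")
	}
	host, resource := parts[0], parts[1]
	if strings.ContainsAny(host, "@?# ") {
		return fmt.Errorf("unexpected characters in endpoint %q", host)
	}
	// Bare key IDs and bare alias names are rejected: they would be resolved
	// against whatever region and account the controller happens to run with.
	if !arnRe.MatchString(resource) {
		return fmt.Errorf("%q is not a full key or alias ARN", resource)
	}
	return nil
}

func main() {
	// Constructed sample references; account and key IDs are placeholders.
	for _, ref := range []string{
		"awskms:///arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab",
		"awskms://localhost:4566/arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias",
		"awskms:///1234abcd-12ab-34cd-56ef-1234567890ab",
		"awskms:///alias/ExampleAlias",
	} {
		fmt.Printf("%-90s -> %v\n", ref, ValidateAWSKMSRef(ref))
	}
}
```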