We are getting sigstore integration in kubewarden, which is really good news, because we will be able to enforce image verification on Kubernetes clusters!
But that brings a question - should we somehow verify sigstore signatures in lockc as well? There are two reasons why it might be a good idea:
- making sure that no one modified the image after admission and before the container runtime actually starts a container - to exclude MITM scenarios on nodes
- that would easily bring sigstore support for local container runtimes (docker, podman)
Topics to research:
- How could the integration look?
- Is lockc really a good place to do that? After all, lockc is meant to be a BPF LSM engine. sigstore might be far away from that area. Maybe it would make more sense to have a separate project for sigstore? Maybe some OCI hook? But on the other hand, maybe widening the topics of interest of lockc would be good, and even a separate OCI hook would be easy to include? Think about all pros and cons.
/cc @agracey