Trusted Tasks PoC #834
Comments
wlynch
added
the
kind/feature
|
@lukehinds @nadgowdas It was pointed out to us that this idea is really similar to your work in https://github.com/OpenSecureSupplyChain/tkn-admcontroller I still need to dig into that repo a bit more, but would love to hear any thoughts / feedback / things to watch out for from your prototyping. |
|
@wlynch I don't think we got to far with that, but I would say borrow what you need. I seem to recall @nadgowdas had a TEP open as well. Good to see this underway, I will share with the sigstore community to see if others would like to help |
|
thanks for connecting @wlynch. We also had some discussion with Jim Bugwadia from Kyverno to see if such enforcement can be applied through kyverno policies. I had collected some thoughts in this doc: https://docs.google.com/document/d/1r2M9jVcL7fs7Edyzr30fV8pcVhxKUkgSmrFNuTXNKtg/edit?usp=sharing If you have any thoughts let us know. |
|
sgtm! @tektoncd/governing-board - need at least one other approval @nadgowdas is there a group I need to join to get access to the doc? p.s. re Kyverno, an important requirement for a solution in Tekton would be that it was compatible with mulitple policy engines and that we avoided coupling Tekton to any solution in particular (there has been some discussion around this in TEP-0035 in the conteext of applying security policies as a whole) |
|
@bobcatfish I completely agree with you to have such admission checks generic and not tied to one solution. |
|
sgtm too ! (count this as an approval 😛 ) |
Initial directory creation with initial OWNERS file. Proposed and approved in tektoncd#834
Initial directory creation with initial OWNERS file. Proposed and approved in tektoncd#834
Initial directory creation with initial OWNERS file. Proposed and approved in tektoncd#834
Initial directory creation with initial OWNERS file. Proposed and approved in #834
|
Issues go stale after 90d of inactivity. /lifecycle stale Send feedback to tektoncd/plumbing. |
tekton-robot
added
the
lifecycle/stale
|
Stale issues rot after 30d of inactivity. /lifecycle rotten Send feedback to tektoncd/plumbing. |
tekton-robot
added
lifecycle/rotten
|
Rotten issues close after 30d of inactivity. /close Send feedback to tektoncd/plumbing. |
|
@tekton-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Feature request
We're planning on creating a new sub-directory to prototype a trusted tasks admission controller. This is originally inspired by @squee1945's original TEP tektoncd/community#537.
To start, our plan is to prototype an admission controller with annotation based signatures before reopening a TEP for any Pipeline API changes.
A lot of this work/design is still TBD, but creating this issue to track and have a place for discussion.
In progress design doc (still very rough): https://hackmd.io/93mfJPyDQKCyn0IKwjzgWQ
/cc @Yongxuanzhang
Use case
Same motivation as tektoncd/community#537 - implement a mechanism to trust task content in order to have more trust in what is being executed + task results that are being returned (i.e. how can we have more trust that the
gittask is actually doing git things?)The text was updated successfully, but these errors were encountered: