Describe the solution you'd like
We would like for NetApp Trident to support image SHAs instead of tags. SHAs provide an immutable identifier for a container image, whereas tags can be applied to any image.
Describe alternatives you've considered
To use image tags instead of SHAs.
Additional context
GKE CIS Benchmark 5.10.4 Ensure use of Binary Authorization
Binary Authorization helps to protect supply-chain security by only allowing images with verifiable cryptographically signed metadata into the cluster.
Rationale:
Binary Authorization provides software supply-chain security for images that are deployed to GKE from Google Container Registry (GCR) or another container image registry.
Binary Authorization requires images to be signed by trusted authorities during the development process. These signatures are then validated at deployment time. By enforcing validation, tighter control over the container environment can be gained by ensuring only verified images are integrated into the build-and-release process.
Impact:
Care must be taken when defining policy in order to prevent inadvertent denial of container image deployments. Depending on policy, attestations for existing container images running within the cluster may need to be created before those images are redeployed or pulled as part of the pod churn.
To prevent key system images from being denied deployment, consider the use of global policy evaluation mode, which uses a global policy provided by Google and exempts a list of Google-provided system images from further policy evaluation.
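As an added illustration of the digest-versus-tag distinction raised above (this is example code, not code from the issue or from the Trident project), the following Python parses container image references and lists the containers of a pod spec that are pulled by a mutable tag rather than an immutable digest; the registry, image names and digest are constructed placeholders:

```python
import re
from typing import List, NamedTuple, Optional

# Simplified OCI reference grammar: [registry[:port]/]repository[:tag][@digest]
_DIGEST_RE = re.compile(r"^[a-z0-9]+(?:[+._-][a-z0-9]+)*:[0-9a-f]{32,}$")
_TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


class ImageRef(NamedTuple):
    repository: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def pinned(self) -> bool:
        # Only a digest is immutable; a tag can be re-pointed at a different image at any time.
        return self.digest is not None


def parse_image_ref(ref: str) -> ImageRef:
    """Split an image reference into repository, tag and digest."""
    name, digest = ref, None
    if "@" in ref:
        name, digest = ref.rsplit("@", 1)
        if not _DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest in {ref!r}")
        if digest.startswith("sha256:") and len(digest) != len("sha256:") + 64:
            raise ValueError(f"sha256 digest must be 64 hex characters: {ref!r}")
    tag = None
    # A ':' after the last '/' introduces a tag; one before it is a registry port.
    colon = name.rfind(":")
    if colon > name.rfind("/"):
        name, tag = name[:colon], name[colon + 1:]
        if not _TAG_RE.match(tag):
            raise ValueError(f"malformed tag in {ref!r}")
    return ImageRef(name, tag, digest)


def unpinned_images(containers: List[dict]) -> List[str]:
    """Names of containers (from a pod spec) whose image is referenced by tag, not digest."""
    return [c["name"] for c in containers if not parse_image_ref(c["image"]).pinned]


# Constructed sample pod spec: registry, names and digest are placeholders, not real artifacts.
CONSTRUCTED_DIGEST = "sha256:" + "0123456789abcdef" * 4
SAMPLE_CONTAINERS = [
    {"name": "trident-main", "image": "registry.example:5000/netapp/trident:latest"},
    {"name": "csi-sidecar", "image": "registry.example/csi/sidecar:v1.0"},
    {"name": "autosupport", "image": "registry.example/netapp/autosupport@" + CONSTRUCTED_DIGEST},
    {"name": "pinned-with-tag", "image": "registry.example/csi/sidecar:v1.0@" + CONSTRUCTED_DIGEST},
]
```

A reference carrying both a tag and a digest counts as pinned, since the runtime resolves the digest and ignores the tag.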