Consider restricting awskms:// options for admission control
#1930
Assignees
Labels
enhancement
New feature or request
Comments
|
Yes, i am happy with restricting it. I also find it complex and we already had several bugs about it. |
vaikas
added a commit
to vaikas/cosign
that referenced
this issue
Jun 2, 2022
Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
dlorenc
pushed a commit
that referenced
this issue
Jun 2, 2022
* fix: fix #1930 for AWS KMS formats Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * use v2 of aws go-sdk, didn't realize there was one. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Fix the lint + add missing authorities section to test crds. doh. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * can't even Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * Actually validate keyless ca-cert as keyref. Yikes. Signed-off-by: Ville Aikas <vaikas@chainguard.dev> * also v1beta1. Signed-off-by: Ville Aikas <vaikas@chainguard.dev>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I was looking at the AWS KMS options here: https://github.com/sigstore/cosign/blob/main/KMS.md#aws
There are soooo many ways of expressing the same key, but some of these forms only partially specify things and lean on the environment (e.g.
AWS_REGION) and I don't think we should support these forms in ClusterImagePolicy.I think we should require one of the form(s):
awskms://[host]/{arn}where:hostis the optional endpoint, andarnis either the key ARN or an alias ARN.@hectorj2f @vaikas WDYT?
The text was updated successfully, but these errors were encountered: